Improve DNS security evidence handling #2087

Open
DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/dns-control-plane-fixtures-54
@DENGXUELIN

/claim #54

Summary

Improves dns-security so DNSSEC, protective DNS, RPZ, client-path, and exfiltration findings are tied to concrete control-plane and data-plane evidence.

Changes include:

  • Adds DNS-CTRL-01 through DNS-CTRL-08 gates for evidence source/confidence, authoritative parent-chain validation, recursive validation, RPZ freshness/logging, client bypass enforcement, exfiltration logging coverage, Not Evaluable reason codes, and split-horizon exception tracking.
  • Extends finding output with asset role, evidence source, evidence confidence, Not Evaluable reason, and bypass path fields.
  • Adds vulnerable and benign fixtures for signed-zone/RPZ overclaiming versus verified parent DS, resolver, egress, RPZ, and SIEM evidence.

Why

Signed local zone files and resolver RPZ configuration do not prove public DNSSEC validation or endpoint enforcement. The review should distinguish configuration intent from parent DS evidence, external validation, resolver path controls, direct DNS/DoH bypass handling, feed freshness, and source-attributed logs.

Validation

  • git diff --check origin/main...HEAD
  • git merge-tree --write-tree origin/main HEAD
  • Markdown fence-balance check for skills/network/dns-security/SKILL.md
  • Marker check for DNS-CTRL-01 through DNS-CTRL-08
  • YAML parse check for both added fixtures
  • Added-line sensitive/public-contact pattern scan

Bounty Info

  • I have read and agree to CONTRIBUTING.md bounty terms.
  • Requested tier: Improver Moderate ($100) if accepted/merged.
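
An added example, not part of the pull request or the project's code: it illustrates the distinction the "Why" section draws by computing the DS digest a parent should publish for a zone's KSK (RFC 4034) and grading the finding by whether parent DS evidence was actually collected. The status values other than Not Evaluable, the reason codes, the function names and the sample key bytes are assumptions made for this sketch.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) DNS wire form of an owner name."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, key (RFC 4034)."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def classify_dnssec(zone, ksk_rdata, parent_ds):
    """Return (status, reason). parent_ds is a list of
    (key_tag, algorithm, digest_type, digest_hex) tuples observed at the parent,
    or None when that evidence was never collected. Reason codes are hypothetical."""
    if parent_ds is None:
        return ("Not Evaluable", "PARENT_DS_NOT_COLLECTED")
    if not parent_ds:
        return ("Fail", "NO_DS_AT_PARENT")
    want = (key_tag(ksk_rdata), ksk_rdata[3], 2, ds_digest_sha256(zone, ksk_rdata))
    for tag, alg, dtype, digest in parent_ds:
        if (tag, alg, dtype, digest.lower()) == want:
            return ("Pass", "PARENT_DS_MATCHES_KSK")
    return ("Fail", "PARENT_DS_MISMATCH")

def sample_results():
    """Constructed data: the key bytes are a placeholder, not a real key."""
    zone = "example.com"
    ksk = dnskey_rdata(257, 13, bytes(range(64)))
    good = [(key_tag(ksk), 13, 2, ds_digest_sha256(zone, ksk).upper())]
    stale = [(key_tag(ksk), 13, 2, "00" * 32)]
    return {
        "signed zone file only": classify_dnssec(zone, ksk, None),
        "parent has no DS": classify_dnssec(zone, ksk, []),
        "parent DS matches": classify_dnssec(zone, ksk, good),
        "parent DS is for another key": classify_dnssec(zone, ksk, stale),
    }

if __name__ == "__main__":
    for case, result in sample_results().items():
        print(f"{case}: {result}")
```

A Pass here covers only the parent DS link for the KSK; external validation, resolver path controls and logging evidence named in the description are separate checks.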
