[master] complete NTA work

3882.	[func]		By default, negative trust anchors will be tested
			periodically to see whether data below them can be
			validated, and if so, they will be allowed to
			expire early. The "rndc nta -force" option
			overrides this behvaior.  The default NTA lifetime
			and the recheck frequency can be configured by the
			"nta-lifetime" and "nta-recheck" options. [RT #36146]

bin/tests/system/dnssec/ns2/example.db.in

@@ -65,6 +65,10 @@ ns.insecure		A	10.53.0.3
 bogus			NS	ns.bogus
 ns.bogus		A	10.53.0.3
 
+; A subdomain with a corrupt DS
+badds			NS	ns.badds
+ns.badds		A	10.53.0.3
+
 ; A dynamic secure subdomain
 dynamic			NS	dynamic
 dynamic			A	10.53.0.3

bin/tests/system/dnssec/ns2/sign.sh

@@ -26,11 +26,10 @@ zonefile=example.db
 
 ( cd ../ns3 && $SHELL sign.sh )
 
-for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
-    optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
-    auto-nsec auto-nsec3 secure.below-cname ttlpatch split-dnssec \
-    split-smart expired expiring upper lower
-
+for subdomain in secure badds bogus dynamic keyless nsec3 optout \
+	nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
+	kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
+	ttlpatch split-dnssec split-smart expired expiring upper lower
 do
 	cp ../ns3/dsset-$subdomain.example. .
 done