[master] complete NTA work

3882.	[func]		By default, negative trust anchors will be tested
			periodically to see whether data below them can be
			validated, and if so, they will be allowed to
			expire early. The "rndc nta -force" option
			overrides this behvaior.  The default NTA lifetime
			and the recheck frequency can be configured by the
			"nta-lifetime" and "nta-recheck" options. [RT #36146]

bin/tests/system/dnssec/ns3/bogus.example.db.in

@@ -28,5 +28,6 @@ ns			A	10.53.0.3
 
 a			A	10.0.0.1
 b			A	10.0.0.2
+c			A	10.0.0.3
 d			A	10.0.0.4
 z			A	10.0.0.26

bin/tests/system/dnssec/ns3/named.conf

@@ -68,6 +68,12 @@ zone "bogus.example" {
 	allow-update { any; };
 };
 
+zone "badds.example" {
+	type master;
+	file "badds.example.db.signed";
+	allow-update { any; };
+};
+
 zone "dynamic.example" {
 	type master;
 	file "dynamic.example.db.signed";

bin/tests/system/dnssec/ns3/secure.example.db.in

@@ -26,7 +26,11 @@ ns3			A	10.53.0.3
 
 a			A	10.0.0.1
 b			A	10.0.0.2
+c			A	10.0.0.3
 d			A	10.0.0.4
+e			A	10.0.0.5
+f			A	10.0.0.6
+g			A	10.0.0.7
 z			A	10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
 x			CNAME	a

bin/tests/system/dnssec/ns3/sign.sh

@@ -459,3 +459,18 @@ zonefile=siginterval.example.db
 kskname=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
 zskname=`$KEYGEN -q -3 -r $RANDFILE $zone`
 cp $infile $zonefile
+
+#
+# A zone with a bad DS in the parent
+# (sourced from bogus.example.db.in)
+#
+zone=badds.example.
+infile=bogus.example.db.in
+zonefile=badds.example.db
+
+keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
+
+cat $infile $keyname.key >$zonefile
+
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+sed -e 's/bogus/badds/g' < dsset-bogus.example. > dsset-badds.example.