feat: add full Zonemaster stack with Docker and Spanish UI

- Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI)
- Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend
- Dockerfile.gui: Astro static build served via nginx
- docker-compose.yml: backend (internal) + frontend (port 5353)
- nginx.conf: root redirects to /es/, /api/ proxied to backend
- zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

zonemaster/docs/internal/functional-tests/Behavior-TP/behavior01.md

@@ -0,0 +1,35 @@
+## BEHAVIOR01: NXDOMAIN returned in response in the event of querying a domain name that does not exist
+
+### Test case identifier
+
+**BEHAVIOR01:** Name Error RCODE returned in response in the event of
+querying a domain name that does not exist
+
+### Objective 
+This test is to verify whether the engine responds with a RCODE NXDOMAIN when
+querying a domain name that does not exist.
+
+### Inputs
+
+The domain to be tested. The domain should not be already delegated in the DNS.
+
+### Ordered description of steps to be taken to execute the test case
+
+1. Zonemaster CLI is used to verify an invalid domain
+2. If the query don’t receive an RCODE NXDOMAIN, the test returns FAIL
+
+
+### Results
+Verifying the invalid domain with zonemaster CLI does provide conclusive errors as you
+could see from the appendix
+
+### Appendix
+```
+zonemaster-cli afnics.fr
+Seconds Level     Message
+======= ========= =======
+   1.17 CRITICAL  Nameserver for zone fr responded with NXDOMAIN to query for
+glue.
+   1.17 CRITICAL  Not enough data about afnics.fr was found to be able to run
+tests.
+```

zonemaster/docs/internal/functional-tests/Behavior-TP/behavior02.md

@@ -0,0 +1,39 @@
+## BEHAVIOR02: NODATA returned in response in the event of querying a domain name that exists but no relevant answers in the answer section
+
+### Test case identifier
+
+**BEHAVIOR02:** NODATA returned in response in the event of querying a 
+domain name that exist but no relevant answers in the answer section
+
+### Objective 
+Section 1 of [RFC 2308](https://datatracker.ietf.org/doc/html/rfc2308) mentions that
+"NODATA" is a pseudo RCODE. "NODATA" indicates that there are RRs for the requested
+domain name, but none of them match the record type queried.
+
+"NODATA" is indicated by an answer with RCODE set to "NOERROR" (defined in RFC
+[RFC 1035](https://datatracker.ietf.org/doc/html/rfc1035)) and no relevant answers in the
+answer section.
+
+This test is to verify whether the engine responds with NODATA when
+querying a domain name that exists, but the queried record type does not exist.
+
+### Inputs
+
+The domain to be tested. The domain should be already delegated in the DNS, but
+should not contain delegation RRs or the queried RRs
+
+### Results
+Verifying a domain such as "gouv.fr" which does not have delegation RRs results
+in expected results as you can see from the appendix.
+
+
+### Appendix
+```
+zonemaster-cli gouv.fr
+Seconds Level     Message
+======= ========= =======
+   1.16 CRITICAL  Nameservers for "fr" provided no NS records for tested zone.
+RCODE given was NOERROR.
+   1.16 CRITICAL  Not enough data about gouv.fr was found to be able to run
+tests.
+```

zonemaster/docs/internal/functional-tests/Behavior-TP/behavior03.md

@@ -0,0 +1,44 @@
+## BEHAVIOR03: The behavior of the engine when IPv6 or IPv4 is disabled
+
+### Test case identifier
+
+**BEHAVIOR03:** The behavior of the engine when IPv6 or IPv4 is disabled
+
+### Objective 
+This test is to verify whether appropriate results are displayed when
+querying a domain name from the CLI with IPv6 or IPv4 disabled.
+
+### Inputs
+
+The domain to be tested.
+
+### Ordered description of steps to be taken to execute the test case
+
+1. A valid domain is verified with corresponding options "--no-ipv6" or "--no-ipv4" using Zonemaster CLI
+2. If the query don’t receive a CRITICAL or ERROR notice, the test returns PASS
+
+### Results
+
+Verifying a valid zone with either IPv4 or IPV6 disabled using the zonemaster
+CLI does provide expected results without false positive or false negative as
+seen in the appendix. 
+
+### Appendix
+```
+zonemaster-cli --no-ipv6 afnic.fr
+Seconds Level     Message
+======= ========= =======
+   2.30 NOTICE    IPv6 is disabled, not sending "NS" query to
+ns1.nic.fr/2001:660:3003:2::4:1.
+   2.30 NOTICE    IPv6 is disabled, not sending "NS" query to
+ns2.nic.fr/2001:660:3005:1::1:2.
+   2.31 NOTICE    IPv6 is disabled, not sending "NS" query to
+ns3.nic.fr/2001:660:3006:1::1:1.
+   7.65 NOTICE    SOA 'mname' nameserver (dnsmaster.nic.fr) is not listed in
+"parent" NS records for tested zone (ns1.nic.fr;ns2.nic.fr;ns3.nic.fr).
+   7.65 NOTICE    SOA 'refresh' value (7200) is less than the recommended one
+(14400).
+   7.65 NOTICE    SOA 'retry' value (1800) is less than the recommended one
+(3600).
+
+```

zonemaster/docs/internal/functional-tests/Behavior-TP/behavior04.md

@@ -0,0 +1,21 @@
+## BEHAVIOR04: Able to test a particular profile from the CLI using an option which selects a particular test profile
+
+### Test case identifier
+
+**BEHAVIOR04:** Able to test a particular profile from the CLI using an option
+which selects a particular test profile
+
+### Objective 
+Zonecheck CLI has an option '-P' which allows to select a particular profile to
+test. For example, "zonecheck -P Afnic iis.se" tests the zone with the tests
+defined in afnic.profile
+(https://github.com/mat813/ZoneCheck/blob/master/etc/zonecheck/afnic.profile). 
+
+### Results
+The Zonemaster-CLI has integrated this functionality even though
+as of not we do not have different profiles to test.
+
+
+
+
+

zonemaster/docs/internal/functional-tests/Behavior-TP/behavior05.md

@@ -0,0 +1,41 @@
+## BEHAVIOR05: Capable of running the test when the delegation parameters are specified
+
+### Test case identifier
+
+**BEHAVIOR05:** Capable of running the test when the delegation parameters are specified
+
+### Objective 
+This test is to verify whether the engine is capable of running an undelegated
+test
+
+### Inputs
+
+The domain to be tested with NS and IP addresses. It could be either a delegated
+or un delegated domain
+
+### Ordered description of steps to be taken to execute the test case
+
+1. A valid domain is verified using Zonemaster CLI with appropriate options as
+seen in the appendix
+2. If the query don’t receive a CRITICAL or ERROR notice, the test returns PASS
+
+
+### Results
+As viewed in the appendix, the engine is capable of testing un delegated
+domains.
+
+### Appendix
+```
+zonemaster-cli iis.se  --ns i.ns.se/194.146.106.22 --ns
+i.ns.se/2001:67c:1010:5::53 --ns ns.nic.se/212.247.7.228 --ns
+ns.nic.se/2a00:801:f0:53::53 --ns ns3.nic.se/212.247.8.152 --ns
+ns3.nic.se/2a00:801:f0:211::152  IISIIS
+Seconds Level     Message
+======= ========= =======
+   6.20 WARNING   Nameserver ns3.nic.se has an IP address (212.247.8.152)
+without PTR configured.
+  10.45 NOTICE    192.36.144.107 returned no DS records for iis.se.
+  11.51 NOTICE    SOA 'refresh' value (10800) is less than the recommended one
+(14400).
+
+```

zonemaster/docs/internal/functional-tests/Behavior-TP/behavior06.md

@@ -0,0 +1,43 @@
+## BEHAVIOR06: Timestamps display
+
+### Test case identifier
+
+**BEHAVIOR06:** Timestamps display
+
+### Objective 
+This test is to verify whether the engine displays timestamps on the test being
+run
+
+### Inputs
+
+The domain to be tested. 
+
+### Ordered description of steps to be taken to execute the test case
+
+1. A valid domain is verified using Zonemaster CLI with appropriate options as
+see in the appendix
+2. If the query don’t show timestamp in the results,  the test returns FAIL
+
+### Results
+
+### Appendix
+```
+zonemaster-cli --time afnic.fr
+Seconds Level     Message
+======= ========= =======
+  17.89 NOTICE    SOA 'mname' nameserver (dnsmaster.nic.fr) is not listed in
+"parent" NS records for tested zone (ns1.nic.fr;ns2.nic.fr;ns3.nic.fr).
+  17.90 NOTICE    SOA 'refresh' value (7200) is less than the recommended one
+(14400).
+  17.90 NOTICE    SOA 'retry' value (1800) is less than the recommended one
+(3600).
+sandoche@eryx:~$ zonemaster-cli afnic.fr
+Seconds Level     Message
+======= ========= =======
+   8.16 NOTICE    SOA 'mname' nameserver (dnsmaster.nic.fr) is not listed in
+"parent" NS records for tested zone (ns1.nic.fr;ns2.nic.fr;ns3.nic.fr).
+   8.16 NOTICE    SOA 'refresh' value (7200) is less than the recommended one
+(14400).
+   8.17 NOTICE    SOA 'retry' value (1800) is less than the recommended one
+(3600).
+```

zonemaster/docs/internal/functional-tests/Behavior-TP/behavior07.md

@@ -0,0 +1,33 @@
+## BEHAVIOR07: IDN Verification 
+
+### Test case identifier
+
+**BEHAVIOR07:** IDN Verification 
+
+### Objective 
+
+The objective of this test is to verify the engine verifies IDN domains
+
+### Inputs
+
+The IDN domain to be tested.
+
+### Ordered description of steps to be taken to execute the test case
+
+1. A standard query for an IDN domain is made using the zonemaster CLI
+2. If the output from the CLI does not verify the IDN domain as in the case of
+normal domain names, then the test fails 
+
+### Results
+As seen in the appendix, the engine is capable of verifying IDN domains
+
+### Appendix
+``` 
+zonemaster-cli café.fr
+Seconds Level     Message
+======= ========= =======
+  25.67 WARNING   All nameservers are in the same AS (16509).
+  25.67 WARNING   All nameservers IPv4 addresses are in the same AS (16509).
+  25.70 NOTICE    192.5.4.2 returned no DS records for xn--caf-dma.fr.
+
+

zonemaster/docs/internal/functional-tests/Behavior-TP/behavior08.md

@@ -0,0 +1,182 @@
+## BEHAVIOR08: Display of verbose information
+
+### Test case identifier
+
+**BEHAVIOR08:** Display of verbose information 
+
+### Objective 
+
+The objective of this test is to verify whether it is possible to obtain
+different levels of information for a zone that is being tested
+
+### Inputs
+
+The  domain to be tested.
+
+### Ordered description of steps to be taken to execute the test case
+
+
+1. A valid domain is verified using Zonemaster CLI with appropriate options as
+seen in the appendix. The options --level (CRITICAL, ERROR, WARNING, NOTICE, INFO, 
+DEBUG, DEBUG2 or DEBUG3) provides different levels of information for the zone being tested
+
+2. If the query doesn't have results with level to the verbose option then the
+test return FAIL.
+
+### Results
+The engine passes the test as can be verified from the appendix
+
+### Appendix
+```
+zonemaster-cli --level CRITICAL iis.se
+Seconds Level     Message
+======= ========= =======
+Looks OK.
+
+```
+```
+zonemaster-cli --level INFO iis.se    
+Seconds Level     Message
+======= ========= =======
+   1.86 INFO      Nameserver for zone se replies when trying to fetch glue.
+   1.86 INFO      Nameserver for zone se listed these nameservers as glue:
+i.ns.se.,ns.nic.se.,ns3.nic.se..
+   2.34 INFO      IPv4 is enabled, can send "NS" query to
+i.ns.se/194.146.106.22.
+   2.35 INFO      Nameserver i.ns.se/194.146.106.22 listed these servers as
+glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
+   2.35 INFO      IPv6 is enabled, can send "NS" query to
+i.ns.se/2001:67c:1010:5::53.
+   2.37 INFO      Nameserver i.ns.se/2001:67c:1010:5::53 listed these servers as
+glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
+   2.37 INFO      IPv4 is enabled, can send "NS" query to
+ns.nic.se/212.247.7.228.
+   2.42 INFO      Nameserver ns.nic.se/212.247.7.228 listed these servers as
+glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
+   2.42 INFO      IPv6 is enabled, can send "NS" query to
+ns.nic.se/2a00:801:f0:53::53.
+   2.46 INFO      Nameserver ns.nic.se/2a00:801:f0:53::53 listed these servers
+as glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
+   2.46 INFO      IPv4 is enabled, can send "NS" query to
+ns3.nic.se/212.247.8.152.
+   2.50 INFO      Nameserver ns3.nic.se/212.247.8.152 listed these servers as
+glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
+   2.50 INFO      IPv6 is enabled, can send "NS" query to
+ns3.nic.se/2a00:801:f0:211::152.
+   2.54 INFO      Nameserver ns3.nic.se/2a00:801:f0:211::152 listed these
+servers as glue: i.ns.se.,ns.nic.se.,ns3.nic.se..
+   2.54 INFO      Functional nameserver found. "A" query for www.iis.se test
+aborted.
+   2.75 INFO      All Nameserver addresses are in the routable public addressing
+space.
+   6.84 WARNING   Nameserver ns3.nic.se has an IP address (212.247.8.152)
+without PTR configured.
+   8.78 INFO      None of the 3 nameserver(s) with IPv6 addresses is part of a
+bogon prefix.
+   8.78 INFO      Nameserver i.ns.se/194.146.106.22 accessible over UDP on port
+53.
+   8.81 INFO      Nameserver i.ns.se/2001:67c:1010:5::53 accessible over UDP on
+port 53.
+   8.85 INFO      Nameserver ns.nic.se/212.247.7.228 accessible over UDP on port
+53.
+   8.89 INFO      Nameserver ns.nic.se/2a00:801:f0:53::53 accessible over UDP on
+port 53.
+   8.93 INFO      Nameserver ns3.nic.se/212.247.8.152 accessible over UDP on
+port 53.
+   8.93 INFO      Nameserver ns3.nic.se/2a00:801:f0:211::152 accessible over UDP
+on port 53.
+   8.94 INFO      Nameserver i.ns.se/194.146.106.22 accessible over TCP on port
+53.
+   8.98 INFO      Nameserver i.ns.se/2001:67c:1010:5::53 accessible over TCP on
+port 53.
+   9.06 INFO      Nameserver ns.nic.se/212.247.7.228 accessible over TCP on port
+53.
+   9.15 INFO      Nameserver ns.nic.se/2a00:801:f0:53::53 accessible over TCP on
+port 53.
+   9.23 INFO      Nameserver ns3.nic.se/212.247.8.152 accessible over TCP on
+port 53.
+   9.31 INFO      Nameserver ns3.nic.se/2a00:801:f0:211::152 accessible over TCP
+on port 53.
+  11.06 INFO      Domain's authoritative nameservers do not belong to the same
+AS.
+  11.06 INFO      A single SOA serial number was seen (1415096701).
+  11.06 INFO      A single SOA rname value was seen (hostmaster.iis.se.)
+  11.07 INFO      A single SOA time parameter set was seen
+(REFRESH=10800,RETRY=3600,EXPIRE=1814400,MINIMUM=14400).
+  11.08 INFO      A unique NS set was seen (i.ns.se.,ns.nic.se.,ns3.nic.se.).
+  11.12 INFO      Found DS records with tags 18937.
+  11.13 INFO      There are both DS and DNSKEY records with key tags 18937.
+  11.13 INFO      DS record with keytag 18937 matches the DNSKEY with the same
+tag.
+  11.13 INFO      At least one DS record with a matching DNSKEY record was
+found.
+  11.14 INFO      The DNSKEY with tag 18937 uses algorithm number 5/(RSA/SHA1),
+which is OK.
+  11.14 INFO      The DNSKEY with tag 52823 uses algorithm number 5/(RSA/SHA1),
+which is OK.
+  11.34 INFO      The zone has NSEC records.
+  11.34 INFO      Parent lists enough nameservers
+(i.ns.se;ns.nic.se;ns3.nic.se). Lower limit set to 2.
+  11.34 INFO      Child lists enough nameservers (i.ns.se;ns.nic.se;ns3.nic.se).
+Lower limit set to 2.
+  11.35 INFO      Parent and child list enough nameservers
+(i.ns.se;ns.nic.se;ns3.nic.se). Lower limit set to 2.
+  11.35 INFO      All the IP addresses used by the nameservers are unique
+  11.35 INFO      The smallest possible legal referral packet is smaller than
+513 octets (it is 357).
+  11.36 INFO      All the nameservers are authoritative.
+  11.38 INFO      No nameserver point to CNAME alias.
+  11.38 INFO      All the nameservers have SOA record.
+  11.39 INFO      All of the nameserver names are listed both at parent and
+child.
+  11.39 INFO      The module Example was disabled by the policy.
+  11.58 INFO      None of the following nameservers is a recursor :
+i.ns.se,ns.nic.se,ns3.nic.se.
+  11.78 INFO      The following nameservers support EDNS0 :
+ns.nic.se/212.247.7.228,i.ns.se/2001:67c:1010:5::53,ns3.nic.se/212.247.8.152,ns.nic.se/2a00:801:f0:53::53,ns3.nic.se/2a00:801:f0:211::152,i.ns.se/194.146.106.22.
+  11.78 INFO      AXFR not available on nameserver i.ns.se/194.146.106.22.
+  11.82 INFO      AXFR not available on nameserver i.ns.se/2001:67c:1010:5::53.
+  11.89 INFO      AXFR not available on nameserver ns.nic.se/212.247.7.228.
+  11.97 INFO      AXFR not available on nameserver ns.nic.se/2a00:801:f0:53::53.
+  12.05 INFO      AXFR not available on nameserver ns3.nic.se/212.247.8.152.
+  12.13 INFO      AXFR not available on nameserver
+ns3.nic.se/2a00:801:f0:211::152.
+  12.14 INFO      All nameservers reply with same IP used to query them.
+  12.33 INFO      The following nameservers answer AAAA queries without problems
+:
+ns.nic.se/2a00:801:f0:53::53,ns3.nic.se/212.247.8.152,i.ns.se/2001:67c:1010:5::53,ns.nic.se/212.247.7.228,i.ns.se/194.146.106.22,ns3.nic.se/2a00:801:f0:211::152.
+  12.33 INFO      All nameservers succeeded to resolve to an IP address.
+  12.34 INFO      No illegal characters in the domain name (iis.se).
+  12.34 INFO      Both ends of all labels of the domain name (iis.se) have no
+hyphens.
+  12.34 INFO      Domain name (iis.se) has no label with a double hyphen ('--')
+in position 3 and 4 (with a prefix which is not 'xn--').
+  12.34 INFO      Nameserver (i.ns.se) syntax is valid.
+  12.34 INFO      Nameserver (ns.nic.se) syntax is valid.
+  12.34 INFO      Nameserver (ns3.nic.se) syntax is valid.
+  12.34 INFO      There is no misused '@' character in the SOA RNAME field
+(hostmaster.iis.se.).
+  12.35 INFO      The SOA RNAME field (hostmaster@iis.se) is compliant with
+RFC2822.
+  12.35 INFO      SOA MNAME (ns.nic.se) syntax is valid.
+  12.35 INFO      Domain name MX (mx1.iis.se) syntax is valid.
+  12.35 INFO      Domain name MX (mx2.iis.se) syntax is valid.
+  12.42 INFO      SOA 'mname' nameserver (ns.nic.se) is authoritative for
+'iis.se' zone.
+  12.42 NOTICE    SOA 'refresh' value (10800) is less than the recommended one
+(14400).
+  12.42 INFO      SOA 'refresh' value (10800) is higher than the SOA 'retry'
+value (3600).
+  12.43 INFO      SOA 'expire' value (1814400) is higher than the minimum
+recommended value (604800) and lower than 'refresh' value.
+  12.43 INFO      SOA 'minimum' value (14400) is between the recommended ones
+(300/86400).
+  12.46 INFO      SOA 'mname' value (ns.nic.se) refers to a NS which is not an
+alias (CNAME).
+  12.48 INFO      SOA 'mname' value (ns.nic.se) refers to a NS which is not an
+alias (CNAME).
+  12.49 INFO      Target (MX=mx2.iis.se/MX=mx1.iis.se) found to deliver e-mail
+for the domain name.
+
+```
+

zonemaster/docs/internal/functional-tests/Behavior-TP/behavior09.md

@@ -0,0 +1,54 @@
+## BEHAVIOR09: Appropriate error code when the zone is misconfigured
+
+### Test case identifier
+
+**BEHAVIOR09:** Appropriate error code when the zone is misconfigured
+
+### Objective 
+
+The objective of this test is to verify that the engine catches the zone
+mis-configurations appropriately
+
+### Inputs
+
+The broken domain to be tested.
+
+### Ordered description of steps to be taken to execute the test case
+
+1. A standard query for the domain is made using the zonemaster CLI
+2. If the output from the CLI does not catch the expected errors, then the test
+returns FAIL
+
+### Results
+Even though exhaustive tests are not run, for the tests being run the engine
+seems to capture the errors.
+
+
+### Appendix
+``` 
+zonemaster-cli broken.dnssec.ee
+Seconds Level     Message
+======= ========= =======
+   6.12 WARNING   All nameservers are in the same AS (51349).
+   6.12 WARNING   All nameservers IPv4 addresses are in the same AS (51349).
+   6.23 ERROR     DS record with keytag 57307 does not match the DNSKEY with the
+same tag.
+   6.24 ERROR     No DS record with a matching DNSKEY record was found.
+   6.34 ERROR     RRSIG with keytag 57307 and covering type(s) DNSKEY has
+already expired (expiration is: 1393471638).
+   6.34 ERROR     RRSIG with keytag 48381 and covering type(s) SOA has already
+expired (expiration is: 1393882163).
+   6.41 ERROR     Signature for DNSKEY with tag 57307 failed to verify with
+error 'Bogus DNSSEC signature'.
+   6.41 ERROR     The apex DNSKEY RRset was not correctly signed.
+   6.41 ERROR     Trying to verify SOA RRset with signature 48381 gave error
+'Bogus DNSSEC signature'.
+   6.41 ERROR     No RRSIG correctly signed the SOA RRset.
+   6.47 ERROR     Trying to verify NSEC3 RRset with RRSIG 48381 gave error
+'Bogus DNSSEC signature'.
+   7.33 NOTICE    SOA 'refresh' value (10800) is less than the recommended one
+(14400).
+
+``` 
+
+