feat: add full Zonemaster stack with Docker and Spanish UI

- Clone all 5 Zonemaster component repos (LDNS, Engine, CLI, Backend, GUI)
- Dockerfile.backend: 8-stage multi-stage build LDNS→Engine→CLI→Backend
- Dockerfile.gui: Astro static build served via nginx
- docker-compose.yml: backend (internal) + frontend (port 5353)
- nginx.conf: root redirects to /es/, /api/ proxied to backend
- zonemaster-gui/config.ts: defaultLanguage set to 'es' (Spanish)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

zonemaster/test-zone-data/DNSSEC-TP/dnssec07/dnssec07.cfg

@@ -0,0 +1,235 @@
+# | 127.15.7.0/24   | DNSSEC07 scenarios                                     |
+# | 127.15.7.21     | ns1.dnssec07.xa                                        |
+# | 127.15.7.22     | ns2.dnssec07.xa                                        |
+# | 127.15.7.27     | ns1 of root                                            |
+# | 127.15.7.28     | ns2 of root                                            |
+# | 127.15.7.31     | ns1 of parent in some scenarios                        |
+# | 127.15.7.32     | ns2 of parent in some scenarios                        |
+# | 127.15.7.41     | ns1 of child zone                                      |
+# | 127.15.7.42     | ns2 of child zone                                      |
+# | 127.15.7.53     | resolver with test case local hint                     |
+
+
+## root
+.:53 {
+    bind 127.15.7.27               # ns1
+    bind fda1:b2:c3:0:127:15:7:27  # ns1
+    bind 127.15.7.28               # ns2
+    bind fda1:b2:c3:0:127:15:7:28  # ns2
+    log
+    file DNSSEC-TP/dnssec07/root-zone.zone .
+}
+
+# Resolver using test case local root
+. {
+    bind 127.15.7.53
+    unbound {
+       option root-hints DNSSEC-TP/dnssec07/hintfile.zone
+    }
+    log
+}
+
+dnssec07.xa:53 { # 
+    bind 127.15.7.21               # ns1
+    bind fda1:b2:c3:0:127:15:7:21  # ns1
+    bind 127.15.7.22               # ns2
+    bind fda1:b2:c3:0:127:15:7:22  # ns2
+    log
+    file DNSSEC-TP/dnssec07/dnssec07.xa.zone dnssec07.xa
+}
+
+
+# SIGNED-AND-DS-1
+signed-and-ds-1.dnssec07.xa:53 {
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone signed-and-ds-1.dnssec07.xa
+     template IN DNSKEY signed-and-ds-1.dnssec07.xa. {
+        answer "signed-and-ds-1.dnssec07.xa.  3210  IN  DNSKEY  256 3 13 XboDHQ6clhzmXdJarL5rAlENpwc/L+C5kX3OhwRAPGSOGseBgn7cgt5fbdrREm6nGa6ZWoDfBQR1m4HDosM1Ug=="
+        answer "signed-and-ds-1.dnssec07.xa.  3210  IN  DNSKEY  257 3 13 6/8fEc37k5iabGoWgsl7rmreQth8ADr9sYFGd0pxmgxN19MBR629YAH5ntzSus7SjJx6PAVqGzHHpCPVyDLQHQ=="
+        answer "signed-and-ds-1.dnssec07.xa.  3210  IN  RRSIG  DNSKEY 13 2 3600 20351103070323 20250929053323 51298 signed-and-ds-1.dnssec07.xa. PjvG59Cz29mhpMEwzuXJSqKk/kuEvoMxKIPPgVGwj4cezpiu94xNC4O7CzWltqH/mLMR5AAqXpMbVgXe9gAngA=="
+     }
+}
+
+# SIGNED-NO-DS-1
+signed-no-ds-1.dnssec07.xa:53 {
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone signed-no-ds-1.dnssec07.xa
+     template IN DNSKEY signed-no-ds-1.dnssec07.xa. {
+        answer "signed-no-ds-1.dnssec07.xa.  3210  IN  DNSKEY  256 3 13 XboDHQ6clhzmXdJarL5rAlENpwc/L+C5kX3OhwRAPGSOGseBgn7cgt5fbdrREm6nGa6ZWoDfBQR1m4HDosM1Ug=="
+        answer "signed-no-ds-1.dnssec07.xa.  3210  IN  DNSKEY  257 3 13 6/8fEc37k5iabGoWgsl7rmreQth8ADr9sYFGd0pxmgxN19MBR629YAH5ntzSus7SjJx6PAVqGzHHpCPVyDLQHQ=="
+        answer "signed-no-ds-1.dnssec07.xa.  3210  IN  RRSIG  DNSKEY 13 2 3600 20351103070323 20250929053323 51298 signed-no-ds-1.dnssec07.xa. PjvG59Cz29mhpMEwzuXJSqKk/kuEvoMxKIPPgVGwj4cezpiu94xNC4O7CzWltqH/mLMR5AAqXpMbVgXe9gAngA=="
+     }
+}
+
+# INCONSIST-SIGNED-AND-DS-1
+inconsist-signed-and-ds-1.dnssec07.xa:53 {
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone inconsist-signed-and-ds-1.dnssec07.xa
+     template IN DNSKEY inconsist-signed-and-ds-1.dnssec07.xa. {
+        answer "inconsist-signed-and-ds-1.dnssec07.xa.  3210  IN  DNSKEY  256 3 13 XboDHQ6clhzmXdJarL5rAlENpwc/L+C5kX3OhwRAPGSOGseBgn7cgt5fbdrREm6nGa6ZWoDfBQR1m4HDosM1Ug=="
+        answer "inconsist-signed-and-ds-1.dnssec07.xa.  3210  IN  DNSKEY  257 3 13 6/8fEc37k5iabGoWgsl7rmreQth8ADr9sYFGd0pxmgxN19MBR629YAH5ntzSus7SjJx6PAVqGzHHpCPVyDLQHQ=="
+        answer "inconsist-signed-and-ds-1.dnssec07.xa.  3210  IN  RRSIG  DNSKEY 13 2 3600 20351103070323 20250929053323 51298 inconsist-signed-and-ds-1.dnssec07.xa. PjvG59Cz29mhpMEwzuXJSqKk/kuEvoMxKIPPgVGwj4cezpiu94xNC4O7CzWltqH/mLMR5AAqXpMbVgXe9gAngA=="
+     }
+}
+inconsist-signed-and-ds-1.dnssec07.xa:53 {
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone inconsist-signed-and-ds-1.dnssec07.xa
+}
+
+# INCONSIST-SIGNED-NO-DS-1
+inconsist-signed-no-ds-1.dnssec07.xa:53 {
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone inconsist-signed-no-ds-1.dnssec07.xa
+     template IN DNSKEY inconsist-signed-no-ds-1.dnssec07.xa. {
+        answer "inconsist-signed-no-ds-1.dnssec07.xa.  3210  IN  DNSKEY  256 3 13 XboDHQ6clhzmXdJarL5rAlENpwc/L+C5kX3OhwRAPGSOGseBgn7cgt5fbdrREm6nGa6ZWoDfBQR1m4HDosM1Ug=="
+        answer "inconsist-signed-no-ds-1.dnssec07.xa.  3210  IN  DNSKEY  257 3 13 6/8fEc37k5iabGoWgsl7rmreQth8ADr9sYFGd0pxmgxN19MBR629YAH5ntzSus7SjJx6PAVqGzHHpCPVyDLQHQ=="
+        answer "inconsist-signed-no-ds-1.dnssec07.xa.  3210  IN  RRSIG  DNSKEY 13 2 3600 20351103070323 20250929053323 51298 inconsist-signed-no-ds-1.dnssec07.xa. PjvG59Cz29mhpMEwzuXJSqKk/kuEvoMxKIPPgVGwj4cezpiu94xNC4O7CzWltqH/mLMR5AAqXpMbVgXe9gAngA=="
+     }
+}
+inconsist-signed-no-ds-1.dnssec07.xa:53 {
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone inconsist-signed-no-ds-1.dnssec07.xa
+}
+
+# ### SIGNED-AND-INCONSIST-DS-1
+signed-and-inconsist-ds-1.dnssec07.xa:53 { # parent (ns1)
+     bind 127.15.7.31               # ns1
+     bind fda1:b2:c3:0:127:15:7:31  # ns1
+     log
+     file DNSSEC-TP/dnssec07/signed-and-inconsist-ds-1.dnssec07.xa_ns1.zone signed-and-inconsist-ds-1.dnssec07.xa
+}
+signed-and-inconsist-ds-1.dnssec07.xa:53 { # parent (ns1)
+     bind 127.15.7.32               # ns2
+     bind fda1:b2:c3:0:127:15:7:32  # ns2
+     log
+     file DNSSEC-TP/dnssec07/signed-and-inconsist-ds-1.dnssec07.xa_ns2.zone signed-and-inconsist-ds-1.dnssec07.xa
+}
+child.signed-and-inconsist-ds-1.dnssec07.xa:53 { # child
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone child.signed-and-inconsist-ds-1.dnssec07.xa
+     template IN DNSKEY child.signed-and-inconsist-ds-1.dnssec07.xa. {
+        answer "child.signed-and-inconsist-ds-1.dnssec07.xa.  3210  IN  DNSKEY  256 3 13 XboDHQ6clhzmXdJarL5rAlENpwc/L+C5kX3OhwRAPGSOGseBgn7cgt5fbdrREm6nGa6ZWoDfBQR1m4HDosM1Ug=="
+        answer "child.signed-and-inconsist-ds-1.dnssec07.xa.  3210  IN  DNSKEY  257 3 13 6/8fEc37k5iabGoWgsl7rmreQth8ADr9sYFGd0pxmgxN19MBR629YAH5ntzSus7SjJx6PAVqGzHHpCPVyDLQHQ=="
+        answer "child.signed-and-inconsist-ds-1.dnssec07.xa.  3210  IN  RRSIG  DNSKEY 13 2 3600 20351103070323 20250929053323 51298 child.signed-and-inconsist-ds-1.dnssec07.xa. PjvG59Cz29mhpMEwzuXJSqKk/kuEvoMxKIPPgVGwj4cezpiu94xNC4O7CzWltqH/mLMR5AAqXpMbVgXe9gAngA=="
+     }
+}
+
+# UNSIGNED-AND-DS-1
+unsigned-and-ds-1.dnssec07.xa:53 {
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone unsigned-and-ds-1.dnssec07.xa
+}
+
+# UNSIGNED-NO-DS-1
+unsigned-no-ds-1.dnssec07.xa:53 {
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone unsigned-no-ds-1.dnssec07.xa
+}
+
+# NON-AUTH-RESPONSE-DNSKEY-1
+non-auth-response-dnskey-1.dnssec07.xa:53 {
+     view pass {
+        expr type() in ['DNSKEY']
+        }
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     log
+     template IN DNSKEY non-auth-response-dnskey-1.dnssec07.xa. {
+        answer "non-auth-response-dnskey-1.dnssec07.xa.  3210  IN  DNSKEY  256 3 13 XboDHQ6clhzmXdJarL5rAlENpwc/L+C5kX3OhwRAPGSOGseBgn7cgt5fbdrREm6nGa6ZWoDfBQR1m4HDosM1Ug=="
+        answer "non-auth-response-dnskey-1.dnssec07.xa.  3210  IN  DNSKEY  257 3 13 6/8fEc37k5iabGoWgsl7rmreQth8ADr9sYFGd0pxmgxN19MBR629YAH5ntzSus7SjJx6PAVqGzHHpCPVyDLQHQ=="
+        answer "non-auth-response-dnskey-1.dnssec07.xa.  3210  IN  RRSIG  DNSKEY 13 2 3600 20351103070323 20250929053323 51298 non-auth-response-dnskey-1.dnssec07.xa. PjvG59Cz29mhpMEwzuXJSqKk/kuEvoMxKIPPgVGwj4cezpiu94xNC4O7CzWltqH/mLMR5AAqXpMbVgXe9gAngA=="
+     }
+     header {
+         response clear aa
+     }
+}
+non-auth-response-dnskey-1.dnssec07.xa:53 {
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone non-auth-response-dnskey-1.dnssec07.xa
+}
+non-auth-response-dnskey-1.dnssec07.xa:53 {
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone non-auth-response-dnskey-1.dnssec07.xa
+     template IN DNSKEY non-auth-response-dnskey-1.dnssec07.xa. {
+        answer "non-auth-response-dnskey-1.dnssec07.xa.  3210  IN  DNSKEY  256 3 13 XboDHQ6clhzmXdJarL5rAlENpwc/L+C5kX3OhwRAPGSOGseBgn7cgt5fbdrREm6nGa6ZWoDfBQR1m4HDosM1Ug=="
+        answer "non-auth-response-dnskey-1.dnssec07.xa.  3210  IN  DNSKEY  257 3 13 6/8fEc37k5iabGoWgsl7rmreQth8ADr9sYFGd0pxmgxN19MBR629YAH5ntzSus7SjJx6PAVqGzHHpCPVyDLQHQ=="
+        answer "non-auth-response-dnskey-1.dnssec07.xa.  3210  IN  RRSIG  DNSKEY 13 2 3600 20351103070323 20250929053323 51298 non-auth-response-dnskey-1.dnssec07.xa. PjvG59Cz29mhpMEwzuXJSqKk/kuEvoMxKIPPgVGwj4cezpiu94xNC4O7CzWltqH/mLMR5AAqXpMbVgXe9gAngA=="
+     }
+}
+
+# NO-RESPONSE-DNSKEY-1
+no-response-dnskey-1.dnssec07.xa:53 {
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone no-response-dnskey-1.dnssec07.xa
+     acl no-response-dnskey-1.dnssec07.xa {
+        drop type DNSKEY
+     }
+}
+no-response-dnskey-1.dnssec07.xa:53 {
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone no-response-dnskey-1.dnssec07.xa
+     template IN DNSKEY no-response-dnskey-1.dnssec07.xa. {
+        answer "no-response-dnskey-1.dnssec07.xa.  3210  IN  DNSKEY  256 3 13 XboDHQ6clhzmXdJarL5rAlENpwc/L+C5kX3OhwRAPGSOGseBgn7cgt5fbdrREm6nGa6ZWoDfBQR1m4HDosM1Ug=="
+        answer "no-response-dnskey-1.dnssec07.xa.  3210  IN  DNSKEY  257 3 13 6/8fEc37k5iabGoWgsl7rmreQth8ADr9sYFGd0pxmgxN19MBR629YAH5ntzSus7SjJx6PAVqGzHHpCPVyDLQHQ=="
+        answer "no-response-dnskey-1.dnssec07.xa.  3210  IN  RRSIG  DNSKEY 13 2 3600 20351103070323 20250929053323 51298 no-response-dnskey-1.dnssec07.xa. PjvG59Cz29mhpMEwzuXJSqKk/kuEvoMxKIPPgVGwj4cezpiu94xNC4O7CzWltqH/mLMR5AAqXpMbVgXe9gAngA=="
+     }
+}
+
+# ### UNEXP-RCODE-RESP-DNSKEY-1
+unexp-rcode-resp-dnskey-1.dnssec07.xa:53 {
+     bind 127.15.7.41               # ns1
+     bind fda1:b2:c3:0:127:15:7:41  # ns1
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone unexp-rcode-resp-dnskey-1.dnssec07.xa
+     template IN DNSKEY unexp-rcode-resp-dnskey-1.dnssec07.xa. {
+         rcode "REFUSED"
+     }
+}
+unexp-rcode-resp-dnskey-1.dnssec07.xa:53 {
+     bind 127.15.7.42               # ns2
+     bind fda1:b2:c3:0:127:15:7:42  # ns2
+     log
+     file DNSSEC-TP/dnssec07/CHILD.dnssec07.xa.zone unexp-rcode-resp-dnskey-1.dnssec07.xa
+     template IN DNSKEY unexp-rcode-resp-dnskey-1.dnssec07.xa. {
+        answer "unexp-rcode-resp-dnskey-1.dnssec07.xa.  3210  IN  DNSKEY  256 3 13 XboDHQ6clhzmXdJarL5rAlENpwc/L+C5kX3OhwRAPGSOGseBgn7cgt5fbdrREm6nGa6ZWoDfBQR1m4HDosM1Ug=="
+        answer "unexp-rcode-resp-dnskey-1.dnssec07.xa.  3210  IN  DNSKEY  257 3 13 6/8fEc37k5iabGoWgsl7rmreQth8ADr9sYFGd0pxmgxN19MBR629YAH5ntzSus7SjJx6PAVqGzHHpCPVyDLQHQ=="
+        answer "unexp-rcode-resp-dnskey-1.dnssec07.xa.  3210  IN  RRSIG  DNSKEY 13 2 3600 20351103070323 20250929053323 51298 unexp-rcode-resp-dnskey-1.dnssec07.xa. PjvG59Cz29mhpMEwzuXJSqKk/kuEvoMxKIPPgVGwj4cezpiu94xNC4O7CzWltqH/mLMR5AAqXpMbVgXe9gAngA=="
+     }
+}
+