Add blackbox exporter for outside-in DNS probes

control runs blackbox_exporter on loopback, probing each nameserver's
public v4+v6 address for every zone: SOA (zone served) and DNSKEY (still
signed, since blackbox has no DO-bit option). Probe definitions are
shared between the exporter config and the VictoriaMetrics scrape jobs
so they can't drift. Verified live against ns1/ns2 over v4 and v6.
Berwn
2026-06-17 15:37:45 +07:00
parent 0544bf95e5
commit 54f607d063
6 changed files with 154 additions and 3 deletions
+11 -2
@@ -37,10 +37,19 @@ deploy ns1 and control.
regenerable over time and control is the backup server, so this needs a
second client→server pair (e.g. control→ns2) rather than the same topology
## 3. Blackbox DNS probing
## 3. Blackbox DNS probing (done — pending deploy)
- [ ] `blackbox_exporter` on control doing real DNS + DNSSEC-validation queries
`blackbox_exporter` on control (loopback `:9115`), probing each nameserver's
public v4+v6 address for every zone: an SOA query (zone served?) and a DNSKEY
query (still signed?). Blackbox has no DO-bit option, so signing is checked by
asking for DNSKEY directly and asserting the RRset is present. Probe defs live
in `modules/monitoring/blackbox-probes.nix`, shared by the exporter
(`blackbox.nix`) and the VM scrape jobs (`server.nix`). Verified live against
ns1/ns2: SOA + DNSKEY succeed on both servers over v4 and v6.
- [x] `blackbox_exporter` on control doing real DNS + DNSSEC-validation queries
against ns1/ns2 — catches outside-in resolution failures the Knot stats miss
- [ ] still to pair (next): a `probe_success == 0` alert and a Grafana panel
## 4. Third secondary off Hetzner (resilience)
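Review bot: the checked item `- [x] \`blackbox_exporter\` on control doing real DNS + DNSSEC-validation queries` overstates what the paragraph above it describes. That paragraph says the DNSKEY probe only asserts that the RRset is present (no DO bit, so no RRSIG or chain check), which catches a zone that has been unsigned but not one whose signatures have expired or are otherwise invalid. Suggest wording the item as `DNS + DNSKEY-presence queries` and tracking a real validating check as a separate unchecked item, so the `probe_success == 0` alert in the next bullet is not read as covering signature validity.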