Convert enable dnssec test case to pytest

Move the 'enable-dnssec' to the rollover test dir and convert to pytest.

This requires new test functionality to check that "CDS is published"
messages are logged (or prohibited).

The setup part is slightly adapted such that it no longer needs to
set the '-P sync' value in most cases (this is then set by 'named'),
and to adjust for the inappropriate safety intervals fix.

(cherry picked from commit 233fdb8d52)

bin/tests/system/isctest/kasp.py

@@ -25,6 +25,7 @@ import dns.tsig
 import isctest.log
 import isctest.query
 import isctest.util
+from isctest.vars.algorithms import Algorithm, ALL_ALGORITHMS_BY_NUM
 
 DEFAULT_TTL = 300
 
@@ -403,6 +404,11 @@ class Key:
     def is_zsk(self) -> bool:
         return self.get_metadata("ZSK") == "yes"
 
+    @property
+    def algorithm(self) -> Algorithm:
+        num = int(self.get_metadata("Algorithm"))
+        return ALL_ALGORITHMS_BY_NUM[num]
+
     def dnskey_equals(self, value, cdnskey=False):
         dnskey = value.split()
 
@@ -955,6 +961,19 @@ def check_cds(rrset, keys):
     assert numcds == len(cdss)
 
 
+def check_cdslog(server, zone, key, substr):
+    with server.watch_log_from_start() as watcher:
+        watcher.wait_for_line(
+            f"{substr} for key {zone}/{key.algorithm.name}/{key.tag} is now published"
+        )
+
+
+def check_cdslog_prohibit(server, zone, key, substr):
+    server.log.prohibit(
+        f"{substr} for key {zone}/{key.algorithm.name}/{key.tag} is now published"
+    )
+
+
 def _query_rrset(server, fqdn, qtype, tsig=None):
     response = _query(server, fqdn, qtype, tsig=tsig)
     assert response.rcode() == dns.rcode.NOERROR