Bug
When a zone is configured with `regex: true`, the zone `name` is a regex pattern (e.g. `.*`), not a real DNS zone name. However, `check_rrset_allowed` applies a string `endswith(zone.name)` guard before evaluating `regex_records`:
```python
if not rrset["name"].rstrip(".").endswith(zone.name.rstrip(".")):
    return False  # always hits here for regex zones
for regex in zone.regex_records:  # never reached
    if check_record_in_regex(rrset["name"], regex):
        return True
```
Since no real record name ends with `.*`, the guard fails for every rrset and the function returns `False` before `regex_records` is ever consulted, so a regex zone cannot be restricted to specific record-name patterns at all.
Impact
Any config combining `regex: true` on the zone name with `regex_records` to filter record names is silently broken — all writes are denied regardless of the record name.
Fix
Skip the endswith guard when `zone.regex is True`:
```python
if not zone.regex and not rrset["name"].rstrip(".").endswith(zone.name.rstrip(".")):
    return False
```
Example use case that requires this fix
An ACME certificate manager token that may only read all zones and write `_acme-challenge.*` TXT records:
```yaml
zones:
  - name: ".*"
    regex: true
    allowed_record_types:
      - "TXT"
    regex_records:
      - '^_acme-challenge\..*'
```
(The record pattern is single-quoted on purpose: inside a YAML double-quoted string `\.` is not a valid escape sequence and strict parsers reject it.)
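The buggy guard, the proposed fix and the ACME use case side by side, as an added example that reimplements the two snippets above and is not the project's own code. The `Zone` dataclass fields, the body of `check_record_in_regex` (assumed to be `re.match` on the name with its trailing dot removed), the `allowed_record_types` check and the value returned when `regex_records` is empty are all assumptions about the surrounding function, which this report does not show:

```python
"""Added example: check_rrset_allowed before and after the fix from this report.

Everything beyond the two quoted snippets (Zone fields, check_record_in_regex,
the type check, the post-loop return) is an assumption, not the project's code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Zone:
    name: str                                  # literal zone name, or a regex when regex=True
    regex: bool = False
    allowed_record_types: List[str] = field(default_factory=list)
    regex_records: List[str] = field(default_factory=list)


def check_record_in_regex(name: str, pattern: str) -> bool:
    # Assumption: the project anchors at the start of the name (re.match)
    # after stripping the trailing dot.
    return re.match(pattern, name.rstrip(".")) is not None


def _name_filters_pass(rrset: Dict[str, str], zone: Zone) -> bool:
    # Assumed remainder of the function: the record type must be listed, and
    # if regex_records is non-empty at least one pattern must match the name.
    if rrset["type"] not in zone.allowed_record_types:
        return False
    if not zone.regex_records:
        return True
    return any(check_record_in_regex(rrset["name"], p) for p in zone.regex_records)


def check_rrset_allowed_buggy(rrset: Dict[str, str], zone: Zone) -> bool:
    """The guard exactly as quoted in the report: it runs for regex zones too."""
    if not rrset["name"].rstrip(".").endswith(zone.name.rstrip(".")):
        return False                            # always taken when zone.name == ".*"
    return _name_filters_pass(rrset, zone)


def check_rrset_allowed_fixed(rrset: Dict[str, str], zone: Zone) -> bool:
    """The report's fix: skip the suffix guard when the zone name is a regex."""
    if not zone.regex and not rrset["name"].rstrip(".").endswith(zone.name.rstrip(".")):
        return False
    return _name_filters_pass(rrset, zone)


# The ACME zone from this report, written as the dataclass (constructed input).
ACME_ZONE = Zone(
    name=".*",
    regex=True,
    allowed_record_types=["TXT"],
    regex_records=[r"^_acme-challenge\..*"],
)

# A literal zone for contrast: the suffix guard must keep applying here.
LITERAL_ZONE = Zone(name="example.com", allowed_record_types=["A", "TXT"])

# Constructed rrsets covering the interesting cases for the ACME token.
SAMPLE_RRSETS = [
    {"name": "_acme-challenge.example.com.", "type": "TXT"},      # must be allowed
    {"name": "_acme-challenge.sub.example.org.", "type": "TXT"},  # must be allowed (any zone)
    {"name": "www.example.com.", "type": "TXT"},                  # name not in regex_records
    {"name": "_acme-challenge.example.com.", "type": "A"},        # type not allowed
]


def evaluate(zone: Zone, rrsets) -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """Map (name, type) -> (buggy result, fixed result) for the given zone."""
    return {
        (r["name"], r["type"]): (check_rrset_allowed_buggy(r, zone),
                                 check_rrset_allowed_fixed(r, zone))
        for r in rrsets
    }


if __name__ == "__main__":
    for (name, rtype), (buggy, fixed) in evaluate(ACME_ZONE, SAMPLE_RRSETS).items():
        print(f"{rtype:4} {name:36} buggy={buggy!s:5} fixed={fixed}")
```

Running it shows the buggy version denying all four rrsets for the ACME zone, while the fixed version allows only the two `_acme-challenge.*` TXT records and still rejects everything under `LITERAL_ZONE` that does not end in `example.com`. One thing to verify when applying the fix: the guard as quoted is a plain string suffix test, and whether the full function also anchors it on a label boundary is not shown on this page.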