DNSSEC: refresh signatures earlier

The signatures are now refreshed (signature_lifetime / 10) seconds
before their expiration. The default signature lifetime is 30 days,
therefore the signatures are refreshed 3 days before their expiration.

The parameter 'expires_at' in signing functions was renamed to 'refresh_at',
as the name was misleading.

The signing policy structure was cleaned and helper functions were added.

DNSSEC event logging was changed from relative to absolute value, because
the intervals are much longer now.