
DNSSEC fixes

Ghost User requested to merge dnssec-fixes into master

Two fixes in this MR:

  1. Continuation of the fix merged in !176. Knot was still generating RRSIGs for the old (wrong) NSEC3s, as it did not know that they would be removed. Fixed by marking nodes from which NSEC3s are to be removed, so that these are not signed in the next step. (Commit 38aeecc3)
  2. The function for saving removed NSEC/NSEC3 records into the changeset (knot_nsec_changeset_remove()) was ignoring NSEC3 RRSIGs. (Commit 8b5f08ac) This probably manifested after UPDATE - a test should be added for this case.
