validator: avoid using RRSIG from a different packet

Restrict tried RRSIGs by qry_uid equality. I see no use case against and it could be confusing. (Also rewrite the conditions around to positive form.)

An assertion in cache noticed an NSEC with _SECURE rank but no RRSIG (in practice). It was a side-effect of still not keeping RRSIGs with their RRs in some places. It wasn't a security problem, as it doesn't really matter where the signatures came from. Theoretically it might've lead to incorrect caching (missing usable RRSIGs), as cache was restricting qry_uid to match, but that hasn't been noticed in practice.