
lib/dnssec: conditionally ignore SHA1 DS, as SHOULD by RFC4509

Vladimír Čunát requested to merge ignore-sha1 into master

We're a bit late with this ad-hoc rule; I think it was most useful when SHA256 support in DS algorithms wasn't wide-spread yet. (Note that DNSKEY algos have standardized no similar rule.)

Usage of SHA1 as DS algorithm is highly discouraged, but even at this point it does not seem unsafe, in the sense of anyone publishing an attack that would come anywhere close to breaking this usage of SHA1.
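The rule the merge request refers to is RFC 4509 section 3: a validator SHOULD ignore DS records with SHA-1 digests when the same DS RRset also contains SHA-256 digests. The following is an added illustration of that filter, not code from this merge request or from Knot Resolver; the `ds_rr_t` struct, the function names and the sample RRset are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DS digest type numbers from the IANA registry (RFC 4034, RFC 4509). */
enum { DS_DIGEST_SHA1 = 1, DS_DIGEST_SHA256 = 2 };

/* Minimal DS record with only the fields this rule looks at.
 * Hypothetical struct for this example, not the resolver's own type. */
typedef struct {
    uint16_t key_tag;
    uint8_t  algorithm;    /* DNSKEY algorithm number, e.g. 8 or 13 */
    uint8_t  digest_type;  /* DS digest type number */
} ds_rr_t;

/* RFC 4509 section 3: if any DS in the RRset carries a SHA-256 digest,
 * ignore every DS in that RRset whose digest is SHA-1. The condition is
 * evaluated over the whole RRset, not per key tag, so a key that is only
 * referenced by a SHA-1 DS is dropped too once a SHA-256 DS is present.
 * Copies the records that survive into `out` (room for `n` entries)
 * and returns how many were kept. Without a SHA-256 DS nothing is
 * removed, so this rule alone can never turn a validatable zone bogus. */
size_t ds_filter_sha1(const ds_rr_t *in, size_t n, ds_rr_t *out)
{
    bool have_sha256 = false;
    for (size_t i = 0; i < n; ++i)
        if (in[i].digest_type == DS_DIGEST_SHA256)
            have_sha256 = true;

    size_t kept = 0;
    for (size_t i = 0; i < n; ++i) {
        if (have_sha256 && in[i].digest_type == DS_DIGEST_SHA1)
            continue;  /* a stronger digest exists: SHA-1 DS is ignored */
        out[kept++] = in[i];
    }
    return kept;
}

/* Convenience wrapper: number of DS records left after the filter. */
size_t ds_count_after_filter(const ds_rr_t *in, size_t n)
{
    ds_rr_t buf[64];
    if (n > sizeof buf / sizeof buf[0])
        n = sizeof buf / sizeof buf[0];
    return ds_filter_sha1(in, n, buf);
}

int main(void)
{
    /* Constructed DS RRset: one key published with both digest types,
     * a second key published with a SHA-1 digest only. */
    const ds_rr_t rrset[] = {
        { 12345, 8, DS_DIGEST_SHA1 },
        { 12345, 8, DS_DIGEST_SHA256 },
        { 54321, 8, DS_DIGEST_SHA1 },
    };
    ds_rr_t kept[3];
    size_t n = ds_filter_sha1(rrset, 3, kept);
    for (size_t i = 0; i < n; ++i)
        printf("keep DS keytag=%u alg=%u digest=%u\n",
               kept[i].key_tag, kept[i].algorithm, kept[i].digest_type);
    return 0;
}
```

With the constructed RRset above only the SHA-256 DS for key tag 12345 survives; an RRset that contains SHA-1 digests alone is passed through unchanged, which is what makes the rule conditional rather than a blanket refusal of SHA-1.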
