{resolver,validator}: provide more EDE codes.

dnssec:

• Provide a way to retrieve whether a DNSKEY has the Zone Key Bit set, and add bindings for Lua modules (kr_dnssec_key_zonekey_flag), like kr_dnssec_key_sep_flag.
• In kr_ds_algo_support() provide a way to retrieve what is wrong with the keys.
• Check if a RRSIG RR has the signature expired already before inception time.

validator:

• Set EDE "Unsupported NSEC3 Iterations Value" when downgrading.
• Set EDE "Signature Expired before Valid" when checking RRSIGs.
• Set EDE "No Zone Key Bit Set" when a DNSKEY with the Zone Key Bit set to 0 is discarded.
• Instead of the generic "Other Error" with extra text "unsupported digest/key", set appropriate EDEs "Unsupported DNSKEY Algorithm" and "Unsupported DS Digest Type".

resolver:

• Set EDE "No Reachable Authority" when it is decided that all authoritative servers are unreachable or misbehaving.

Depends on/supersedes !1585 (merged).