validate: work around some SERVFAILs (iterating mode)

Vladimír Čunát requested to merge org.ru into master
  • This affects the iterating mode only (except for a verbose message).
  • The problem was introduced when implementing forwarding in 651c5aad.
  • Example that was affected: *.org.ru.

When the same server is authoritative for multiple consecutive zones, with a higher one being signed and a lower one being unsigned, we may get an unsigned answer even in case we think we're currently in a signed zone.

In particular, DS (sub-)queries are important because of being used to prove the insecurity of zones - in that case the iterator can correctly determine the (unexpected) zone name from which the answer came, due to seeing the SOA record, but that is too late for zone_cut_check() to try getting a trust chain to it, so we need to YIELD for it to do it.
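
The decision described above, as an added C sketch that is not code from this merge request or from the resolver itself. The enum and function names are hypothetical, and names are assumed to be absolute, dot-terminated strings; the rejection of SOA owners outside the current cut is an assumption of this sketch.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical outcome names for this sketch; not the resolver's identifiers. */
enum ds_action { DS_VALIDATE_HERE, DS_YIELD_FOR_CHAIN, DS_REJECT };

/* True if `name` equals `zone` or lies below it. Both are absolute,
 * dot-terminated presentation-format names; the comparison is
 * case-insensitive and only matches on label boundaries. */
static int in_zone(const char *name, const char *zone)
{
    size_t n = strlen(name), z = strlen(zone);
    if (z == 1 && zone[0] == '.')          /* the root contains everything */
        return 1;
    if (z > n || strcasecmp(name + (n - z), zone) != 0)
        return 0;
    return n == z || name[n - z - 1] == '.';
}

/* Decide what to do with a negative answer to a DS sub-query.
 *   cut       - zone we believe we are in (trust chain already built)
 *   qname     - owner name of the DS query
 *   soa_owner - owner of the SOA record in the authority section */
enum ds_action classify_ds_answer(const char *cut, const char *qname,
                                  const char *soa_owner)
{
    /* The SOA must belong to an ancestor-or-self of qname, at or below cut. */
    if (!in_zone(qname, soa_owner) || !in_zone(soa_owner, cut))
        return DS_REJECT;
    if (strcasecmp(soa_owner, cut) == 0)
        return DS_VALIDATE_HERE;           /* answer came from the expected zone */
    /* The answer came from a zone below the cut (e.g. org.ru. while we thought
     * we were in ru.): its security status is unknown until a trust chain or
     * a proof of insecurity reaches soa_owner, so the caller has to yield. */
    return DS_YIELD_FOR_CHAIN;
}
```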