This PR fixes several DNSSEC issues:
Needs a very big review.
Add missing DNSSEC trace message
Add test for island of security (#4181)
Compress 3 lines into 1
Don't go bogus on CNAMEs to islands of security
Incidentally, this commit also ensures that we no longer 'jojo' between
Secure and Insecure states. Once we have an Insecure, we can only go
Bogus but not Secure.
Add changelog entry
Do not follow CNAMEs when hunting for DS records
This fixes the CNAME at apex bogus
Validate all key paths on possible Insecure
Before, we only checked the first QName, now we go through every name we
have to verify that the answer is indeed insecure.