Treat records below a DNAME as out-of-zone data

DNAME records indicate bottom of zone and thus no records below a DNAME
should be DNSSEC-signed or included in NSEC(3) chains.  Add a helper
function, has_dname(), for detecting DNAME records at a given node.
Prevent signing DNAME-obscured records.  Check that DNAME-obscured
records are not signed.

bin/tests/system/verify/tests.sh

@@ -58,7 +58,7 @@ do
 		expect1="signature has expired"
 		expect2="No self-signed .*DNSKEY found"
 		;;
-	*.out-of-zone-nsec|*.below-bottom-of-zone-nsec)
+	*.out-of-zone-nsec|*.below-bottom-of-zone-nsec|*.below-dname-nsec)
 		expect1="unexpected NSEC RRset at"
 		;;
 	*.nsec.broken-chain)