explicitly set dnssec-validation in system tests

the default value of dnssec-validation is 'auto', which causes
a server to send a key refresh query to the root zone when starting
up. this is undesirable behavior in system tests, so this commit
sets dnssec-validation to either 'yes' or 'no' in all tests where
it had not previously been set.

this change had the mostly-harmless side effect of changing the cached
trust level of unvalidated answer data from 'answer' to 'authanswer',
which caused a few test cases in which dumped cache data was examined in
the serve-stale system test to fail. those test cases have now been
updated to expect 'authanswer'.

(cherry picked from commit 0b09ee8cdc)

bin/tests/system/nsupdate/ns1/named.conf.in

@@ -24,6 +24,7 @@ options {
 	notify yes;
 	minimal-responses no;
 	update-quota 1;
+	dnssec-validation no;
 };
 
 acl named-acl {