Add check for NSEC3 and key algorithms

NSEC3 is not backwards compatible with key algorithms that existed
before the RFC 5155 specification was published.

(cherry picked from commit 00c5dabea3)

bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf

@@ -11,14 +11,14 @@
 
 dnssec-policy "rsasha1" {
 	keys {
-		csk lifetime P10Y algorithm rsasha1 1024;
+		csk lifetime P10Y algorithm nsec3rsasha1 1024;
 	};
 	nsec3param iterations 150;
 };
 
 dnssec-policy "rsasha1-bad" {
 	keys {
-		csk lifetime P10Y algorithm rsasha1 1024;
+		csk lifetime P10Y algorithm nsec3rsasha1 1024;
 	};
 	nsec3param iterations 151;
 };