Just testing whether an NSEC3 record exists with the DNSKEY bit set in
its type bitmap is arguably not a solid enough test for how named
processes a signed zone with "auto-dnssec maintain;" set and extra keys
available.  Rather than querying a resolver for a record at the apex of
such a zone, get the whole zone from an authoritative server and run it
through dnssec-verify to improve the comprehensiveness of the test.

Add similar tests for signed zones which have extra keys using a
different algorithm available.

Prevent zone file duplication by making all relevant tests use the same
source file, "auto-nsec.example.db.in".