Extend check_dnskey_sigs() so that, if requested, it checks whether the
DNSKEY RRset at zone apex is signed by at least one trust anchor.  The
trust anchor table is passed as an argument to dns_zoneverify_dnssec()
and passed around in the verification context structure.  Neither
dnssec-signzone nor dnssec-verify are yet modified to make use of that
feature, though.