While reviewing !291 (merged), @marka noted that verifyzone()...

needs to check for DNAME records as these indicate bottom of zone like is_delegation() indicates bottom of zone. DNAME can appear at the zone apex and if is_delegation() returns true the DNAME test should not be made. zonecut needs to be set if the DNAME test is true so that check_no_nsec() is called for obscured records.