Support restricted key tag range when generating new keys

When generating new keys in a multi-signer scenario it is useful to be able to restrict the generated key to have keys tags within a specified range. This allows for independent key generation by each operator without generating keys with colliding key tags when keys from multiple operators are combined into the DNSKEY RRset. Note both the key tag and the DNSKEY's revoked key tag value need to sit within the range.

Dnssec-policy should roll any current keys that do not match the specified range.