Improve and extend "auto-dnssec" tests

Just testing whether an NSEC3 record exists with the DNSKEY bit set in
its type bitmap is arguably not a solid enough test for how named
processes a signed zone with "auto-dnssec maintain;" set and extra keys
available.  Rather than querying a resolver for a record at the apex of
such a zone, get the whole zone from an authoritative server and run it
through dnssec-verify to improve the comprehensiveness of the test.

Add similar tests for signed zones which have extra keys using a
different algorithm available.

Prevent zone file duplication by making all relevant tests use the same
source file, "".
41 jobs for !1875 with 953-properly-handle-nsec3param-in-unsigned-zone-files in 17 minutes and 28 seconds (queued for 3 seconds)
latest detached