to make a related test pass, incorporated the NotImplemented exception
handling from findNSECCover to getDNSSECRRset.
note: in this commit I reversed the behavior when we encounter the situation
where NSEC is expected but cannot be found; it now returns a NULL pointer,
although the NSEC_SIGNED flag can be still set.

It's a quite broken case of zone config so it's probably up to the
implementation, and in that sense throwing an exception is not necessary
wrong.  But we may have such a situation in a valid scenario if and when we
support incremental zone signing.  Also, this behavior is consistent with
BIND 9.

The emptyNonterminalNSEC test case was adjusted accordingly.