Implement system tests for signing #342

@bal-e

Some of these may be more appropriate as unit tests.

  • Test that signed zones are DNSSEC-valid (e.g. via dnssec-verifyzone)
  • Test that (without pass-through mode) DNSSEC records in the input are stripped
  • Test that signed zones contain all the same records as unsigned zones (excl. SOA)
  • Test that NSEC / NSEC3 chains are generated based on the signer.denial.type policy
  • Test that NSEC3 empty non-terminals are produced
  • Test that NSEC3 opt-out correctly omits unsigned delegations
  • Test that generated RRSIGs have the TTL of their unsigned RRset
  • Test that generated RRSIGs have appropriate inception and expiration times
  • Test that the generated SOA serial matches the serial number policy (for all options)

Tests that can be implemented now, but will be important for #299:

  • Test that adding an NS record causes descendant records (which are now glue) to not be signed
  • Test that removing an NS record causes descendant records (which were glue) to be signed
  • Test that NSEC3 empty non-terminals are correctly added and removed
  • Test that adding a DS record for a delegation includes it in the NSEC3 chain with opt-out
  • Test that removing the DS record for a delegation removes it from the NSEC3 chain with opt-out

Tests for #299 that cannot be implemented yet:

  • Test that the signer fails if it cannot find a valid resigning schedule (due to max-changed-signatures, min-resign-period, expiration-time / remain-time and max-rollover-time policy settings)
  • Test that the signer respects the max-changed-signatures setting
  • Test that the signer respects the min-resign-period setting
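
A few of the checks listed above (records preserved apart from SOA, RRSIG TTL equal to the covered RRset's TTL, RRSIG validity window), written as an added example that is not part of the issue or the project's code. It assumes one fully qualified record per line in `owner TTL IN TYPE rdata` form; `parse_zone`, `check_signed_zone`, the sample zones and the placeholder signatures are constructed for illustration.

```python
# Added example: invariant checks over constructed zone text (not project code).
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}  # assumed set of stripped types

# Constructed sample zones; the signature field is placeholder text, not a real signature.
UNSIGNED = """\
example. 3600 IN SOA ns.example. admin.example. 1 7200 3600 1209600 3600
example. 3600 IN NS ns.example.
ns.example. 300 IN A 192.0.2.1
"""
SIGNED_OK = UNSIGNED.replace(" 1 7200", " 2 7200") + """\
example. 3600 IN RRSIG NS 13 1 3600 20250201000000 20250101000000 1234 example. c2ln
ns.example. 300 IN RRSIG A 13 2 300 20250201000000 20250101000000 1234 example. c2ln
"""

def parse_zone(text):
    """Parse one-record-per-line text into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), int(ttl), rtype.upper(), tuple(rdata)))
    return records

def check_signed_zone(unsigned_text, signed_text, now):
    """Return a list of violations; `now` is YYYYMMDDHHmmSS, like RRSIG timestamps."""
    unsigned, signed = parse_zone(unsigned_text), parse_zone(signed_text)
    problems = []
    # Input records other than SOA and DNSSEC types must survive signing unchanged.
    signed_set = set(signed)
    for rec in unsigned:
        if rec[2] != "SOA" and rec[2] not in DNSSEC_TYPES and rec not in signed_set:
            problems.append(f"missing after signing: {rec[0]} {rec[2]}")
    # TTL of each RRset in the signed zone, keyed by (owner, type).
    rrset_ttl = {(o, t): ttl for o, ttl, t, _ in signed if t != "RRSIG"}
    for owner, ttl, rtype, rdata in signed:
        if rtype != "RRSIG":
            continue
        covered, expiration, inception = rdata[0].upper(), rdata[4], rdata[5]
        if (owner, covered) not in rrset_ttl:
            problems.append(f"RRSIG covers absent RRset: {owner} {covered}")
        elif rrset_ttl[(owner, covered)] != ttl:
            problems.append(f"RRSIG TTL mismatch: {owner} {covered}")
        if not int(inception) <= int(now) < int(expiration):
            problems.append(f"RRSIG not valid at {now}: {owner} {covered}")
    return problems
```

These checks cover only structural invariants; cryptographic validity of the signatures still needs a DNSSEC validator.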
