unbound has some trouble with validating DNSSEC-enabled
domains when the upstream name server is stripping signatures
from the authoritative responses.
This script now checks that, removes any broken upstream
name servers from the list and prints a warning.
If all name servers fail the test, unbound falls back
into recursor mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
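
Added example, not part of the original commit or the project's script: a sketch of the check described above, run over constructed answers in `dig +dnssec` output format. The function names, the test zone `example.org` and the 192.0.2.x addresses are assumptions.

```bash
#!/bin/sh
# Added illustration; function names, test zone and addresses are assumptions.

# Constructed answers in the format printed by
#   dig @SERVER SOA example.org +dnssec +noall +answer
# Replace the body with that dig call to test real upstream servers.
# The test zone must be known to be signed, or every server looks broken.
query_soa() {
    case "$1" in
        192.0.2.1)  # constructed: passes signatures through
            printf '%s\n' \
                'example.org. 3600 IN SOA ns.example.org. admin.example.org. 1 7200 3600 1209600 3600' \
                'example.org. 3600 IN RRSIG SOA 13 2 3600 20300101000000 20291201000000 12345 example.org. c2FtcGxl'
            ;;
        192.0.2.2)  # constructed: answers, but without the RRSIG
            printf '%s\n' \
                'example.org. 3600 IN SOA ns.example.org. admin.example.org. 1 7200 3600 1209600 3600'
            ;;
        *) return 1 ;;  # no answer at all
    esac
}

# Succeeds only if the answer carries an RRSIG covering the SOA record.
ns_keeps_signatures() {
    query_soa "$1" | awk '$4 == "RRSIG" && $5 == "SOA" { ok = 1 } END { exit !ok }'
}

# Prints the servers that pass; warns on stderr about the ones that do not.
filter_forwarders() {
    ff_usable=""
    for ff_ns in "$@"; do
        if ns_keeps_signatures "$ff_ns"; then
            ff_usable="${ff_usable:+$ff_usable }$ff_ns"
        else
            echo "WARNING: $ff_ns strips DNSSEC signatures, not using it" >&2
        fi
    done
    echo "$ff_usable"
}

# Forward to the surviving servers, or recurse if none survive.
resolver_mode() {
    rm_usable=$(filter_forwarders "$@")
    if [ -n "$rm_usable" ]; then echo "forward: $rm_usable"; else echo "recursor"; fi
}

resolver_mode 192.0.2.1 192.0.2.2
```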