git.ipfire.org Git - thirdparty/bind9.git/commit
Implement RFC 3645 Section 4.1.1 key expiry check in TKEY
Check for existing non-expired TSIG keys before accepting a new
GSS-API negotiation. Per RFC 3645 Section 4.1.1:
- If a key exists and has not expired, reject with BADNAME
- If a key exists but has expired, delete it and start fresh
Previously, an expired GSS key would permanently block
re-negotiation for that name until the server was restarted.
Use BADKEY rather than BADNAME to avoid creating an oracle for
key name enumeration by unauthenticated attackers.
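The check this commit describes, as an added C model of the RFC 3645 section 4.1.1 logic. This is illustration code written for this page, not BIND's TKEY implementation: the ring, entry and function names are hypothetical, expiry is modelled as an absolute timestamp where "expired" means `expire <= now`, and the rejection code follows the commit's final paragraph (BADKEY). A second function models the behaviour the commit says it replaces, where any existing key, expired or not, blocked re-negotiation.

```c
/*
 * Toy model of the RFC 3645 section 4.1.1 key-expiry check.
 * Added illustration, not BIND's code: tkey_ring, tkey_entry,
 * ring_add, ring_find and tkey_check_* are hypothetical names.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* TSIG extended RCODEs: BADKEY from RFC 2845, BADNAME from RFC 2930. */
#define TSIG_BADKEY  17
#define TSIG_BADNAME 20

#define MAX_KEYS 8
#define NAME_LEN 64

typedef struct {
    char   name[NAME_LEN];
    time_t expire;   /* absolute expiry; 0 means "never expires" */
    bool   in_use;
} tkey_entry;

typedef struct {
    tkey_entry keys[MAX_KEYS];
} tkey_ring;

enum tkey_decision { TKEY_PROCEED = 0, TKEY_REJECT = 1 };

/* DNS names compare case-insensitively. */
static bool name_equal(const char *a, const char *b) {
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

static tkey_entry *ring_find(tkey_ring *ring, const char *name) {
    for (int i = 0; i < MAX_KEYS; i++) {
        if (ring->keys[i].in_use && name_equal(ring->keys[i].name, name))
            return &ring->keys[i];
    }
    return NULL;
}

bool ring_add(tkey_ring *ring, const char *name, time_t expire) {
    if (strlen(name) >= NAME_LEN)
        return false;
    for (int i = 0; i < MAX_KEYS; i++) {
        if (!ring->keys[i].in_use) {
            strcpy(ring->keys[i].name, name);   /* length checked above */
            ring->keys[i].expire = expire;
            ring->keys[i].in_use = true;
            return true;
        }
    }
    return false;
}

int ring_count(const tkey_ring *ring) {
    int n = 0;
    for (int i = 0; i < MAX_KEYS; i++)
        n += ring->keys[i].in_use ? 1 : 0;
    return n;
}

/*
 * Behaviour the commit describes as "previously": a key with that name,
 * expired or not, blocks a new negotiation until the key is gone.
 */
enum tkey_decision
tkey_check_before_fix(tkey_ring *ring, const char *name, time_t now, uint16_t *rcode) {
    (void)now;
    *rcode = 0;
    if (ring_find(ring, name) == NULL)
        return TKEY_PROCEED;
    *rcode = TSIG_BADKEY;
    return TKEY_REJECT;
}

/*
 * The fixed check: no key -> proceed; expired key -> delete it and start
 * fresh; live key -> reject.  BADKEY rather than BADNAME, as the commit
 * says, so the error cannot be used to enumerate key names.
 */
enum tkey_decision
tkey_check_existing(tkey_ring *ring, const char *name, time_t now, uint16_t *rcode) {
    tkey_entry *existing = ring_find(ring, name);
    *rcode = 0;
    if (existing == NULL)
        return TKEY_PROCEED;
    if (existing->expire != 0 && existing->expire <= now) {
        existing->in_use = false;           /* expired: drop and re-negotiate */
        return TKEY_PROCEED;
    }
    *rcode = TSIG_BADKEY;
    return TKEY_REJECT;
}

int main(void) {
    tkey_ring ring;
    uint16_t rcode;
    memset(&ring, 0, sizeof ring);
    ring_add(&ring, "host.example.", 1000);   /* constructed sample key */
    printf("t=500  fixed: %d rcode=%u\n", tkey_check_existing(&ring, "host.example.", 500, &rcode), rcode);
    printf("t=1000 old:   %d rcode=%u\n", tkey_check_before_fix(&ring, "host.example.", 1000, &rcode), rcode);
    printf("t=1000 fixed: %d rcode=%u keys left=%d\n", tkey_check_existing(&ring, "host.example.", 1000, &rcode), rcode, ring_count(&ring));
    return 0;
}
```

At time 500 both versions reject the live key; at time 1000 the old check still rejects, while the fixed check deletes the expired entry and lets the negotiation proceed, which is exactly the "permanently blocked until restart" case the commit removes.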