iterate: update zone cut when NS is authoritative for both parent and child

iterate: update zone cut when NS is authoritative for both parent and child

In some cases the NS is authoritative for both parent and the child side of
the delegation (e.g. nrl.navy.mil). When it gets the query for such NS,
it can respond from the child side with an NS record in the answer and AA=1.
The resolver should update the zone cut accordingly, otherwise it would fail
validation in cases when the child-side of the delegation is insecure,
but parent side  of the delegation is secure, because the child side
would respond without DNSSEC records, and it wouldn't indicate that
the zone cut needs updating (when using minimal answers) (e.g. www.nrl.navy.mil).