When using a cached NSEC record to prove that a delegation is insecure,
we now check that the signer name in the corresponding RRSIG is not
above a known secure delegation point. This prevents a signed namespace
from being downgraded to insecure using an NSEC record from the
grandparent zone.
Closes #5967
Merge branch '5967-nsec-grandparent' into 'main'
See merge request isc-projects/bind9!12257