Ensure responses sourced from mirror zones have the AD bit set

Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit to not be set in responses coming from slave zones, including
mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.

lib/dns/zoneverify.c

@@ -912,6 +912,8 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, const dns_name_t *name,
 			continue;
 		}
 		if (goodsig(vctx, &rdata, name, keyrdataset, rdataset)) {
+			dns_rdataset_settrust(rdataset, dns_trust_secure);
+			dns_rdataset_settrust(&sigrdataset, dns_trust_secure);
 			set_algorithms[sig.algorithm] = 1;
 		}
 	}
@@ -1561,6 +1563,8 @@ check_dnskey_sigs(vctx_t *vctx, const dns_rdata_dnskey_t *dnskey,
 		 * The supplied key is a trust anchor.
 		 */
 		dns_keytable_detachkeynode(vctx->secroots, &keynode);
+		dns_rdataset_settrust(&vctx->keyset, dns_trust_secure);
+		dns_rdataset_settrust(&vctx->keysigs, dns_trust_secure);
 		*goodkey = ISC_TRUE;
 		break;
 	case DNS_R_PARTIALMATCH: