Add kasp nsec3param configuration

Add configuration and documentation on how to enable NSEC3 when
using dnssec-policy for signing your zones.

doc/misc/options

@@ -26,6 +26,8 @@ dnssec-policy <string> {
         keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
             <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
         max-zone-ttl <duration>;
+        nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt
+            <string> ];
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
         parent-registration-delay <duration>; // obsolete