validate nitpick fix: unsupported algo edge case
kr_dnskeys_trusted() semantics is changed, but I do NOT consider that a part of public API.
Go insecure due to algorithm support even if DNSKEY is NODATA. I can't see how that's relevant to practical usage, but I think this new behavior makes more sense. We still do try to fetch the DNSKEY even though we have information about its un-usability beforehand. I'd consider fixing that a premature optimization. We'll still be affected if the DNSKEY query SERVFAILs or something.