
Log whether DNS queries were DNSSEC-validated

Open aarongable opened this issue 5 months ago • 0 comments

When we look up TXT records for dns-01 and dns-account-01 validation, copy the Authenticated Data (AD) bit into the ValidationRecord that we log and store in the database. Similarly, when we look up A/AAAA records for http-01 and tls-alpn-01 validation, copy the AD bit into the ValidationRecord (indirectly via the httpValidationTarget, for http-01). Finally, when we look up CAA records, keep track of the AD bit for each record we find while tree-climbing, and add it to the line we audit-log.

This comes with two caveats:

  1. There are two possible reasons for the AD bit to be false: either the records were not DNSSEC-signed, or the resolver did not validate DNSSEC. We have our recursive resolvers configured to always validate DNSSEC and to fail the query if validation fails, but Boulder itself does not and cannot enforce that behavior.
  2. For CAA records, we're only logging whether the "Relevant RRSet" had the AD bit; this PR ignores the AD status of earlier queries in the CAA tree-climbing algorithm which had no relevant RRSet.

Fixes https://github.com/letsencrypt/boulder/issues/2700

aarongable · Oct 24 '25 23:10
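The two mechanics in the issue, reading the AD bit out of a resolver's response and keeping only the AD status of the relevant RRSet during CAA tree-climbing, shown as an added Go example. This is not Boulder's code: `parseADBit`, `validationRecord`, `recordLookup`, `caaResult` and `climbCAA` are hypothetical names, the wire messages and the CAA zone are constructed inline, and the real Boulder types and lookup code look different. It uses only the standard library so it runs offline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Header flag bits in the 16-bit flags word (RFC 1035 section 4.1.1; AD from
// RFC 4035 section 3.2.3). Layout: QR Opcode(4) AA TC RD | RA Z AD CD RCODE(4).
const (
	flagQR = 1 << 15 // message is a response
	flagRD = 1 << 8  // recursion desired
	flagRA = 1 << 7  // recursion available
	flagAD = 1 << 5  // Authenticated Data: the resolver validated the answer
)

// parseADBit reads the AD bit from the 12-byte header of a wire-format DNS
// response. Note that AD=false is ambiguous, exactly as caveat 1 says: the data
// may be unsigned, or the resolver may simply not validate. Only the resolver
// configuration, not this bit, distinguishes the two.
func parseADBit(msg []byte) (bool, error) {
	if len(msg) < 12 {
		return false, errors.New("message shorter than DNS header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	if flags&flagQR == 0 {
		return false, errors.New("message is a query, not a response")
	}
	return flags&flagAD != 0, nil
}

// validationRecord is a hypothetical stand-in for the record a CA would log
// after a TXT/A/AAAA lookup; AuthenticatedData mirrors the response's AD bit.
type validationRecord struct {
	Hostname          string
	AuthenticatedData bool
}

// recordLookup builds the log record for one validation lookup response.
func recordLookup(hostname string, resp []byte) (validationRecord, error) {
	ad, err := parseADBit(resp)
	if err != nil {
		return validationRecord{}, err
	}
	return validationRecord{Hostname: hostname, AuthenticatedData: ad}, nil
}

// caaResult is what a (hypothetical) CAA lookup returns: the CAA records found
// at a name plus whether that particular response carried the AD bit.
type caaResult struct {
	Records []string
	AD      bool
}

// climbCAA walks from fqdn toward the root and returns the first name with a
// non-empty CAA RRSet (the "relevant RRSet") together with the AD bit of that
// answer only. AD bits of the earlier, empty answers are discarded, which is
// the behaviour caveat 2 describes.
func climbCAA(lookup func(name string) caaResult, fqdn string) (name string, res caaResult, found bool) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := 0; i < len(labels); i++ {
		name = strings.Join(labels[i:], ".")
		res = lookup(name)
		if len(res.Records) > 0 {
			return name, res, true
		}
	}
	return "", caaResult{}, false
}

// sampleResponse builds a constructed, minimal wire-format response: a header
// with the given flags and zero questions/answers, enough to exercise parseADBit.
func sampleResponse(flags uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:2], 0x1234) // arbitrary transaction ID
	binary.BigEndian.PutUint16(msg[2:4], flags)
	return msg
}

func main() {
	// A validated answer (QR|RD|RA|AD) beside an unvalidated one (QR|RD|RA).
	for _, flags := range []uint16{flagQR | flagRD | flagRA | flagAD, flagQR | flagRD | flagRA} {
		rec, err := recordLookup("_acme-challenge.example.com", sampleResponse(flags))
		fmt.Printf("%+v err=%v\n", rec, err)
	}
	// Constructed CAA zone: nothing at the leaf, a signed CAA set at the apex.
	zone := map[string]caaResult{
		"example.com": {Records: []string{`0 issue "letsencrypt.org"`}, AD: true},
	}
	lookup := func(n string) caaResult { return zone[n] }
	name, res, ok := climbCAA(lookup, "www.example.com")
	fmt.Println(name, res, ok)
}
```

The `lookup` callback stands in for whatever resolver client a CA uses; in a real deployment the AD bit is only meaningful when the recursive resolver is known to validate, so the logged value is evidence about the path taken, not proof that the data was signed.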