ncdns
Audit whether the ICANN root key can sign instead of the ncdns "bit." key
It's unclear to me whether Unbound will accept responses from ncdns that are signed with the ICANN root key. If it does accept such responses, then this has the following security implications:
- Anyone who can control the network path between Unbound and ncdns will be able to censor .bit domains. (It's unclear to me whether they can do this selectively for only certain .bit domains.)
- Anyone who can both (a) control the network path between Unbound and ncdns, and (b) sign things with the ICANN root key, will be able to hijack arbitrary .bit domains.
Neither of these is a big deal for the default installation settings that we provide (since the network path to localhost is probably trustworthy), but it becomes a serious problem if someone is running Unbound on a separate device from ncdns (say, an Android phone running Unbound, talking to ncdns on a PC).
If Unbound won't accept such responses, then we should document a procedure for independently auditing this fact. (And it should probably be added to automated CI tests for something.)
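As an added illustration (not part of this issue or of the ncdns project), the following Python models the policy such an audit should check: a name under bit. must validate only through the bit. trust anchor, never through the root anchor alone. It does not query Unbound, the anchors and key tags are constructed values, and whether Unbound actually enforces this rule is exactly what the issue asks to determine.

```python
# Added example: a model of the trust-anchor policy the issue asks to audit.
# It is NOT Unbound's validator; it only states the expected rule so that an
# audit script can compare Unbound's observed result (secure/bogus/insecure)
# against it. Constructed anchors: key tags are made up, not real DNSKEY tags.
ANCHORS = {".": 1001, "bit.": 4242}


def parent_zones(name):
    """Yield the name and every enclosing zone up to the root, e.g.
    'www.example.bit.' -> 'www.example.bit.', 'example.bit.', 'bit.', '.'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def closest_anchor(name, anchors):
    """Return the deepest configured trust anchor enclosing name, i.e. the
    anchor a .bit query is expected to be validated against ('bit.')."""
    for zone in parent_zones(name):
        if zone in anchors:
            return zone
    return None


def chain_terminates_at(chain, anchors):
    """chain: list of (zone, key_tag) from the queried zone upwards, each zone's
    apex DNSKEY vouched for (via DS) by the next entry. Return the first zone
    whose key matches a configured anchor, or None if no anchor is reached."""
    for zone, key_tag in chain:
        if anchors.get(zone) == key_tag:
            return zone
    return None


def audit(name, chain, anchors):
    """'secure' only if the chain ends at the closest enclosing anchor.
    'bogus' if it reaches a shallower anchor (a .bit chain ending at '.'),
    which is the censorship/hijack case described in the issue.
    'insecure' if the chain reaches no configured anchor at all."""
    expected = closest_anchor(name, anchors)
    reached = chain_terminates_at(chain, anchors)
    if reached is None:
        return "insecure"
    return "secure" if reached == expected else "bogus"
```

An audit would feed Unbound the same three chains (via a test zone signed with the ncdns key, one signed only under the root key, and one unsigned) and fail CI if Unbound's verdict differs from this model.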