* Improve collection of RRSIG expiration times
A new record_earliest_rrsig_expiry metric contains the unixtime of the
earliest expiring signature per resolver. This allows for different
alerting configurations when monitoring a mix of authoritative and
caching resolvers.
Use a single DNS query instead of querying for RRSIG separately. While
some resolvers (reasonably enough) return REFUSED when queried for type
RRSIG, they will include relevant RRSIG records when queried for other
types (as required by RFC 4034).
* Document the improved RRSIG expiration handling
While here, also clarify the limitations of the record_days_left metric.
