Fix bogus vs insecure check

[buffrr]

I mentioned this in hsd and hnsd as well. Unbound has two variables in the result secure and bogus.

1. In all cases, if the answer is bogus we should return servfail.
2. If the answer is secure add the Authenticated Data (AD) bit.
3. If the answer is not secure set the Authenticated Data (AD) bit to false.

bogus indicates a security failure which means that the result shouldn't be trusted. This allows us to do authenticated denial of existence.

One thing that's nice to have but not necessary is that if the CD bit is set (checking disabled) in the question we probably shouldn't do anything about this and return the bogus result (but it's not really a big deal since they will get servfail from the validating resolver anyway).