monitor local resolves to check if unbound fails

In #41639 (closed) we have a point about replicating what was being done with the dsa-check-unbound-anchors script. That script is looking up files in the unbound-specific directory to check whether there's garbage old files or invalid keys present in the directory.

We may want to replicate this monitoring rather by verifying the symptom, so by poking around DNS and checking if key anchors are valid for outside users.