Reenable "val-log-level: 2", so that when sites have misconfigured

dnssec the sysadmin has some idea what's going on in logs, and
"aggressive-nsec: yes", if we're using dnssec anyway we might as well
get the benefits. These were both enabled last time dnssec was enabled
in this sample unbound.conf.
ok florian@

src/etc/unbound.conf

@@ -1,4 +1,4 @@
-# $OpenBSD: unbound.conf,v 1.18 2019/11/07 12:49:45 job Exp $
+# $OpenBSD: unbound.conf,v 1.19 2019/11/07 15:46:37 sthen Exp $
 
 server:
 	interface: 127.0.0.1
@@ -22,12 +22,12 @@ server:
 	# Perform DNSSEC validation. Comment out the below option to disable.
 	#
 	auto-trust-anchor-file: "/var/unbound/db/root.key"
-	#val-log-level: 2
+	val-log-level: 2
 
 	# Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
 	# https://tools.ietf.org/html/rfc8198
 	#
-	#aggressive-nsec: yes
+	aggressive-nsec: yes
 
 	# Serve zones authoritatively from Unbound to resolver clients.
 	# Not for external service.