DNSSEC: signature checking, forced signing, merged diff's and DNSSEC's changesets

- Zones are now automatically (re)signed when server starts/reloads
- Signature validity check now calculates the signature as well - this is used to detect changes to RRs themselves
- 'knotc signzone' issues a force signing of zone - all RRSIGs are dropped and recreated
- Some leaks and bugs still present, but the code is commitable now

Refs #4