Support for signing a slave zone
Some procedures for transferring a DNSSEC-signed zone from one operator to another require the receiving operator to temporarily slave the zone to be signed from the other operator. It would be extremely helpful to be able to slave a zone, apply DNSKEYs and sign it, and then act as master towards the rest of the DNS infrastructure.
In the high-level procedure described below, operator B should be running Knot:
- Operator B slaves the zone from Operator A
- NS records are changed, to point to Operator B's infrastructure (wait for TTLs)
- Operator A adds Operator B's public KSK/ZSK to the zone (wait for TTLs)
- Operator B takes over signing the zone, post-publishing Operator A's DNSKEYs
- Operator B switches from slaving to mastering the zone
The above is only possible if Knot is able to sign while in slave mode.
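As an added illustration (not part of the original request or of Knot itself), the following Python models the validator-side invariant that the "wait for TTLs" steps protect: a resolver may hold the previous DNSKEY RRset together with the current RRSIGs, or the reverse, so every such combination must still verify. Key tags are constructed placeholders, and DS handling at the parent is outside the model.

```python
from typing import FrozenSet, List, Tuple

# A zone version: the key tags published in its DNSKEY RRset, and the key tags
# whose private keys produced its RRSIGs. Tags here are constructed placeholders.
ZoneVersion = Tuple[FrozenSet[int], FrozenSet[int]]

def verifiable(dnskeys: FrozenSet[int], signers: FrozenSet[int]) -> bool:
    """Every RRSIG a resolver holds must match a key in the DNSKEY RRset it holds."""
    return signers <= dnskeys

def first_unsafe_step(versions: List[ZoneVersion]) -> int:
    """Return the index of the first step at which some resolver could fail
    validation, or -1 if the whole transition is safe.

    The DNSKEY RRset and the signed data are cached independently, so a resolver
    may combine the current version of one with the previous version of the
    other. Waiting for TTLs between steps limits the mix to adjacent versions,
    which is all this model considers."""
    for i in range(1, len(versions)):
        prev_keys, prev_sigs = versions[i - 1]
        cur_keys, cur_sigs = versions[i]
        if not (verifiable(cur_keys, cur_sigs)
                and verifiable(prev_keys, cur_sigs)
                and verifiable(cur_keys, prev_sigs)):
            return i
    return -1

A, B = 11111, 22222  # constructed key tags for Operator A's and Operator B's keys

# The procedure from the request: pre-publish B's keys, hand over signing while
# post-publishing A's keys, then withdraw A's keys.
PROCEDURE = [
    (frozenset({A}), frozenset({A})),      # start: A publishes and signs
    (frozenset({A, B}), frozenset({A})),   # A adds B's DNSKEYs (wait for TTLs)
    (frozenset({A, B}), frozenset({B})),   # B signs, still publishing A's keys
    (frozenset({B}), frozenset({B})),      # B is master; A's keys withdrawn
]

# Skipping pre-publication: a resolver with A's cached DNSKEY RRset sees RRSIGs
# made by B's key and cannot verify them.
NO_PREPUBLISH = [PROCEDURE[0], PROCEDURE[2], PROCEDURE[3]]

# Dropping A's keys the moment B starts signing: cached RRSIGs made by A's key
# no longer match the published DNSKEY RRset.
NO_POSTPUBLISH = [PROCEDURE[0], PROCEDURE[1], PROCEDURE[3]]

if __name__ == "__main__":
    for name, steps in (("procedure", PROCEDURE), ("no pre-publish", NO_PREPUBLISH),
                        ("no post-publish", NO_POSTPUBLISH)):
        print(f"{name}: first unsafe step = {first_unsafe_step(steps)}")
```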
As an additional implementation note, when signing a slave zone Knot should strip all DNSSEC material from the zone prior to signing. Optionally, Knot might offer a configuration option to replace only expiring signatures and to replace NSEC(3) records only as necessary. This would mean there would be a period during which the zone contained signatures made with both the old and new keys; however, it would reduce the initial load on the server when DNSSEC is enabled for the zone.