
DNSSEC signing after (re)load fixed

Ghost User requested to merge dnssec-reload into master

Rewritten zone signing after (re)load (function zones_do_diff_and_sign()).

Also simplified the operation a lot. First the newly loaded zone is signed and then the diff is generated (signed zone vs. old zone in memory). Thus we do not need to do changeset merging and other such magic. The old code was wrong, as it may have led to a situation when a user makes some changes to DNSSEC records, those are overwritten by signing the zone, but the changeset contains both changes, resulting in a non-consistent zone. Example:

Zone contains: `abc NSEC3 ...` (correct record, zone is properly signed)

User replaces it in the zone file by: `abcd NSEC3 ...` (modified this one record, resulting in zone not properly signed)

After reload, the wrong record is replaced by the correct one, which is identical to the old one. The old code did it this way:

  1. Diff is generated (zone on disk vs. zone in server):
     - REMOVE abc NSEC3
     - ADD abcd NSEC3

  2. Signing is performed, resulting changeset from sign:
     - REMOVE abcd NSEC3
     - ADD abc NSEC3

  3. Changesets are merged (simply by appending second after the first):
     - REMOVE abc NSEC3 (removes good record)
     - REMOVE abcd NSEC3 (does nothing, not present in the zone)
     - ADD abcd NSEC3 (adds wrong record)
     - ADD abc NSEC3 (adds good record)

In the end, the zone contains both the good (abc) and the wrong record (abcd).

This could have been resolved by rewriting the merge function so that the changesets are merged in a semantically right way, but this solution is easier and results in neater code.
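The following is an added example, not code from this merge request or from Knot DNS. It models a zone as the set of owner names that carry an NSEC3 record and a changeset as a REMOVE section followed by an ADD section, and replays the two procedures from the description on the `abc`/`abcd` scenario: the old diff-then-sign-then-append-merge path leaves both records in the zone, while the new sign-then-diff path produces an empty changeset and leaves only the correct record. The signer is a toy (the only correct NSEC3 owner is `abc`), and the type and function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_RRS 8
#define NAME_LEN 16

/* Toy zone: the set of owner names carrying an NSEC3 record.
 * Constructed for this example; not Knot's zone structure. */
typedef struct {
    char owner[MAX_RRS][NAME_LEN];
    int count;
} zone_t;

/* Changeset in the shape the description uses: a REMOVE section,
 * then an ADD section, applied in that order. */
typedef struct {
    char rem[MAX_RRS][NAME_LEN]; int nrem;
    char add[MAX_RRS][NAME_LEN]; int nadd;
} changeset_t;

static int zone_has(const zone_t *z, const char *owner)
{
    for (int i = 0; i < z->count; i++)
        if (strcmp(z->owner[i], owner) == 0) return 1;
    return 0;
}

static void zone_add(zone_t *z, const char *owner)
{
    if (zone_has(z, owner) || z->count >= MAX_RRS) return;
    strncpy(z->owner[z->count], owner, NAME_LEN - 1);
    z->owner[z->count][NAME_LEN - 1] = '\0';
    z->count++;
}

/* Removing an absent record is a no-op, exactly as in step 3 above. */
static void zone_remove(zone_t *z, const char *owner)
{
    for (int i = 0; i < z->count; i++) {
        if (strcmp(z->owner[i], owner) == 0) {
            memmove(z->owner[i], z->owner[z->count - 1], NAME_LEN);
            z->count--;
            return;
        }
    }
}

static void changeset_clear(changeset_t *cs) { cs->nrem = 0; cs->nadd = 0; }

/* Changeset that turns zone `from` into zone `to`. */
static void changeset_diff(const zone_t *from, const zone_t *to, changeset_t *out)
{
    changeset_clear(out);
    for (int i = 0; i < from->count; i++)
        if (!zone_has(to, from->owner[i]))
            strcpy(out->rem[out->nrem++], from->owner[i]);
    for (int i = 0; i < to->count; i++)
        if (!zone_has(from, to->owner[i]))
            strcpy(out->add[out->nadd++], to->owner[i]);
}

static void changeset_apply(zone_t *z, const changeset_t *cs)
{
    for (int i = 0; i < cs->nrem; i++) zone_remove(z, cs->rem[i]);
    for (int i = 0; i < cs->nadd; i++) zone_add(z, cs->add[i]);
}

/* The old merge: second changeset simply appended section by section. */
static void changeset_merge_append(changeset_t *dst, const changeset_t *src)
{
    for (int i = 0; i < src->nrem; i++) strcpy(dst->rem[dst->nrem++], src->rem[i]);
    for (int i = 0; i < src->nadd; i++) strcpy(dst->add[dst->nadd++], src->add[i]);
}

/* Toy signer: regenerates the NSEC3 chain, whose only correct owner is "abc". */
static void sign_zone(const zone_t *in, zone_t *out)
{
    (void)in;
    out->count = 0;
    zone_add(out, "abc");
}

/* Zone currently held by the server: properly signed, one NSEC3 at "abc". */
static void server_zone(zone_t *z) { z->count = 0; zone_add(z, "abc"); }

/* Zone on disk after the user edited the record to "abcd". */
static void disk_zone(zone_t *z) { z->count = 0; zone_add(z, "abcd"); }

/* Old procedure: diff, sign, append-merge, apply. Returns record count. */
static int old_reload(zone_t *server)
{
    zone_t disk, signed_zone;
    changeset_t diff, sign;
    disk_zone(&disk);
    changeset_diff(server, &disk, &diff);          /* REMOVE abc, ADD abcd  */
    sign_zone(&disk, &signed_zone);
    changeset_diff(&disk, &signed_zone, &sign);    /* REMOVE abcd, ADD abc  */
    changeset_merge_append(&diff, &sign);          /* both removes, both adds */
    changeset_apply(server, &diff);
    return server->count;
}

/* New procedure: sign the loaded zone first, then diff against the server. */
static int new_reload(zone_t *server)
{
    zone_t disk, signed_zone;
    changeset_t diff;
    disk_zone(&disk);
    sign_zone(&disk, &signed_zone);
    changeset_diff(server, &signed_zone, &diff);   /* empty changeset */
    changeset_apply(server, &diff);
    return server->count;
}

int main(void)
{
    zone_t z;
    server_zone(&z);
    int n_old = old_reload(&z);
    printf("old: %d record(s), abcd present: %d\n", n_old, zone_has(&z, "abcd"));
    server_zone(&z);
    int n_new = new_reload(&z);
    printf("new: %d record(s), abcd present: %d\n", n_new, zone_has(&z, "abcd"));
    return 0;
}
```

The key point the model makes visible is that the append-merge applies all removes before all adds, so the sign changeset's `REMOVE abcd` runs before the diff changeset's `ADD abcd` ever took effect, and nothing cancels the wrong record. Signing first and diffing once needs no merge at all.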
