The trust anchor and keys are not changed in order not to disrupt packet
validation.

All RRSets in section must be signed properly. (Currently no checking for
non-authoritative RRSets is implemented.)

the resolution driver now correctly fetches keys,
and the zonecut lookup should find closest TA,
then the validation module should have all the
information needed for simple validation

the only flag supported now is the KR_REQ_DNSSEC,
which indicates that the caller wants a secure answer

1. validate module must be between iterate/cache
2. produce: copy OPT with DO=1, ask for DNSKEY if we don’t have it
3. resolve.c: subrequest DNSKEY if asked to do it
4. consume: check DNSKEY and set it, validate RRSIGs against it

another issues:

rrsigcache is copypasta of rrcache, there is one special case with storing RRSIGs which doesn’t deserve it’s own module (if the validation is off, then nothing will get written in there anyway)

since the resolution is asynchronous, layers must only *ask* resolver to do subrequests for them using query flags (like when we encounter an unknown zone cut)