DNSSEC scan check

[rafaeljusto]

RFC 4035, section 2.2 (last paragraph):

There MUST be an RRSIG for each RRset using at least one DNSKEY of
each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
itself MUST be signed by each algorithm appearing in the DS RRset
located at the delegating parent (if any).

Zone must be signed with at least one key of each algorithm that appears in the keyset. We should check the RRSIGs from the keyset and from the SOA record.

[rafaeljusto]

The difficult here is checking the RRSIGs from the SOA record. Two solutions:

1. Store the SOA response from the nameserver's check (will make the code uglier)
2. New query in DS check for the SOA record (one more network IO will make scan slower)

Thinking on a way to make solution 1 without an ugly code.