    use DS-style trust anchor to verify 5011 key refresh query · a8f89e9a
    Evan Hunt authored
    note: this also needs further refactoring.
    
    - when initializing RFC 5011 for a name, we populate the managed-keys
      zone with KEYDATA records derived from the initial-key trust anchors.
    
      however, with initial-ds trust anchors, there is no key. but the
      managed-keys zone still must have a KEYDATA record for the name,
      otherwise zone_refreshkeys() won't refresh that key. so, for
      initial-ds trust anchors, we now add an empty KEYDATA record and set
      the key refresh timer so that the real keys will be looked up as soon
      as possible.
    
    - when a key refresh query is done, we verify it against the
      trust anchor; this is done in two ways, one with the DS RRset
      set up during configuration if present, or with the keys linked
      from each keynode in the list if not.  because there are two different
      verification methods, the loop structure is overly complex and should
      be simplified.
    
    - the keyfetch_done() and sync_keyzone() functions are both too long
      and should be broken into smaller functions.
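The check the commit message describes, matching a freshly fetched DNSKEY RRset against a trust anchor that is either a DS record (the initial-ds case) or a DNSKEY record (the initial-key case), written out as an added example. This is illustrative Python, not BIND's C code; the record types, the helper names and the sample keys below are constructed for the example. The key-tag and DS-digest computations follow RFC 4034 (Appendix B and section 5.1.4), with the owner name in canonical wire form as RFC 4034 section 6.2 requires.

```python
# Added example (not BIND source): matching a fetched DNSKEY RRset against a
# trust anchor held either as a DS record or as a DNSKEY record.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) protocol(1) algorithm(1) key(n)
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag (valid for every algorithm except 1)
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


# DS digest types this example understands (RFC 4034 / RFC 4509 / RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical (lowercase, uncompressed) wire form."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_from_dnskey(name: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS record for a DNSKEY: digest(owner name | DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](canonical_name(name) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def keys_matching_anchor(name: str, rrset: List[DNSKEY],
                         anchor: Union[DS, DNSKEY]) -> List[DNSKEY]:
    """Return the keys in the fetched RRset that the anchor vouches for.

    With a DS anchor, algorithm and key tag are compared first (cheap), and
    the digest is recomputed only for candidates that pass; an unknown digest
    type can never match. With a DNSKEY anchor the RDATA must be identical.
    """
    if isinstance(anchor, DS):
        if anchor.digest_type not in DIGESTS:
            return []
        return [k for k in rrset
                if k.algorithm == anchor.algorithm
                and k.key_tag() == anchor.key_tag
                and ds_from_dnskey(name, k, anchor.digest_type).digest == anchor.digest]
    return [k for k in rrset if k == anchor]


# Constructed sample keys (not real zone keys): flags 257 = ZONE|SEP, alg 8.
EXAMPLE_KEY = DNSKEY(257, 3, 8, bytes([0x03, 0x01, 0x00, 0x01, 0xC0, 0xFF, 0xEE, 0x42]))
OTHER_KEY = DNSKEY(256, 3, 8, bytes([0x03, 0x01, 0x00, 0x01, 0x12, 0x34, 0x56, 0x78]))
ZONE = "."  # the trust point; "." for a root-style anchor


if __name__ == "__main__":
    ds_anchor = ds_from_dnskey(ZONE, EXAMPLE_KEY)
    fetched = [OTHER_KEY, EXAMPLE_KEY]
    print("key tag:", EXAMPLE_KEY.key_tag())
    print("matched via DS anchor:", keys_matching_anchor(ZONE, fetched, ds_anchor))
    print("matched via DNSKEY anchor:", keys_matching_anchor(ZONE, fetched, EXAMPLE_KEY))
```

The key tag is only a pre-filter; two different keys can share a tag, so a DS match is never declared without recomputing the digest over the canonical owner name plus the full DNSKEY RDATA.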