[CVE-2019-6475] mirror zones can be spoofed
The code that matches DNSKEY records to trust anchors in check_dnskey_sigs()
does so incorrectly, which could allow a root zone signed with a different key to be accepted as a valid root mirror zone. This essentially disables DNSSEC as a protection against bogus answers.