OpenDNSSEC TRAC Import / ODSTRACIMPORT-183

Serious issue in zone_fetcher (includes patch)


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.1.1
    • Fix Version/s: None
    • Component/s: Signer

      Description

      Guys, I have found a serious bug in the zone_fetcher. The result of this bug is that if an AXFR fails half-way through, the zone_fetcher assumes that the transfer was successful. The result of this is that the signer receives a partial zone as input which it will sign diligently and will be served out.

      The end result is that mangled zones end up on the Internet which is very bad indeed. The patch included with this ticket fixes two issues:

      • It checks after the AXFR ends whether the AXFR was complete (i.e. whether the SOA record was seen twice as per the RFC); it uses the LDNS function ldns_axfr_complete for this.
      • The code is changed so the ldns_resolver structure used by the zone_fetcher is not re-used. I've talked to Wouter from NLnet Labs and he is of the opinion that it was never designed to be used for multiple AXFRs. The fact that the zone_fetcher starts acting erroneously seems to suggest that this is indeed the case. I now create and clean up an ldns_resolver structure for each separate AXFR; this vastly improves the stability of the zone fetcher.

      I highly recommend that we plan a new release ASAP that includes this fix as we got into serious trouble because of this bug. It is most likely to occur for larger zones such as our main domain surfnet.nl. Let's just say that it's not good if all records that start with the letters s-z are not served out...
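The completeness check the ticket describes, written out as an added example over a toy record type; this is not the ticket's patch and not ldns code. The `rr_t` type, `axfr_is_complete`, `axfr_should_commit` and the sample transfers are constructed for illustration, standing in for what `ldns_axfr_complete` does over real `ldns_rr` objects. A full transfer starts and ends with the zone's SOA record, so a transfer whose last record is not that SOA was cut short and must not be handed to the signer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a DNS resource record; not the ldns_rr type. */
typedef enum { RR_A = 1, RR_NS = 2, RR_SOA = 6 } rr_type_t;

typedef struct {
    const char *owner;      /* owner name, e.g. "example.nl." */
    rr_type_t   type;
    uint32_t    soa_serial; /* only meaningful when type == RR_SOA */
} rr_t;

/*
 * A full zone transfer is framed by the zone's SOA record: it is the first
 * record sent and, after every other record, it is repeated as the last one.
 * If the TCP session drops half-way, the stream simply stops without that
 * closing SOA, which is what lets the receiver tell a truncated transfer
 * from a complete one. Returns 1 when the stream is complete, 0 otherwise.
 */
int axfr_is_complete(const rr_t *rrs, size_t n)
{
    if (n < 2)
        return 0;                                   /* need an opening and a closing SOA */
    const rr_t *first = &rrs[0];
    const rr_t *last  = &rrs[n - 1];
    if (first->type != RR_SOA || last->type != RR_SOA)
        return 0;
    if (strcmp(first->owner, last->owner) != 0)     /* both must be the zone apex */
        return 0;
    if (first->soa_serial != last->soa_serial)      /* same version of the zone */
        return 0;
    for (size_t i = 1; i + 1 < n; i++)              /* no SOA may appear in between */
        if (rrs[i].type == RR_SOA)
            return 0;
    return 1;
}

/*
 * Gate a fetcher should apply before handing data to the signer: only a
 * complete transfer whose serial is not older than the copy already on disk
 * is accepted. On failure the previously signed zone stays in place instead
 * of a partial zone being signed and served.
 */
int axfr_should_commit(const rr_t *rrs, size_t n, uint32_t current_serial)
{
    if (!axfr_is_complete(rrs, n))
        return 0;
    return rrs[0].soa_serial >= current_serial;
}

/* Constructed sample transfer: complete, framed by the SOA on both ends. */
static const rr_t complete_xfr[] = {
    { "example.nl.",   RR_SOA, 2011010102 },
    { "example.nl.",   RR_NS,  0 },
    { "a.example.nl.", RR_A,   0 },
    { "s.example.nl.", RR_A,   0 },
    { "z.example.nl.", RR_A,   0 },
    { "example.nl.",   RR_SOA, 2011010102 },
};

/* Same zone, but the connection dropped after the third record. */
static const rr_t truncated_xfr[] = {
    { "example.nl.",   RR_SOA, 2011010102 },
    { "example.nl.",   RR_NS,  0 },
    { "a.example.nl.", RR_A,   0 },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("complete transfer accepted:  %d\n",
           axfr_is_complete(complete_xfr, COUNT(complete_xfr)));
    printf("truncated transfer accepted: %d\n",
           axfr_is_complete(truncated_xfr, COUNT(truncated_xfr)));
    printf("commit truncated over serial 2011010101: %d\n",
           axfr_should_commit(truncated_xfr, COUNT(truncated_xfr), 2011010101));
    return 0;
}
```

The second fix in the ticket, using a fresh `ldns_resolver` for each transfer rather than reusing one, is a lifecycle change in the fetcher and is not modelled by this toy; the check above is the part that stops a half-received zone from being signed.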


People

Assignee: Rickard Bellgrim (rickard)
Reporter: Roland van Rijswijk (rijswijk)
Votes: 0
Watchers: 0
