DNSSEC bis merge from HEAD:

1581.  [func]          Disable DNSSEC support by default.  To enable
                       DNSSEC specify "enable-dnssec yes;" in named.conf.

1565.  [bug]           CD flag should be copied to outgoing queries unless
                       the query is under a secure entry point in which case
                       CD should be set.

1558.  [func]          New DNSSEC 'disable-algorithms'.  Support entry into
                       child zones for which we don't have a supported
                       algorithm.  Such child zones are treated as unsigned.

1557.  [func]          Implement missing DNSSEC tests for
                       * NOQNAME proof with wildcard answers.
                       * NOWILDARD proof with NXDOMAIN.
                       Cache and return NOQNAME with wildcard answers.

1541.  [func]          NSEC now uses new bitmap format.

1519.  [bug]           dnssec-signzone:nsec_setbit() computed the wrong
                       length of the new bitmap.

1516.  [func]          Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.

bin/tests/master/master6.data

@@ -7,7 +7,7 @@ $TTL 1000
 				604800		;expiration
 				3600 )		;minimum
 
-secure1	3600 IN	 KEY (
+secure1	3600 IN	 DNSKEY (
 		FLAG2|FLAG4|FLAG5|NTYP3|FLAG8|FLAG9|FLAG10|FLAG11|SIG15
 		3 3
 		ArT0a8FtOZWEONG2YQVl9+RA34op30JPz4NPEroCxm2yImT2
@@ -19,7 +19,7 @@ secure1	3600 IN	 KEY (
 		/7YMt8VUkA8/8UCszBBT7XAJ3OFjiMO8mvxrZZFzvwJlPBQ1
 		oFq/TNZlSe+N )
 
-secure2	3600 in	 key (
+secure2	3600 in	 DNSKEY (
 		flag2|flag4|flag5|ntyp3|flag8|flag9|flag10|flag11|sig15
 		3 3
 		ArT0a8FtOZWEONG2YQVl9+RA34op30JPz4NPEroCxm2yImT2