[BUG] the DNS server crashes when it receives a fake certificate with the wrong size
[FIX] in sk_query_verify(), check the size of the received message

[BUG] a resolver has already started resolving a name and is about to send a query to the next name server in the chain, but the certificate for that name server has just expired while the RR for that name server is still valid. Basically, the TTL for the certificate is shorter than the TTL for the RR of the name server, and when the resolving process started, the resolver did not know that the certificate for one of the name servers in the chain would expire in the middle of the resolving process. In this case the resolver tries to send a root certificate request to that name server, even if it is not a root name server. This happens because at that point in the resolving process the resolver does not have the IP address of the next name server in the chain.
[FIX] when the resolver finds an expired certificate in the middle of the resolving process, it deletes the expired certificate and re-initiates the query from the root, refreshing all the certificates for the name servers along the chain.
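
The restart-from-root behaviour described in the second fix, as an added sketch that is not the project's code. The `ns_entry` layout, `CERT_TTL`, `HOP_COST`, `refresh_cert()` and `resolve()` are assumptions made for illustration, and the chain in `main()` is constructed sample data.

```c
#include <stdio.h>

/* Constructed model, not the project's data structures: one cache entry per
 * name server in the delegation chain, index 0 being the root. */
struct ns_entry {
    const char *name;
    long rr_expiry;    /* when the cached RR for this server expires */
    long cert_expiry;  /* when its cached certificate expires; 0 = none cached */
};

#define CERT_TTL 30    /* assumed certificate lifetime, shorter than the RR TTL */
#define HOP_COST 10    /* assumed time used by one query/response round trip */

/* Stand-in for obtaining a fresh certificate while re-walking the chain. */
static void refresh_cert(struct ns_entry *ns, long now) { ns->cert_expiry = now + CERT_TTL; }

/* Walk the chain from the root. Returns the number of restarts, or -1 on error. */
int resolve(struct ns_entry *chain, int n, long *now)
{
    int restarts = 0, refreshing = 0;
    for (int i = 0; i < n; i++) {
        struct ns_entry *ns = &chain[i];
        if (refreshing)
            refresh_cert(ns, *now);
        if (ns->rr_expiry <= *now)
            return -1;         /* RR itself expired: ordinary cache miss, not modelled */
        if (ns->cert_expiry <= *now) {
            /* Certificate expired mid-resolution while the RR is still valid.
             * Delete it and start over from the root instead of sending this
             * server a root certificate request. */
            ns->cert_expiry = 0;
            restarts++;
            refreshing = 1;
            i = -1;            /* loop increment moves back to the root */
            continue;
        }
        *now += HOP_COST;      /* query this server, receive the referral */
    }
    return restarts;
}

int main(void)
{
    struct ns_entry chain[] = { {"root", 1000, 100}, {"tld", 1000, 5}, {"auth", 1000, 100} };
    long now = 0;
    int restarts = resolve(chain, 3, &now);
    printf("restarts=%d finished at t=%ld\n", restarts, now);
    return 0;
}
```

Once a restart has happened, every certificate along the chain is refreshed before use, so the walk cannot loop on the same expiry.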