Fixes #100.
The file with the addresses is in the repo, so people don't have to
regenerate it, but the build system is able to do it.

The implementation is now similar to set-associative caches
that x86 CPU use.  Also the API is changed a bit, leading to
slight simplification of our use patterns.

Fixes https://gitlab.labs.nic.cz/knot/resolver/issues/93.
API of a KR_EXPORT function is changed, so ABIVER is bumped.

this change introduces new API for cache backends,
that is a subset of knot_db_api_t from libknot
with several cache-specific operations

major changes are:
* merged 'cachectl' module into 'cache' as it is
  99% default-on and it simplifies things
* not transaction oriented, transactions may be
  reused and cached for higher performance
* scatter/gather API, this is important for
  latency and performance of non-local backends
  like Redis
* faster and reliable cache clearing
* cache-specific operations (prefix scan, ...) in
  the API not hacked in
* simpler code for both backends and caller

* daemon now processes messages over TCP stream
out-of-order and concurrently
* support for TCP_DEFER_ACCEPT
* support for TCP Fast-Open
* there are now deadlines for TCP for idle/slow
streams (to prevent slowloris; pruning)
* there is now per-request limit on timeouts
(each request is allowed 4 timeouts before bailing)
* faster request closing, unified retry/timeout timers
* rare race condition in timer closing fixed

this is not going to be backwards compatible change, but it will be the first tagged libknot release sufficient for resolver

* PIE,RELRO+NOW and other security features enabled
* support for both static/dynamic builds with BUILDMODE
* dynamic library is ABI-versioned, starting at 1
* pkg-config file is installed

rdata may be <=64k + 8B on stack which may be source of various mystery
errors later, for example in bindings or stackspace-constricted env

when a delegation is provably insecure, it is flagged as INSECURE in
cache (this is different from "unchecked"), when the next query finds
the same zone cut, this information is retrieved and if it was proved to
be insecure before, this status is reused

this prevents refetching of NS/DNSKEY in some situations

this fixes a bug when NS drops out of cache, but it's TA not,
so i.e. we end up with TA 'cz' and NS in '.', but we need the root TA

reason: a root gives consistently unpredictable performance, which
we cannot take into consideration for the first start. j,k roots
moved to the front as they're everywhere and less loaded than a
swamped with requests from legacy tools

effectively enables/disables usage of given IP protocol
for subrequests (the server can still listen on these)

before the algorithm was happy with root hints for all queries starting
at root, however they're often overloaded and result in timeouts
the updated code provides SBELT only for root NS query lookup and tries
to use cached information as much as possible

previously it was always overwritten with SBELT for root + root TA
doesn't have to be in cache (it's in trust store)

each subrequest can now enter and leave islands of trust
independently. this fixes a case when a zone is in an
island of trust, but one of its NS isn’t (different zone for example)

zonecut should be able to hold these for testing reasons (like private
root or zone cut), but it should filter out data from the internet
a new flag: QUERY_ALLOW_LOCAL allows for being more permissive, and
letting name server query local or private address ranges

The trust anchor and keys are not changed in order not to disrupt packet
validation.