thanks @darix!
fixes #21,#22

* PIE,RELRO+NOW and other security features enabled
* support for both static/dynamic builds with BUILDMODE
* dynamic library is ABI-versioned, starting at 1
* pkg-config file is installed

this is needed to make sure it always compiles with PIC

rdata may be <=64k + 8B on stack which may be source of various mystery
errors later, for example in bindings or stackspace-constricted env

this allows to override any dstdir variable without
patching config.mk

worker can track outbound requests and if N resolutions want the same
subrequest, only one will lead it and others will be notified when it
finishes

this massively reduces number of outbound requests for
slow/unresponsive/low ttl requests

any answer that is considered as malformed/servfail/otherwise bad
penalizes the NS for the next time like timeout, this doesn't apply for
DNSSEC validation failures as it still may be okay for insecure
resolution. EDNS failures are okay because the server is requeried in
the most simple RFC1035 mode before flagging it as failed

this avoids instant requeries for SERVFAILing resolutions

when a delegation is provably insecure, it is flagged as INSECURE in
cache (this is different from "unchecked"), when the next query finds
the same zone cut, this information is retrieved and if it was proved to
be insecure before, this status is reused

this prevents refetching of NS/DNSKEY in some situations

notably key id doesn’t have to be recalculated every time, cheaper checks should come first, name equality check is cheaper as well 

skipping over last/root label returns a pointer to a memory after domain name, this is unsafe

this also fails if the timeout timer cannot be started,
as it would wait for undefined time otherwise

amalgamated build concatenates all files into a single .c file to
allow compiler see all symbols and produce possibly smaller code.
for binary distributions this is what you want, as it's faster but
may consume more memory during compilation.
it however cannot do incremental builds.

if the NSLIST already has a candidate with addresses, never replace
current leader with an empty one. otherwise if the former leader address
was tried and failed, new empty leader would be blamed for this and
penalized

refs #33

refs #33

this fixes a bug when NS drops out of cache, but it's TA not,
so i.e. we end up with TA 'cz' and NS in '.', but we need the root TA

bad control flow, the zone cut should be checked for root, as the second
condition checks if SNAME is at/below cut so the outcome is the same for
root query

refs #43