- Dec 10, 2015
-
-
Marek Vavruša authored
* PIE, RELRO+NOW and other security features enabled
* support for both static/dynamic builds with BUILDMODE
* dynamic library is ABI-versioned, starting at 1
* pkg-config file is installed
-
- Dec 09, 2015
-
-
Marek Vavruša authored
rdata may be <=64k + 8B on stack, which may be a source of various mystery errors later, for example in bindings or stackspace-constricted env
-
- Dec 03, 2015
-
-
Marek Vavruša authored
when a delegation is provably insecure, it is flagged as INSECURE in cache (this is different from "unchecked"). when the next query finds the same zone cut, this information is retrieved, and if it was proved to be insecure before, this status is reused.
this prevents refetching of NS/DNSKEY in some situations
-
- Nov 18, 2015
-
-
Marek Vavruša authored
this fixes a bug when NS drops out of cache, but its TA does not, so i.e. we end up with TA 'cz' and NS in '.', but we need the root TA
-
Marek Vavruša authored
-
- Oct 23, 2015
-
-
Marek Vavruša authored
reason: a root gives consistently unpredictable performance, which we cannot take into consideration for the first start. j, k roots moved to the front as they're everywhere and less loaded than a, which is swamped with requests from legacy tools
-
- Oct 10, 2015
-
-
Marek Vavruša authored
-
- Oct 07, 2015
-
-
Marek Vavruša authored
effectively enables/disables usage of given IP protocol for subrequests (the server can still listen on these)
-
Marek Vavruša authored
-
- Oct 06, 2015
-
-
Marek Vavruša authored
-
- Oct 03, 2015
-
-
Marek Vavruša authored
-
- Oct 02, 2015
-
-
Marek Vavruša authored
before, the algorithm was happy with root hints for all queries starting at root; however, they're often overloaded and result in timeouts.
the updated code provides SBELT only for root NS query lookup and tries to use cached information as much as possible
-
- Oct 01, 2015
-
-
Marek Vavruša authored
previously it was always overwritten with SBELT for root + root TA doesn't have to be in cache (it's in trust store)
-
- Sep 30, 2015
-
-
Marek Vavruša authored
-
- Sep 22, 2015
-
-
Marek Vavruša authored
-
- Sep 21, 2015
-
-
Marek Vavruša authored
-
- Sep 19, 2015
-
-
Marek Vavruša authored
each subrequest can now enter and leave islands of trust independently. this fixes a case when a zone is in an island of trust, but one of its NS isn’t (different zone for example)
-
- Aug 19, 2015
-
-
Karel Slaný authored
-
- Aug 13, 2015
-
-
Marek Vavruša authored
-
- Aug 04, 2015
-
-
Marek Vavruša authored
zonecut should be able to hold these for testing reasons (like private root or zone cut), but it should filter out data from the internet.
a new flag: QUERY_ALLOW_LOCAL allows for being more permissive, and letting name server query local or private address ranges
-
Karel Slaný authored
-
- Jul 30, 2015
-
-
Karel Slaný authored
-
Grigorii Demidov authored
-
- Jul 28, 2015
-
-
Karel Slaný authored
-
- Jul 24, 2015
-
-
Karel Slaný authored
-
- Jul 23, 2015
-
-
Karel Slaný authored
-
- Jul 22, 2015
-
-
Karel Slaný authored
The trust anchor and keys are not changed in order not to disrupt packet validation.
-
Karel Slaný authored
-
- Jul 21, 2015
-
-
Marek Vavruša authored
-
- Jul 14, 2015
-
-
Karel Slaný authored
-
Karel Slaný authored
-
- Jul 13, 2015
-
-
Karel Slaný authored
-
- Jul 10, 2015
-
-
Marek Vavruša authored
the resolution driver now correctly fetches keys, and the zonecut lookup should find closest TA, then the validation module should have all the information needed for simple validation
-
- Jul 09, 2015
-
-
Karel Slaný authored
-
- Jul 08, 2015
-
-
Marek Vavruša authored
-
- Jun 30, 2015
-
-
Marek Vavruša authored
1. validate module must be between iterate/cache
2. produce: copy OPT with DO=1, ask for DNSKEY if we don’t have it
3. resolve.c: subrequest DNSKEY if asked to do it
4. consume: check DNSKEY and set it, validate RRSIGs against it

other issues:
rrsigcache is copypasta of rrcache, there is one special case with storing RRSIGs which doesn’t deserve its own module (if the validation is off, then nothing will get written in there anyway)
since the resolution is asynchronous, layers must only *ask* resolver to do subrequests for them using query flags (like when we encounter an unknown zone cut)
-
- Jun 29, 2015
-
-
Marek Vavruša authored
-
- Jun 23, 2015
-
-
Marek Vavruša authored
-
Marek Vavruša authored
-
- Jun 13, 2015
-
-
Marek Vavruša authored
before, root hints were hardcoded to the resolver; now they are present in the form of a cut in the resolution context, and the modules can add/remove/replace them on the fly
-