- Sep 21, 2015
-
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
preparations for TA rotation and management in config:
`trust_anchors.file = 'root.key'`
`trust_anchors.auto = true` // NOTIMPL
`trust_anchors.add('. IN DS …')` // Manual addition
-
- Sep 19, 2015
-
-
Marek Vavruša authored
-
Marek Vavruša authored
as per rfc4035 all secured referrals must have either DS or proof of non-existence. there is one use case where the resolver doesn’t learn a DS this way, when a single server hosts both parent and child zone. in this case, DS must be requested separately
-
Marek Vavruša authored
also answers for which minimisation failed or truncated are fixed, for such answers iterator sets state to ‘consume’ to indicate the answer wasn’t processed
-
Marek Vavruša authored
if the final query isn’t satisfied with DNSSEC on, then the answer counts as insecure
-
Marek Vavruša authored
subrequests may be insecure (e.g. out of bailiwick insecure NS), but the final answer may be secured
the commit also fixes caching in this case
-
Marek Vavruša authored
each subrequest can now enter and leave islands of trust independently. this fixes a case when a zone is in an island of trust, but one of its NS isn’t (different zone for example)
-
- Sep 18, 2015
-
-
Marek Vavruša authored
-
Marek Vavruša authored
the SIP on OSX 10.11 disables library injection on system binaries (python is considered as it)
make needs to call python binary directly to allow brewed python to be used
-
Karel Slaný authored
-
Karel Slaný authored
-
- Sep 17, 2015
-
-
Karel Slaný authored
-
Karel Slaný authored
-
Marek Vavruša authored
`kresd -a 127.0.0.1 -a ::1` binds to both addresses
-
Karel Slaný authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
the reason is that it's not actively used since we moved to binary testing, and it depends on libknot internal api that has changed
also removed several unused libknot internal headers
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
previously, only root TA was considered
-
- Sep 16, 2015
-
-
Karel Slaný authored
-
Karel Slaný authored
Function determining whether a NSEC3 record covers a name was wrong. The case when the owner and next hashed name was wrapping over zero was wrongly interpreted.
-
- Sep 15, 2015
-
-
Karel Slaný authored
-
Karel Slaný authored
-
Karel Slaný authored
The test is failing because of address mangling performed by test environment.
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
previously, debug messages were optional with -DWITH_DEBUG
now the debug messages are built in (unless compiled with -DNDEBUG), but disabled by default
verbose output can be enabled by '-v' or '--verbose' CLI option or interactively by 'verbose(true|false)' (or in config)
-
- Sep 14, 2015
-
-
Karel Slaný authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
- Sep 10, 2015
-
-
Karel Slaný authored
Query for A or AAAA cannot be currently validated because the test server mangles all A and AAAA records.
-
- Sep 09, 2015
-
-
Karel Slaný authored
-
Karel Slaný authored
Also fixed TIME_PASSES ELAPSE which ignored the overridden time.
-
- Sep 07, 2015
-
-
Karel Slaný authored
-
- Aug 21, 2015
-
-
Karel Slaný authored
-