preparations for TA rotation and management
in config:
trust_anchors.file = ‘root.key’
trust_anchors.auto = true // NOTIMPL
trust_anchors.add(‘. IN DS …’) // Manual addition

as per rfc4035 all secured referrals must have either DS or proof
of non-existence. there is one use case where the resolver doesn’t
learn a DS this way, when a single server hosts both parent and
child zone. in this case, DS must be requested separetely

also answers for which minimisation failed or truncated
are fixed, for such answers iterator sets state to ‘consume’
to indicate the answer wasn’t processed

subrequests may be insecure (e.g. out of bailiwick insecure NS),
but the final answer may be secured
the commit also fixes caching in this case

previously, only root TA was considered

Function determining whether a NSEC3 record covers a name was wrong. The
case when the owner and next hashed name was wrapping over zero was
wrongly interpreted.

previously, debug messages were optional with -DWITH_DEBUG
now the debug messages are built in (unless compiled with -DNDEBUG), but
disabled by default

verbose output can be enabled by '-v' or '--verbose' CLI option
or interactively by 'verbose(true|false)' (or in config)

The hard-wired root trust anchor was removed.

zonecut should be able to hold these for testing reasons (like private
root or zone cut), but it should filter out data from the internet
a new flag: QUERY_ALLOW_LOCAL allows for being more permissive, and
letting name server query local or private address ranges

this is a small step for me, but a huge step for resolver

this provides a useful callback for per-request operations that can’t wait until the query is completed (e.g. blocking or logging started queries)

The trust anchor and keys are not changed in order not to disrupt packet
validation.

All RRSets in section must be signed properly. (Currently no checking for
non-authoritative RRSets is implemented.)