this fixes an issue when nameserver responds with AA=0 and authority
of a CNAME target (which is in current bailiwick)

DNS 0x20 https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
is a way to add more randomness into queries to make spoofing tougher
this implementation provides up to 32 bits of randomness to QNAME,
which is more than enough for most names (it is possible to add a
maximum of 1 bit of entropy per alphanumeric character, so it's not very
efficient with shorter names)

fixes #27

previously the NS address list was wiped out, this prevents them from being added in the first place

some servers break qname m12n by sending REFUSED, this accepts such answer and requeries with m12n turned off 

if an authoritative answer comes and the server responds correctly, but appends out-of-bailiwick NS records, ignore them but resolve the query

since the next CNAME target query was added on top, it replaced
the original ‘current query’, this caused recaching of an answer
if it came from cache (as the query flags have changed)

This reverts commit 3d1ee641.

This reverts commit ee2cce4d.

previously only queried names were resolved from cache, this meant that if the target name was present in cache but a server on the search path dropped from it, it would refetch it - this is a problem when a loadbalancer with very short TTL was in search path

the resolution has to start from the root for zonecut resolution, otherwise it might stall resolution if the only good NS drops out of cache and only the bad remain

module api can now store userdata, e.g. owner

previously producers in overlay could only generate query or
update the final answer - this required exported callbacks
from iterate.c and specific processing. this wouldn’t work
for negative cache, as it would be required to reimplement
whole iterate layer for cached data

the new workflow allows produce layers to generate answer
instead, this answer is then consumed in the next step
by the iterate module in unified fashion for all caches/generators

this fixes stripped DNSSEC records in final answer

the server responds with edns0 if the client requests it,
it also uses DNSSEC for queries if DO=1

the obtained records are not however validated

if the server doesn’t understand edns0, replies with
notimpl, formerr or sends bad badly formed response,
we try basic dns query (ns0.rbsov.bbc.co.uk)

previously cryptolib random function was used to generate message id,
this works well but it is slow especially when the entropy is low,
replaced with cryptographically safe prng ISAAC

the ccan directory is going to be used in the future, as it's include
structure makes it easy to embed C snippets instead of reimplementing
them

the encloser might exist and contain valid data, the resolver would return wrong records in this case

instead of keeping just random NS and address,
it keeps a map of nameservers => {addresslist}

this allows scoring and correct NS election, fallback
and evaluation