example:
$ kdig @a.root-servers.net +short +tcp DNSKEY . > root.key
$ kresd -k root.key

before the cache was disabled by default, but this has led to many user
errors (mine as well). this enables it by default (which is what most
people want anyway)

if the client doesn't support DNSSEC, scrub these from the answer
and do not set the AD bit

until RFC2181 credibility is implemented in cache, this behavior breaks
DNSSEC as the parent-side comes first to the cache
disabled this behavior until implemented properly

example:

worker.resolve('cz', kres.type.NS, kres.class.IN, 0,
function (pkt)
	local answer = kres.pkt_t(pkt)
	print (answer:rcode())
end)

RRSets are merged by using stash_add().

this allows the classic workflow, kdig for root DNSKEY
records to a key file and let it start

this fixes a case when a DNSKEY is either accepted from cache or offered
in advance

a cache is consulted before we even know a zone cut for the query, thus
the DNSKEY can't be validated. as a policy, everything should be
validated before it's accepted into cache, then it's trusted and
shouldn't be rechecked

with DNSSEC, such query needs to be revalidated as the TA/key is missing
for the new zone cut, which would lead to duplicated answers

in the future there may be an api to defer query processing, but for now
it can't be done

in this case the NS is an authority for both parent and child, so the NS
set stays the same and only the cut name changes

this fixes problems with servers authoritative both for
parent and child zone and vice versa
as the DS is authoritative parent-side, a full subrequest
is launched. this breaks some tests that don’t have
a full referral path

todo bugs:
- non-existence proof with only SOA and no NS is not
correctly resolved
- revalidation in some cases causes record duplication
- NS queries with DO=1 answered from cache are not correctly resolved, as the TA is not set at this time

config:
trust_anchors.negative = { ‘bad.cz’, ‘here.com’ }

all names below these NTA will not be validated
(unless there is an island of trust below these anchors)