as per rfc4035 all secured referrals must have either DS or proof
of non-existence. there is one use case where the resolver doesn’t
learn a DS this way, when a single server hosts both parent and
child zone. in this case, DS must be requested separetely

also answers for which minimisation failed or truncated
are fixed, for such answers iterator sets state to ‘consume’
to indicate the answer wasn’t processed

if the final query isn’t satisfied with DNSSEC on,
then the answer counts as insecure

subrequests may be insecure (e.g. out of bailiwick insecure NS),
but the final answer may be secured
the commit also fixes caching in this case

each subrequest can now enter and leave islands of trust
independently. this fixes a case when a zone is in an
island of trust, but one of its NS isn’t (different zone for example)

the reason is that it's not actively used since we moved to binary
testing, and it depends on libknot internal api that has changed
also removed several unused libknot internal headers

previously, only root TA was considered

Function determining whether a NSEC3 record covers a name was wrong. The
case when the owner and next hashed name was wrapping over zero was
wrongly interpreted.

previously, debug messages were optional with -DWITH_DEBUG
now the debug messages are built in (unless compiled with -DNDEBUG), but
disabled by default

verbose output can be enabled by '-v' or '--verbose' CLI option
or interactively by 'verbose(true|false)' (or in config)

The hard-wired root trust anchor was removed.

Original TTL has not been set.

module can identify clients based on their source address or used TSIG
key

the requestor can provide information identifying the query originator
here (address and TSIG key), both fields are optional
update Lua FFI bindings