forks are connected with IPC pipes to process
group leader and can execute expressions on its
behalf. so running commands over all workers
is easy now:

> hostname() -- single
localhost

> map 'hostname()' -- all
localhost
localhost
localhost

* in the begin() layer, the incoming query is
  exposed as req->qsource.packet, it is invalidated
  after begin() and should not be modified
* the destination address (local interface) is
  also tracked for filtering purposes

now including <1ms, <50ms, <250ms, <500ms, <1.5s

during the consume step, the information about
upstream authoritative (address and current rtt)
is exposed in the request structure, just like
information about current query

fixed incorrect tagging in rrmap where secure rank would overflow

found by @gdemidov

* SOA MINTTL always preferred for negative answers
* only SOA used for negative answers

refs #75

this is required to avoid REFUSED loops if the origin doesn't handle
minimisation well

previously, if no subnet was given (127.0.0.0),
it was treated as 127.0.0.0/0. now it is treated
as full address length, e.g. 127.0.0.0/32

when opening an empty database, an invalidated key
value was written resulting in possible corruption
of the cache

this change introduces new API for cache backends,
that is a subset of knot_db_api_t from libknot
with several cache-specific operations

major changes are:
* merged 'cachectl' module into 'cache' as it is
  99% default-on and it simplifies things
* not transaction oriented, transactions may be
  reused and cached for higher performance
* scatter/gather API, this is important for
  latency and performance of non-local backends
  like Redis
* faster and reliable cache clearing
* cache-specific operations (prefix scan, ...) in
  the API not hacked in
* simpler code for both backends and caller

by default, build system attempts to use LMDB
from the system. however if it's not found or
the version is too old, it uses the built-in
snapshot in contrib

* simplified soft-fail per-ns limit to per-query
  limit, each query gets 4 tries at resolving
* instead of locking at single servfailing NS,
  penalise it and run reelection, this may or
  may not try other servers but avoids pathologic
  case when single NS is servfailing while others
  are good but never probed
* added new nsrep update mode (addition)

this code used memory pool of source packet instead
of the answer, this could result in invalidated
memory read if the memory occupied by source
packet was rewritten

* daemon now processes messages over TCP stream
out-of-order and concurrently
* support for TCP_DEFER_ACCEPT
* support for TCP Fast-Open
* there are now deadlines for TCP for idle/slow
streams (to prevent slowloris; pruning)
* there is now per-request limit on timeouts
(each request is allowed 4 timeouts before bailing)
* faster request closing, unified retry/timeout timers
* rare race condition in timer closing fixed

the daemon has now three modes of strictness
checking from strict to permissive.
it reflects the tradeoff between resolving the
query in as few steps as possible and security
for insecure zones

an internal timer walks RTT timer periodically and
clears entries with bad results every 5 minutes.
this means that a timeouted entry penalty is 
capped to that interval, making sure that the
bad reputation doesn't last forever

This reverts commit f9ffeca9.

in permissive mode, resolver is free to use
(but not cache) non-mandatory glue records even
if they're not resolvable. this is great as a 
workaround for broken child-side zones, but
not great for security of, well, insecure
delegations. it's off by default.