refs #16

this is Unbound's 'forward-zone' on steroids

the library is able to resolve query in stub mode (no referral chasing,
zone cut lookup) if asked to
validator turns off for stub queries, validating stub is NYI

thanks to Pieter Lexis and Peter van Dijk from PowerDNS for discovering this.

the RFC4035 M < S < N stands if the S isn’t after the last name in the zone, this is indicated by M > N, proving that the next of the last name is the first name; if the S is after M, then it proves it’s non-existence

thanks to Pieter Lexis and Peter van Dijk from PowerDNS for discovering this!

resolved() returns true if current query is resolved (i.e. authoritative)
final() returns true if current query is resolved and is not a subrequest (has no parent)

as the libknot packet interface disallows out-of-order packet
writes, authority and additional records must be written after
the answer is complete; records in the rr arrays will be written to final answer during finalization

this yields much better contrast in this situation, where
one country overshadows the rest on a linear scale

when resolver finds a zone cut from cache, it checks whether there is an empty non-terminal between target QNAME and cached zone cut.
this is indicated by presence of NODATA/NXDOMAIN in packet cache.
if it finds one, it turns off qname minimisation and continues,
this saves one query for empty non-term zones like ‘co.jp’

caveat: only direct child of the cut can be considered (e.g. ‘co.jp’ for ‘jp’), otherwise we would leak information to parent if the zone cut fell out of cache and NODATA existed

for pktcache same or better rank is required (because it’s a direct answer)
for rrcache better rank is required (unless doing write-through)

for both cases, no cache rank check is needed when inserting secure data

security note: this mitigates possible non-auth NS hijacking

reason: a root gives consistently unpredictable performance, which
we cannot take into consideration for the first start. j,k roots
moved to the front as they're everywhere and less loaded than a
swamped with requests from legacy tools