the key is now stored in a format friendly to prefix search, the values
also contain one more 16bit field to store rank of the data (to be
utilised later)

this is a problem when both CNAME and the target are answered from the same NS (but different authority), but only the CNAME authority does DNSSEC. it’s probably legal, but it’s pretty stupid to do so

before the algorithm was happy with root hints for all queries starting
at root, however they're often overloaded and result in timeouts
the updated code provides SBELT only for root NS query lookup and tries
to use cached information as much as possible

previously it was always overwritten with SBELT for root + root TA
doesn't have to be in cache (it's in trust store)

refs #33

the selected address is now an array with selection, caller can then send the same query to multiple offered targets

refs #35

this could happen if the query contained a CNAME with AA=0, or missing mandatory DS in previous NS query

this is useful if we want to prefetch or update data
in cache, it doesn’t affect the lookup of closest known
zone cut

if the client doesn't support DNSSEC, scrub these from the answer
and do not set the AD bit

until RFC2181 credibility is implemented in cache, this behavior breaks
DNSSEC as the parent-side comes first to the cache
disabled this behavior until implemented properly

RRSets are merged by using stash_add().

this allows the classic workflow, kdig for root DNSKEY
records to a key file and let it start

this fixes a case when a DNSKEY is either accepted from cache or offered
in advance

a cache is consulted before we even know a zone cut for the query, thus
the DNSKEY can't be validated. as a policy, everything should be
validated before it's accepted into cache, then it's trusted and
shouldn't be rechecked