if the client doesn't support DNSSEC, scrub these from the answer
and do not set the AD bit

until RFC2181 credibility is implemented in cache, this behavior breaks
DNSSEC as the parent-side comes first to the cache
disabled this behavior until implemented properly

example:

worker.resolve('cz', kres.type.NS, kres.class.IN, 0,
function (pkt)
	local answer = kres.pkt_t(pkt)
	print (answer:rcode())
end)

RRSets are merged by using stash_add().

this allows the classic workflow, kdig for root DNSKEY
records to a key file and let it start

this fixes a case when a DNSKEY is either accepted from cache or offered
in advance

a cache is consulted before we even know a zone cut for the query, thus
the DNSKEY can't be validated. as a policy, everything should be
validated before it's accepted into cache, then it's trusted and
shouldn't be rechecked

with DNSSEC, such query needs to be revalidated as the TA/key is missing
for the new zone cut, which would lead to duplicated answers

in the future there may be an api to defer query processing, but for now
it can't be done

in this case the NS is an authority for both parent and child, so the NS
set stays the same and only the cut name changes

this fixes problems with servers authoritative both for
parent and child zone and vice versa
as the DS is authoritative parent-side, a full subrequest
is launched. this breaks some tests that don’t have
a full referral path

todo bugs:
- non-existence proof with only SOA and no NS is not
correctly resolved
- revalidation in some cases causes record duplication
- NS queries with DO=1 answered from cache are not correctly resolved, as the TA is not set at this time

config:
trust_anchors.negative = { ‘bad.cz’, ‘here.com’ }

all names below these NTA will not be validated
(unless there is an island of trust below these anchors)

preparations for TA rotation and management
in config:
trust_anchors.file = ‘root.key’
trust_anchors.auto = true // NOTIMPL
trust_anchors.add(‘. IN DS …’) // Manual addition

as per rfc4035 all secured referrals must have either DS or proof
of non-existence. there is one use case where the resolver doesn’t
learn a DS this way, when a single server hosts both parent and
child zone. in this case, DS must be requested separetely

also answers for which minimisation failed or truncated
are fixed, for such answers iterator sets state to ‘consume’
to indicate the answer wasn’t processed

if the final query isn’t satisfied with DNSSEC on,
then the answer counts as insecure

subrequests may be insecure (e.g. out of bailiwick insecure NS),
but the final answer may be secured
the commit also fixes caching in this case

each subrequest can now enter and leave islands of trust
independently. this fixes a case when a zone is in an
island of trust, but one of its NS isn’t (different zone for example)