if the client doesn't support DNSSEC, scrub these from the answer
and do not set the AD bit

with DNSSEC, such query needs to be revalidated as the TA/key is missing
for the new zone cut, which would lead to duplicated answers

in the future there may be an api to defer query processing, but for now
it can't be done

in this case the NS is an authority for both parent and child, so the NS
set stays the same and only the cut name changes

also answers for which minimisation failed or truncated
are fixed, for such answers iterator sets state to ‘consume’
to indicate the answer wasn’t processed

previously, debug messages were optional with -DWITH_DEBUG
now the debug messages are built in (unless compiled with -DNDEBUG), but
disabled by default

verbose output can be enabled by '-v' or '--verbose' CLI option
or interactively by 'verbose(true|false)' (or in config)

zonecut should be able to hold these for testing reasons (like private
root or zone cut), but it should filter out data from the internet
a new flag: QUERY_ALLOW_LOCAL allows for being more permissive, and
letting name server query local or private address ranges

this is a small step for me, but a huge step for resolver

this provides a useful callback for per-request operations that can’t wait until the query is completed (e.g. blocking or logging started queries)

no need to scramble queries satisfied from cache

this fixes an issue when nameserver responds with AA=0 and authority
of a CNAME target (which is in current bailiwick)

DNS 0x20 https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
is a way to add more randomness into queries to make spoofing tougher
this implementation provides up to 32 bits of randomness to QNAME,
which is more than enough for most names (it is possible to add a
maximum of 1 bit of entropy per alphanumeric character, so it's not very
efficient with shorter names)

fixes #27

previously the NS address list was wiped out, this prevents them from being added in the first place

some servers break qname m12n by sending REFUSED, this accepts such answer and requeries with m12n turned off 

if an authoritative answer comes and the server responds correctly, but appends out-of-bailiwick NS records, ignore them but resolve the query

since the next CNAME target query was added on top, it replaced
the original ‘current query’, this caused recaching of an answer
if it came from cache (as the query flags have changed)

This reverts commit 3d1ee641.