- Dec 06, 2015
-
-
Marek Vavruša authored
this allows overriding any dstdir variable without patching config.mk
-
- Dec 05, 2015
-
-
Marek Vavruša authored
if the root key file doesn’t exist, it will be populated from root DNSKEY query, which will be validated against root trust anchors retrieved over HTTPS with IANA cert verification against built-in current IANA cert CA. it requires luasocket and luasec for it to work. trust anchors XML file signature is not checked, as there’s no facility for PKCS7 checking yet.
-
- Dec 04, 2015
-
-
Marek Vavruša authored
-
- Dec 03, 2015
-
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
worker can track outbound requests and if N resolutions want the same subrequest, only one will lead it and others will be notified when it finishes
this massively reduces number of outbound requests for slow/unresponsive/low ttl requests
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
any answer that is considered as malformed/servfail/otherwise bad penalizes the NS for the next time like timeout, this doesn't apply for DNSSEC validation failures as it still may be okay for insecure resolution. EDNS failures are okay because the server is requeried in the most simple RFC1035 mode before flagging it as failed
this avoids instant requeries for SERVFAILing resolutions
-
Marek Vavruša authored
when a delegation is provably insecure, it is flagged as INSECURE in cache (this is different from "unchecked"), when the next query finds the same zone cut, this information is retrieved and if it was proved to be insecure before, this status is reused
this prevents refetching of NS/DNSKEY in some situations
-
Marek Vavruša authored
-
Marek Vavruša authored
-
- Dec 02, 2015
-
-
Marek Vavruša authored
daemon/io: remove redundant libknot/internal/utils.h include
See merge request !16
-
Daniel Salzman authored
-
- Nov 29, 2015
-
-
Marek Vavruša authored
notably key id doesn’t have to be recalculated every time, cheaper checks should come first, name equality check is cheaper as well
-
Marek Vavruša authored
-
- Nov 28, 2015
-
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
- Nov 27, 2015
-
-
Marek Vavruša authored
skipping over last/root label returns a pointer to memory after the domain name, this is unsafe
-
Grigorii Demidov authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Grigorii Demidov authored
-
Marek Vavruša authored
this doesn’t guarantee valid cache after crash, but then it’s a cache. most of the time on cold cache is spent on fsyncing as it’s done per each commit (=> resolved query)
-
Marek Vavruša authored
-
Marek Vavruša authored
this also fails if the timeout timer cannot be started, as it would wait for undefined time otherwise
-
- Nov 26, 2015
-
-
Marek Vavruša authored
-
Marek Vavruša authored
-