- Nov 17, 2015
Marek Vavruša authored
fixes #41
- Nov 16, 2015
Marek Vavruša authored
- Nov 15, 2015
Marek Vavruša authored
This allows the daemon to try other NSs for fast retransmit if the best-chosen NS doesn't respond within the time limit.
Marek Vavruša authored
Instead of a single I/O request per step, the daemon now retries all addresses in the selection with a 300ms timeout between tries. There are len(list) + len(list)/2 tries. The idea is to reduce latency when a UDP request doesn't punch through, or some NSs are overwhelmed/faulty.
- Nov 13, 2015
Marek Vavruša authored
Marek Vavruša authored
RRs may be touched after resolution completion; this copies the RR from the temporary per-recv buffer to the answer, which is persistent for the whole duration of the request.
Marek Vavruša authored
If the library or daemon is compiled with address sanitizer, objects in freelists are poisoned to detect use-after-recycle errors. It is not currently used in the library, as there are no freelists.
- Nov 12, 2015
Marek Vavruša authored
refs #33
Marek Vavruša authored
- Nov 03, 2015
Marek Vavruša authored
Marek Vavruša authored
refs #16
- Oct 29, 2015
Marek Vavruša authored
Marek Vavruša authored
- Oct 28, 2015
Marek Vavruša authored
The library is able to resolve a query in stub mode (no referral chasing, zone cut lookup) if asked to. The validator turns off for stub queries; validating stub is NYI.
Marek Vavruša authored
Marek Vavruša authored
Thanks to Pieter Lexis and Peter van Dijk from PowerDNS for discovering this.
Marek Vavruša authored
Marek Vavruša authored
The RFC4035 M < S < N stands if S isn't after the last name in the zone; this is indicated by M > N, proving that the next of the last name is the first name. If S is after M, then it proves its non-existence. Thanks to Pieter Lexis and Peter van Dijk from PowerDNS for discovering this!
- Oct 27, 2015
Marek Vavruša authored
Marek Vavruša authored
As the libknot packet interface disallows out-of-order packet writes, authority and additional records must be written after the answer is complete; records in the RR arrays will be written to the final answer during finalization.
Marek Vavruša authored
- Oct 24, 2015
Marek Vavruša authored
- Oct 23, 2015
Marek Vavruša authored
When the resolver finds a zone cut from cache, it checks whether there is an empty non-terminal between the target QNAME and the cached zone cut. This is indicated by the presence of NODATA/NXDOMAIN in the packet cache. If it finds one, it turns off qname minimisation and continues; this saves one query for empty non-terminal zones like 'co.jp'. Caveat: only a direct child of the cut can be considered (e.g. 'co.jp' for 'jp'), otherwise we would leak information to the parent if the zone cut fell out of cache and NODATA existed.
Marek Vavruša authored
For pktcache, the same or better rank is required (because it's a direct answer). For rrcache, a better rank is required (unless doing write-through). In both cases, no cache rank check is needed when inserting secure data. Security note: this mitigates possible non-auth NS hijacking.
Marek Vavruša authored
Reason: the a root gives consistently unpredictable performance, which we cannot take into consideration for the first start. The j and k roots are moved to the front as they're everywhere and less loaded than a, which is swamped with requests from legacy tools.
- Oct 22, 2015
Marek Vavruša authored
[1] shows an attack using spoofed CNAME targets to replace legitimate entries in the resolver cache by speeding up the once-per-TTL attack opportunity. As a defense, the resolver almost always requeries CNAME targets and doesn't store them in cache. The only exception is when the CNAME target is within the current authority and the answer is DNSSEC-secured. Thanks to Toshinori Maeno (@beyondDNS) for pointing this out [2].
[1]: https://tools.ietf.org/id/draft-weaver-dnsext-comprehensive-resolver-00.html
[2]: https://moin.qmail.jp/DNS/KnotResolver/CNAMEpatch
Marek Vavruša authored
- Oct 20, 2015
Marek Vavruša authored
- Oct 19, 2015
Marek Vavruša authored
Marek Vavruša authored
when the DS NODATA was proved from a different authority
- Oct 15, 2015
Marek Vavruša authored
Marek Vavruša authored
- Oct 14, 2015
Marek Vavruša authored
Marek Vavruša authored
The validator can now yield, but it doesn't plan the sub-requests directly; that is still a job of the driver.
Marek Vavruša authored
This caters to a use case where a layer needs to issue subrequests before continuing, so it yields. When the subrequests finish, the layer is resumed with the same parameters and input. TODO: fix the validator, which shifted most of the processing to the driver.
- Oct 13, 2015
Marek Vavruša authored
This is useful when you need to issue several subrequests before continuing with the current query. Resuming is not supported yet, so it will requery after the subrequests complete.
Marek Vavruša authored
The currently processed query is always in `request->current_query`.
- Oct 12, 2015
Marek Vavruša authored
When no validation is attempted, the trust level is 'bad'; when validation is attempted but insecure, the trust level is 'insecure'; otherwise it is 'secure'.
Marek Vavruša authored
Minimised NODATA/NXDOMAIN can now be cached if it is authoritative. Also, pkt/sec cache are now shared, using the 'rank' field to replace the insecure version with the secure one if needed.
- Oct 11, 2015
Marek Vavruša authored