current processed query is always in `request->current_query`

before the algorithm was happy with root hints for all queries starting
at root, however they're often overloaded and result in timeouts
the updated code provides SBELT only for root NS query lookup and tries
to use cached information as much as possible

if the client doesn't support DNSSEC, scrub these from the answer
and do not set the AD bit

until RFC2181 credibility is implemented in cache, this behavior breaks
DNSSEC as the parent-side comes first to the cache
disabled this behavior until implemented properly

this fixes problems with servers authoritative both for
parent and child zone and vice versa
as the DS is authoritative parent-side, a full subrequest
is launched. this breaks some tests that don’t have
a full referral path

todo bugs:
- non-existence proof with only SOA and no NS is not
correctly resolved
- revalidation in some cases causes record duplication
- NS queries with DO=1 answered from cache are not correctly resolved, as the TA is not set at this time

config:
trust_anchors.negative = { ‘bad.cz’, ‘here.com’ }

all names below these NTA will not be validated
(unless there is an island of trust below these anchors)

preparations for TA rotation and management
in config:
trust_anchors.file = ‘root.key’
trust_anchors.auto = true // NOTIMPL
trust_anchors.add(‘. IN DS …’) // Manual addition

the SIP on OSX 10.11 disables library injection
on system binaries (python is considered as it)
make needs to call python binary directly to allow
brewed python to be used

the reason is that it's not actively used since we moved to binary
testing, and it depends on libknot internal api that has changed
also removed several unused libknot internal headers

The test is failing because of address mangling performed by test
environment.

Query for A or AAAA cannot be currently validated because the test
server mangles all A and AAAA records.

Also fixed TIME_PASSES ELAPSE which ignored the overridden time.