Implement RFC 9103 Strict/Mutual TLS
Knot implements RFC 9250's DNS-over-QUIC protocol in most respects, but this doesn't extend to implementing RFC 9103 as RFC 9250 suggests.
RFC 9103 defines a system for using TLS certificates to authenticate both server and client, which is a far more secure and manageable option for zone transfers than the TSIG authentication that Knot already offers.
This should be quite easy to implement: it is already possible to specify what TLS certificate is presented for DoQ connections. What remains to be done is requiring a specific certificate with a remote, and offering a client certificate when doing so.
It would probably be logical to reuse certificates for both client and server authentication in most cases, though this shouldn't be the only option.
While not explicitly mentioned in RFC 9103, it may also be worth considering the use of DANE for certificate validation. This poses a potential chicken-and-egg problem within a zone, of course, but it'd be extremely helpful between zones. Be advised, however, that the use of TLSA with QUIC is currently a draft standard.