this is a saner default for large answers. instead of waiting for
probably lost/thrown away fragmented packet, do the query over TCP
instead

this fixes a problem when a module was removed, but pending
queries referenced it, causing a crash. usually when the
server was busy and a module was unloaded.
as we don’t need to copy layers at all, they’re just iterated
from the array of modules using a macro

no need to scramble queries satisfied from cache

the resolution driver now correctly fetches keys,
and the zonecut lookup should find closest TA,
then the validation module should have all the
information needed for simple validation

the only flag supported now is the KR_REQ_DNSSEC,
which indicates that the caller wants a secure answer

1. validate module must be between iterate/cache
2. produce: copy OPT with DO=1, ask for DNSKEY if we don’t have it
3. resolve.c: subrequest DNSKEY if asked to do it
4. consume: check DNSKEY and set it, validate RRSIGs against it

another issues:

rrsigcache is copypasta of rrcache, there is one special case with storing RRSIGs which doesn’t deserve it’s own module (if the validation is off, then nothing will get written in there anyway)

since the resolution is asynchronous, layers must only *ask* resolver to do subrequests for them using query flags (like when we encounter an unknown zone cut)

the query flags were cleared too early, and the rec never
retried if the NS had ipv6 addresses, but all were bad

libuv doesn't do connected UDP sockets, so we can't get ICMP unreachable
otherwise

before root hints were hardcoded to the resolver,
now they are present in form of a cut in the resolution
context, and the modules can add/remove/replace them
on the fly

previously a CNAME RR could be merged as a queried type RR, leading to failed cache lookups as ‘expired’

previously if NS had no A/AAAA records, they we’re looked up in subrequests, after that a new NS was reelected (possibly preferring another unknown), now it stays true to the NS of choice and changes only if it is unuseable

the cache_peek() api was reworked to return an error code instead, from this the caller can tell whether the record is present (but expired) or missing. this save a secondary CNAME lookup in case the original record was just expired

this LRU-like cache tracks lame nameservers, unresolvable
nameservers (to not waste resources in trying to resolve them),
and possibly other features (extension support, …)

if a name server is missing address, it requires launching a recursive query to discover it - starting from root
now however it can start from either closest covering zonecut in cache if it isn’t a subdomain of current zone cut, or as a parent of current zone cut

when a NS is in the TIMEOUT, it can’t be autoselected by default but only probed after a successful dice roll - however in some scenarios we’d like to probe timeouting servers more thoroughly 

score has now meaning of ‘RTT’, maximum RTT is 10s
which is also the penalty for timeout
unknown servers are favorized as 10ms servers to
encourage resolver to try them out, if they contain
unknown glue they are most favourable

previously it restarted query production for each NS, now it loops until it finds a suitor or bails out

if the query is satisfied from cache, it doesn’t need a zone cut lookup, so it may be deferred until an outbound query is about the be issued.

this prepares cache/txn structures to hold API as well, so we can get
rid of the global api

the module memory not be moved (reallocd), turned array of modules to array of pointers to modules

this fixes a bug where resolution failed, but the finish callbacks thought the answer is noerror