1. validate module must be between iterate/cache
2. produce: copy OPT with DO=1, ask for DNSKEY if we don’t have it
3. resolve.c: subrequest DNSKEY if asked to do it
4. consume: check DNSKEY and set it, validate RRSIGs against it

another issues:

rrsigcache is copypasta of rrcache, there is one special case with storing RRSIGs which doesn’t deserve it’s own module (if the validation is off, then nothing will get written in there anyway)

since the resolution is asynchronous, layers must only *ask* resolver to do subrequests for them using query flags (like when we encounter an unknown zone cut)

the query flags were cleared too early, and the rec never
retried if the NS had ipv6 addresses, but all were bad

this fixes an issue when nameserver responds with AA=0 and authority
of a CNAME target (which is in current bailiwick)

DNS 0x20 https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
is a way to add more randomness into queries to make spoofing tougher
this implementation provides up to 32 bits of randomness to QNAME,
which is more than enough for most names (it is possible to add a
maximum of 1 bit of entropy per alphanumeric character, so it's not very
efficient with shorter names)

fixes #27

libuv doesn't do connected UDP sockets, so we can't get ICMP unreachable
otherwise