* in the begin() layer, the incoming query is
  exposed as req->qsource.packet, it is invalidated
  after begin() and should not be modified
* the destination address (local interface) is
  also tracked for filtering purposes

during the consume step, the information about
upstream authoritative (address and current rtt)
is exposed in the request structure, just like
information about current query

the daemon has now three modes of strictness
checking from strict to permissive.
it reflects the tradeoff between resolving the
query in as few steps as possible and security
for insecure zones

this is a temporary change until luajit-kdns is
merged-in with complete functionality,
this will break the API later and will require a
couple changes in several modules and trust anchors

a part of the zone cut is visible from Lua world:
- zone cut name (dname)
- trust anchor (rrset)
- current key (rrset)

when raised, a response zone cut will be recovered
even if the response came from cache. this is
normally not needed (and incurs additional cache
lookups), but it may be useful for
inspection

the field length is platform-dependent

this is not going to be backwards compatible change, but it will be the first tagged libknot release sufficient for resolver

the copy doesn't take cdata length into account, but measures string len

refs #43

this fixes a bug when a text-declared type wasn’t reused and LJ eventually segfaulted in ffi.new after a lot of redeclarations

the library is able to resolve query in stub mode (no referral chasing,
zone cut lookup) if asked to
validator turns off for stub queries, validating stub is NYI

resolved() returns true if current query is resolved (i.e. authoritative)
final() returns true if current query is resolved and is not a subrequest (has no parent)

as the libknot packet interface disallows out-of-order packet
writes, authority and additional records must be written after
the answer is complete; records in the rr arrays will be written to final answer during finalization

this is useful when you need to issue several subrequests before
continuing with the current query, resuming is not supported yet, so it
will requery after the subrequests complete

current processed query is always in `request->current_query`

effectively enables/disables usage of given IP protocol
for subrequests (the server can still listen on these)

example:
local rr = pkt:section(kres.section.ANSWER)[1]
print(kres.rr2str(rr))

example:
local rr = pkt:section(kres.section.ANSWER)
for i = 1, #rr do
	if rr[i].type == kres.type.A then
		print(kres.dname2str(rr[i].owner))
		print(‘rdlen:’, #rr[i].rdata)
	end
end

todo: active refresh

DS keys are injected into current set (unmanaged)
DNSKEY keys are in the managed set and their RFC5011 state is tracked

todo:
- implement timers and this AddTime/RemTime
- active refresh
- move to a separate module

config:
trust_anchors.negative = { ‘bad.cz’, ‘here.com’ }

all names below these NTA will not be validated
(unless there is an island of trust below these anchors)

preparations for TA rotation and management
in config:
trust_anchors.file = ‘root.key’
trust_anchors.auto = true // NOTIMPL
trust_anchors.add(‘. IN DS …’) // Manual addition

module can identify clients based on their source address or used TSIG
key

the requestor can provide information identifying the query originator
here (address and TSIG key), both fields are optional
update Lua FFI bindings