Let's allow 4 UDP + 4 TCP attempts, within 2+2 seconds,
and then start also using stale cache.

Some parts were hand-written, apparently.

ci: respdiff - update config

See merge request !469

Since we've added the `timeout` metric to respdiff, it uncovered
an issue when running in Docker, where a large amount of queries
(~2% / resolver) end with a timeout.

Until the issue is investigated and fixed, temporarily bump the CI's
tolerance for the test to pass to 3%.

systemd: enable multiple processes with socket activation

See merge request !464

In order to be able to spawn multiple processes with socket activation,
systemd template (see systemd.unit(5)) is used. This allows the user to
create any amount of instances by simply providing a unique name for
each of them. The most sensible instance identifiers are natural
numbers, but any convention could be used.

The default recommended service name becomes kresd@1.service, replacing
the older kresd.service. Sockets are renamed in a similar way. Users are
able to take advantage of bash expansion to spawn/control multiple
processes, e.g. "systemctl start kresd@{1..16}.service"

The socket-activated service can now be launched directly with
"systemctl start kresd@1.service", which will request the associated
sockets without the need for any extra priviledges or capabilities.

Stopping the kresd service now also stops the associated sockets.
Stopping any individual socket is an isolated opration now (stopping
kresd@1.socket no longer stop kresd-tls@1.socket and
kresd-control@1.socket).

Users and packagers are also encouraged to use drop-in files for extra
configuration or modifications to ensure compatibility with their
distribution.

It's not for NSEC3, etc.  We'll fill NEWS soon.

It's just to have the tag in history.  The files are unchanged.

Almost.  A trivial lib/layer/cache.c remains.
I put all lib/generic/*.h into libkres_HEADERS, to be sure.
They rarely change anyway.

It was breaking on Darwin, and clang was throwing warnings.
Problem since ddb699d3.

documentation: reorganize chapters

See merge request !467

The manual page discusses basic usage of kresd, but completely lacks
configuration description. Users are pointed to
https://knot-resolver.readthedocs.io for reference. When visiting this
page, the most important information they don't have yet, is how to
configure kresd. This should be the first chapter in the documentation
to make it easier to find.

fix two nitpicks from clang-scan

See merge request !465

- utils.c: overflowing size_t is basically impossible, but well...
- stats.c: NULL would probably not cause a problem with zero length passed

Also guard all allocations in cache against this, via assert.
(Except in cases that would segfault anyway.)

I somehow forgot that case.  Unfortunately the cache optimization for
CNAMEs doesn't help this case, so we just do (up to) two probes.

policy: polish policy module up

See merge request !462

RFC 6303 section 3 explains that

   The SOA RR is needed to support negative caching [RFC2308] of name
   error responses and to point clients to the primary master for DNS
   dynamic updates.

Now SOA RR owner name matches query name so it can be cached.
Using zone name as owner would be more difficult so it is left for
further optimizations.

I've verified that nsupdate correctly determines that master name
does not exist and stops update process.

I've removed couple layers of indirection to make it easier to follow.
This should make it easier to extend the policy module.

CI: store respdiff database for debuging purposes

See merge request !443

Dockefile: fix TLS server in demo container

See merge request !463