In reverse (PTR) records, now the last definition wins,
and non-canonical names don't get (shadowed) records.

The API function doesn't do anything else anyway.

The length was halved, mixed ">" vs. ">>", etc.

If one line contains multiple names for the address, the first
name should be the canonical one (i.e. used for reverse lookups).
In the current implementation wins top level domain according to
domain tree.

This change saves PTR records to separate tree. Names are
oredered according to order in host file.

- This affects the iterating mode only (except for a verbose message).
- The problem was introduced when implementing forwarding in 651c5aad.
- Example that was affected: *.org.ru.

When the same server is authoritative for multiple consecutive zones,
with a higher one being signed and a lower one being unsigned, we may
get an unsigned answer even in case we *think* we're currently in a
signed zone.

In particular, DS (sub-)queries are important because of being used to
prove the insecurity of zones - in that case the iterator can correctly
determine the (unexpected) zone name from which the answer came, due to
seeing the SOA record, but that is too late for zone_cut_check() to try
getting a trust chain to it, so we need to YIELD for it to do it.

Valid CNAME chains that ended in NODATA had AD flag set.

This part of code is NOT reachable when forwarding, because
ns.name is . (the root) and retry is true.
kr_nsrep_elect* would ruin forwarding anyway, as they're written ATM.

Casting is dangerous, e.g. it's easy to misconfigure policy with
  policy.add(policy.FORWARD('some address'))
which lead to segfault without showing any indication of the cause.
Now this case will show as
  .../policy.lua:98: 'struct kr_query' has no member named 'current'
and only abort the policy module instead of the whole process.

Closes #198.

Fixes https://gitlab.labs.nic.cz/knot/resolver/issues/198.
We can't let multiple "matching RRsets" to the wire, and we can't just
merge the sets from multiple queries either.  The only way is to choose
either of the sets and put it on the wire.  ATM the last one wins.

Common ocurrence of the bug: if www.example.cz was a CNAME for example.cz
and we ask for a non-existent type, we would get the SOA record twice
in the final answer.

A few related changes:
 - don't just assert, also return error code if -DNDEBUG
 - kr_ranked_rrarray_set_wire: don't do full-content comparison anymore;
   see the first paragraph in this commit message for the reasons
 - minor refactoring of that code, more comments, etc.