
DNS over TLS and TCP out-of-order processing

Ondřej Surý requested to merge tls-listen into master

Refresh !18 (closed)

I merged a few bits from @dkg's branch, but there are two notable things missing:

  • watch for on-disk change of credentials - not sure if this is really needed, I would suggest a separate MR, where we can discuss benefits of doing so.
  • ephemeral key generation from net.tls_servicename - this is fine, but instead of setting tls_servicename, let's make it an explicit generator, e.g. net.generate_certificate("name"), instead of setting tls_servicename in the struct network. Again I would suggest a separate MR.

To test the TLS listen, you can use a dns-over-tls branch from Knot DNS:

./daemon/kresd --tls=127.0.0.1\#5353
net.tls("cert", "key")
$ ./src/kdig +tls -p 5353 www.cmu.edu @127.0.0.1
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 9741
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.cmu.edu.        		IN	A

;; ANSWER SECTION:
www.cmu.edu.        	86400	IN	CNAME	www-cmu-prod-vip.andrew.cmu.edu.
www-cmu-prod-vip.andrew.cmu.edu. 21600	IN	A	128.2.42.52

;; Received 107 B
;; Time 2016-08-05 11:52:25 CEST
;; From 127.0.0.1@5353(TCP) in 2146.1 ms
;; TLS session info: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
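The two things this MR title names, a TLS listener and out-of-order processing of queries on one TCP stream, both come down to the same wire-level rules: every DNS message on TCP (and therefore on TLS) is prefixed by a 2-byte big-endian length, a client may pipeline several queries on one connection, and the server may answer them in any order, so the client must match each response to its pending query by message ID (and, to be safe, by the echoed question). The example below is added here and is not part of this MR or of Knot Resolver; it implements the framing and the ID-based demultiplexing in pure Python, feeds itself a constructed response stream that arrives reversed and fragmented, and rejects an unsolicited message. The `query_over_tls` helper at the end shows the same demuxer driven by a real TLS socket; it validates the server certificate with the system trust store, so for a locally generated test certificate like the one in `net.tls("cert", "key")` above you would load that certificate with `ctx.load_verify_locations(...)` rather than disable verification.

```python
import socket
import ssl
import struct


def build_query(qid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def frame(msg: bytes) -> bytes:
    """DNS over TCP/TLS: each message is preceded by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def make_response(query: bytes) -> bytes:
    """Constructed stub reply: same ID, QR/RD/RA set, question echoed, no RRs."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + query[12:]


class StreamDemuxer:
    """Reassemble length-prefixed messages from a byte stream and match
    each response to a pending query by ID and echoed question."""

    def __init__(self):
        self.buf = b""
        self.pending = {}   # qid -> query bytes awaiting an answer
        self.answers = {}   # qid -> matched response bytes
        self.order = []     # qids in the order their answers arrived
        self.stray = []     # unmatched messages: unknown ID, not a reply, or wrong question

    def expect(self, query: bytes) -> None:
        self.pending[struct.unpack("!H", query[:2])[0]] = query

    def feed(self, data: bytes) -> None:
        """Accept any fragment of the stream; dispatch every complete message."""
        self.buf += data
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break                      # rest of this message not here yet
            msg, self.buf = self.buf[2:2 + length], self.buf[2 + length:]
            self._dispatch(msg)

    def _dispatch(self, msg: bytes) -> None:
        if len(msg) < 12:
            self.stray.append(msg)
            return
        qid = struct.unpack("!H", msg[:2])[0]
        query = self.pending.get(qid)
        # Require: a query we actually sent, the QR bit, and the same question section.
        if query is None or not (msg[2] & 0x80) or msg[12:] != query[12:]:
            self.stray.append(msg)
            return
        self.answers[qid] = msg
        self.order.append(qid)
        del self.pending[qid]


def demo() -> StreamDemuxer:
    """Pipeline three queries; the constructed server answers them in reverse
    order, appends one unsolicited reply, and the bytes arrive in 7-byte chunks."""
    names = ((0x1001, "www.cmu.edu"), (0x1002, "example.org"), (0x1003, "example.net"))
    queries = [build_query(qid, name) for qid, name in names]
    demux = StreamDemuxer()
    for q in queries:
        demux.expect(q)
    stream = b"".join(frame(make_response(q)) for q in reversed(queries))
    stream += frame(make_response(build_query(0x9999, "bogus.test")))  # never sent by us
    for i in range(0, len(stream), 7):
        demux.feed(stream[i:i + 7])
    return demux


def query_over_tls(server: str, port: int, queries: list, server_name: str):
    """Send pipelined queries over one DoT connection (hypothetical helper,
    not exercised offline). Certificate verification stays on by default."""
    ctx = ssl.create_default_context()
    demux = StreamDemuxer()
    with socket.create_connection((server, port)) as sock, \
            ctx.wrap_socket(sock, server_hostname=server_name) as tls:
        session = (tls.version(), tls.cipher())   # like kdig's "TLS session info"
        for q in queries:
            demux.expect(q)
            tls.sendall(frame(q))
        while demux.pending:
            data = tls.recv(4096)
            if not data:
                break                      # server closed with queries outstanding
            demux.feed(data)
    return demux, session


if __name__ == "__main__":
    d = demo()
    print("answered in order", [hex(q) for q in d.order], "stray", len(d.stray))
```

The stray list is worth keeping rather than silently dropping: a reply whose ID matches nothing you sent is either a server bug or something to look at in logs, and in neither case should it populate a cache.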
