This can be done at the resolver level by specifying a set of overrides
via the new 'resolvQueryFlags' field. This makes it possible to request
unvalidated data from validating DNSSEC resolvers (by setting the CD bit)
or to query authoritative servers (by clearing the RD bit, since many
authoritative servers will refuse queries with the RD bit set, even
when authoritative for the query domain).

Alternatively, the new "lookupRaw'" function takes a similar
"QueryFlags" parameter which is combined with overrides from the
resolver configuration. The set of overrides forms a Monoid generated
by the 'rdBit', 'adBit' and 'cdBit' combinators. Each combinator
can request that a given bit "set", "cleared" or "reset" (to its
default). The "queryDNSFlags" function produces the final "DNSFlags"
record after applying the requested overrides.

With these changes one can configure per-resolver defaults for the
RD/AD/CD bits, or else choose settings on the fly for each lookup
with "lookupRaw'". (This makes "lookupRawAD" somewhat obsolete,
we might deprecate it at some point in the future, but probably
best to leave it be, it is simpler if one just wants the AD bit).

Occasionally, when a client gives up on a query and closes its UDP
socket, the nameserver nevertheless eventually replies. When that
happens, the UDP socket in question may now be in use for a different
query. When the unexpected stale answer arrives, we should just
drop it, and continue waiting for the right answer. Otherwise, we
may end up with spurious sequence number mismatch errors (observed
in practice under heavy load, with thousands of DNS queries per
second).

We check both the sequence number and the question. For this the
question domain needs to be in standard form, with a trailing '.'.
We might have checked the question class, but questions are at
present implicitly in class "IN". Sprinkled in some comments in
case that ever changes.

Turned the question into a singleton list early, simplifying
downstream code.
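The override monoid described in the first part of the message, as an added Python illustration (not code from the dns library or from this commit): each combinator overrides one bit, the identity overrides nothing, combining two sets merges them, and the final header bits are computed from the library defaults plus the merged overrides. The defaults (RD on, AD and CD off), the right-biased merge in which the per-lookup overrides are applied after the resolver-level ones and win, and all names below are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum


class FlagOp(Enum):
    """What an override asks for a given header bit."""
    KEEP = "keep"    # no opinion: the identity element, inherit the lower level
    SET = "set"      # force the bit on
    CLEAR = "clear"  # force the bit off
    RESET = "reset"  # force the library default, discarding earlier overrides


# Assumed library defaults: recursion desired on, AD and CD off.
DEFAULTS = {"rd": True, "ad": False, "cd": False}

# Positions of RD, AD and CD in the 16-bit DNS header flags word.
HEADER_BIT = {"rd": 0x0100, "ad": 0x0020, "cd": 0x0010}


@dataclass(frozen=True)
class QueryFlags:
    """A set of overrides; mappend is the monoid operation."""
    rd: FlagOp = FlagOp.KEEP
    ad: FlagOp = FlagOp.KEEP
    cd: FlagOp = FlagOp.KEEP

    def mappend(self, other: "QueryFlags") -> "QueryFlags":
        # Right-biased (assumed): an override on the right replaces one on
        # the left; KEEP on the right leaves the left value untouched.
        def pick(left: FlagOp, right: FlagOp) -> FlagOp:
            return left if right is FlagOp.KEEP else right
        return QueryFlags(pick(self.rd, other.rd),
                          pick(self.ad, other.ad),
                          pick(self.cd, other.cd))

    def __add__(self, other: "QueryFlags") -> "QueryFlags":
        return self.mappend(other)


MEMPTY = QueryFlags()  # identity: overrides nothing


def rd_bit(op: FlagOp) -> QueryFlags:
    return QueryFlags(rd=op)


def ad_bit(op: FlagOp) -> QueryFlags:
    return QueryFlags(ad=op)


def cd_bit(op: FlagOp) -> QueryFlags:
    return QueryFlags(cd=op)


def query_dns_flags(overrides: QueryFlags) -> dict:
    """Apply merged overrides to the defaults; return the final bit values."""
    flags = dict(DEFAULTS)
    for name, op in (("rd", overrides.rd), ("ad", overrides.ad), ("cd", overrides.cd)):
        if op is FlagOp.SET:
            flags[name] = True
        elif op is FlagOp.CLEAR:
            flags[name] = False
        elif op is FlagOp.RESET:
            flags[name] = DEFAULTS[name]
        # KEEP: the default stays in place
    return flags


def effective_flags(resolver_overrides: QueryFlags, per_query_overrides: QueryFlags) -> dict:
    """Resolver configuration first, per-lookup overrides on top (assumed precedence)."""
    return query_dns_flags(resolver_overrides + per_query_overrides)


def header_flags_word(flags: dict) -> int:
    """Pack the bit values into the header flags word of a plain query (QR=0, opcode=0, rcode=0)."""
    word = 0
    for name, mask in HEADER_BIT.items():
        if flags[name]:
            word |= mask
    return word


def monoid_laws_hold(a: QueryFlags, b: QueryFlags, c: QueryFlags) -> bool:
    """Identity and associativity for three concrete override sets."""
    return MEMPTY + a == a and a + MEMPTY == a and (a + b) + c == a + (b + c)


if __name__ == "__main__":
    # Resolver configured to query an authoritative server (RD cleared);
    # one lookup additionally asks for unvalidated data (CD set).
    resolver = rd_bit(FlagOp.CLEAR)
    print(effective_flags(resolver, cd_bit(FlagOp.SET)))
    print(hex(header_flags_word(effective_flags(resolver, cd_bit(FlagOp.SET)))))
```

Because a RESET on the right discards whatever was requested on the left, a per-lookup `ad_bit(FlagOp.RESET)` restores the default even when the resolver configuration set the AD bit; a `FlagOp.KEEP` on the right has no effect, which is what makes the empty set the identity.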
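The stale-reply check from the second part of the message, as an added Python illustration (not code from the dns library or from this commit): a reply is accepted only when both its sequence number and its question match the pending query, with the question name compared in standard form (trailing dot). The sample messages are constructed for the example, and the class comparison is included as the message suggests it might one day matter; the names below are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


def canonical_name(name: str) -> str:
    """Standard form for comparison: lower-case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


@dataclass(frozen=True)
class Question:
    qname: str
    qtype: str
    qclass: str = "IN"   # implicitly IN today; compared anyway in case that changes


@dataclass(frozen=True)
class Message:
    ident: int           # 16-bit sequence number from the DNS header
    question: Question   # the single entry of the question section


def answers_pending(reply: Message, pending: Message) -> bool:
    """True only if both the sequence number and the question match."""
    if reply.ident != pending.ident:
        return False
    rq, pq = reply.question, pending.question
    return (canonical_name(rq.qname) == canonical_name(pq.qname)
            and rq.qtype == pq.qtype
            and rq.qclass == pq.qclass)


def wait_for_answer(pending: Message, incoming: Iterable[Message]) -> Tuple[Optional[Message], int]:
    """Consume replies in arrival order, dropping stale ones.

    Returns the first matching reply (or None) and how many were dropped.
    """
    dropped = 0
    for reply in incoming:
        if answers_pending(reply, pending):
            return reply, dropped
        dropped += 1   # stale answer for an abandoned query: ignore, keep waiting
    return None, dropped


def first_by_id_only(pending: Message, incoming: Iterable[Message]) -> Optional[Message]:
    """The weaker check (sequence number alone) for comparison."""
    for reply in incoming:
        if reply.ident == pending.ident:
            return reply
    return None


# Constructed sample: the socket now serves query 0x1A2B for example.com/A,
# but two late replies to earlier, abandoned queries arrive first. The second
# of them even carries the same sequence number, now reused.
PENDING = Message(0x1A2B, Question("example.com.", "A"))
INCOMING = [
    Message(0x0F0F, Question("stale.example.", "A")),
    Message(0x1A2B, Question("other.example.", "A")),
    Message(0x1A2B, Question("EXAMPLE.COM", "A")),   # the real answer, no trailing dot
]


def demo() -> Tuple[Optional[Message], int]:
    return wait_for_answer(PENDING, INCOMING)


if __name__ == "__main__":
    answer, dropped = demo()
    print(f"accepted {answer} after dropping {dropped} stale replies")
    print(f"id-only matching would have taken {first_by_id_only(PENDING, INCOMING)}")
```

With only the sequence number checked, the second stale reply would be accepted as the answer to a different question; checking the question as well means it is dropped and the loop keeps waiting for the genuine reply, which matches once its name is put in standard form.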