
Fix root server proofs, and just that (big fix 3/4)#86

Open
pinheadmz wants to merge 12 commits into handshake-org:master from pinheadmz:dnssec-proofs-fix


@pinheadmz (Member)

Refactored out of bloated #76

This was the original point of that PR before it got carried away. It should just cover the original goals:

  • Replaces empty zone proofs with minimally covering NSEC records
  • Fix ICANN insecure delegation proofs
  • No referrals for negative DS answers, since the root zone is authoritative (referral answers must only be for delegated sub-trees).
  • Fix ICANN DS answers, since it used to send referrals for all questions
  • NSEC bitmap now shows the correct types available for a name, like TXT records (if no delegation)
  • Clean up SOA and AA bit handling for Handshake and ICANN names
  • Remove DS from the root zone; it should only exist in the parent zone

Note that although these tests do pass, the actual NSEC records being returned by this branch by itself are wrong, and will require #83 to be merged before being totally correct:

# hnsd

$ dig @127.0.0.1 -p 25349 doesnotexist txt +dnssec
...
.                       21600   IN      NSEC    doesnotexist\\000. RRSIG NSEC
...


# hsd, correct:

$ dig @127.0.0.1 -p 5349 doesnotexist txt +dnssec
...
doesnotexiss\255.       21600   IN      NSEC    doesnotexist\000. RRSIG NSEC
...
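
As an added example (not hnsd or hsd code), the name arithmetic behind the hsd line above: the NSEC owner is the query name with its last octet decremented and a \255 octet appended, and the next name is the query name with a \000 octet appended, both rendered the way dig prints them. It follows the single-octet form visible in that output rather than the fully padded form RFC 4470 describes, and it handles only single-label (root-zone) names. Function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Minimally covering NSEC names for a non-existent single-label name
 * (a TLD in the root zone), in the form the hsd output above shows:
 *   owner = name with its last octet decremented and a \255 octet appended
 *   next  = name with a \000 octet appended
 * Hypothetical helpers for illustration; not hnsd or hsd code.
 */

/* Render a label in dig's presentation format: printable ASCII as-is,
 * '.' and '\' backslash-escaped, any other octet as \DDD (decimal),
 * followed by the trailing dot of a root-zone name. Returns the bytes
 * written, or 0 if `out` is too small. */
static size_t present_label(const unsigned char *label, size_t len,
                            char *out, size_t out_sz)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned c = label[i];
        int k;
        if (c == '.' || c == '\\')
            k = snprintf(out + n, out_sz - n, "\\%c", (int)c);
        else if (c > 0x20 && c < 0x7f)
            k = snprintf(out + n, out_sz - n, "%c", (int)c);
        else
            k = snprintf(out + n, out_sz - n, "\\%03u", c);
        if (k < 0 || (size_t)k >= out_sz - n)
            return 0;
        n += (size_t)k;
    }
    if (n + 2 > out_sz)
        return 0;
    out[n++] = '.';
    out[n] = '\0';
    return n;
}

/* Closest-predecessor owner name. Rejects labels that would exceed the
 * 63-octet label limit once the \255 is appended, and a trailing \000
 * octet, which cannot be decremented. */
size_t nsec_cover_owner(const unsigned char *label, size_t len,
                        char *out, size_t out_sz)
{
    unsigned char buf[63];
    if (len == 0 || len > 62 || label[len - 1] == 0)
        return 0;
    memcpy(buf, label, len);
    buf[len - 1]--;
    buf[len] = 0xff;
    return present_label(buf, len + 1, out, out_sz);
}

/* Closest-successor "next" name: the same label with \000 appended. */
size_t nsec_cover_next(const unsigned char *label, size_t len,
                       char *out, size_t out_sz)
{
    unsigned char buf[63];
    if (len == 0 || len > 62)
        return 0;
    memcpy(buf, label, len);
    buf[len] = 0x00;
    return present_label(buf, len + 1, out, out_sz);
}

/* C-string convenience wrapper. DNS canonical ordering is case-insensitive
 * (RFC 4034 section 6.1), so the name is lower-cased first. Returns 1 on
 * success, 0 on an empty or over-long name. */
int nsec_cover(const char *name, char *owner, size_t owner_sz,
               char *next, size_t next_sz)
{
    unsigned char label[63];
    size_t len = strlen(name);
    if (len == 0 || len > 62)
        return 0;
    for (size_t i = 0; i < len; i++)
        label[i] = (unsigned char)tolower((unsigned char)name[i]);
    return nsec_cover_owner(label, len, owner, owner_sz) != 0 &&
           nsec_cover_next(label, len, next, next_sz) != 0;
}

int main(void)
{
    char owner[256], next[256];
    /* Constructed input: the query name from the dig run above. */
    if (!nsec_cover("doesnotexist", owner, sizeof owner, next, sizeof next))
        return 1;
    printf("%s\t21600\tIN\tNSEC\t%s RRSIG NSEC\n", owner, next);
    return 0;
}
```

The owner sorts immediately below the query name and the next name immediately above it in canonical order, so the pair proves non-existence of exactly that name without disclosing any real zone content; the length checks matter because appending an octet to a 63-octet label would produce an invalid name.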

pinheadmz changed the title from "Fix root server proofs, and just that (big fix 3/n)" to "Fix root server proofs, and just that (big fix 3/4)" on Dec 22, 2021
pinheadmz force-pushed the dnssec-proofs-fix branch 2 times, most recently from 26e5259 to 5adbd22, on December 22, 2021 18:58
pinheadmz added this to the v1.1.0 milestone on Dec 22, 2021
pinheadmz mentioned this pull request on Jan 11, 2022
@pinheadmz (Member, Author)

Added check for the CD bit:

--> dig @127.0.0.1 -p 5350 dnssec-failed.org

; <<>> DiG 9.16.10 <<>> @127.0.0.1 -p 5350 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31519
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; Query time: 3276 msec
;; SERVER: 127.0.0.1#5350(127.0.0.1)
;; WHEN: Tue Jan 11 11:50:50 EST 2022
;; MSG SIZE  rcvd: 46

--> dig @127.0.0.1 -p 5350 dnssec-failed.org +cd

; <<>> DiG 9.16.10 <<>> @127.0.0.1 -p 5350 dnssec-failed.org +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33737
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7187    IN      A       69.252.80.75

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5350(127.0.0.1)
;; WHEN: Tue Jan 11 11:51:00 EST 2022
;; MSG SIZE  rcvd: 62

... hnsd logs:

rs:   why_bogus: validation failure <dnssec-failed.org. A IN>: key for validation dnssec-failed.org. is marked as invalid because of a previous validation failure <dnssec-failed.org. A IN>: No DNSKEY record from 68.87.76.228 and 69.252.250.103 and 69.252.250.103 and 68.87.68.244 and 69.252.250.103 and 69.252.250.103 and 69.252.250.103 and 69.252.250.103 and 68.87.76.228 and 68.87.85.132 and 68.87.72.244 and 68.87.76.228 and 69.252.250.103 and 69.252.250.103 and 68.87.68.244 and 68.87.72.244 and 68.87.76.228 and 69.252.250.103 and 68.87.76.228 and 68.87.72.244 and 68.87.76.228 and 68.87.68.244 and 69.252.250.103 and 68.87.85.132 and 68.87.68.244 and 68.87.76.228 and 68.87.85.132 and 69.252.250.103 and 68.87.72.244 and 68.87.76.228 and 68.87.72.244 and 68.87.68.244 and 68.87.68.244 for key dnssec-failed.org. while building chain of trust
rs:   (checking disabled)
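
As an added example (not hnsd's code), the header-level behaviour the two dig runs above show: a bogus validation result becomes SERVFAIL with an empty answer section and RA clear, unless the query set CD, in which case the unvalidated answer is returned with NOERROR and CD echoed. The block parses and writes the 12-octet DNS header, applies that policy, and renders the flags word the way dig's ";; flags:" line does. The policy function, the struct and the helper names are hypothetical, and the query header is a constructed input using the id from the "+cd" run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNS header flag bits in the 16-bit flags word (RFC 1035, RFC 4035). */
#define DNS_QR 0x8000u
#define DNS_AA 0x0400u
#define DNS_TC 0x0200u
#define DNS_RD 0x0100u
#define DNS_RA 0x0080u
#define DNS_AD 0x0020u
#define DNS_CD 0x0010u
#define DNS_RCODE_MASK 0x000fu

#define RCODE_NOERROR  0u
#define RCODE_SERVFAIL 2u

/* Hypothetical header struct for illustration; not hnsd's types. */
struct dns_header {
    uint16_t id, flags, qdcount, ancount, nscount, arcount;
};

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Parse the 12-octet big-endian wire header; returns 0 on a short message. */
int dns_header_parse(const unsigned char *buf, size_t len, struct dns_header *h)
{
    if (len < 12)
        return 0;
    h->id = rd16(buf);          h->flags = rd16(buf + 2);   h->qdcount = rd16(buf + 4);
    h->ancount = rd16(buf + 6); h->nscount = rd16(buf + 8); h->arcount = rd16(buf + 10);
    return 1;
}

void dns_header_write(const struct dns_header *h, unsigned char out[12])
{
    wr16(out, h->id);          wr16(out + 2, h->flags);   wr16(out + 4, h->qdcount);
    wr16(out + 6, h->ancount); wr16(out + 8, h->nscount); wr16(out + 10, h->arcount);
}

/* Response header policy mirroring the two dig runs above (an illustrative
 * policy, not hnsd's code). `bogus` is the validator's verdict and `answers`
 * the RR count the unvalidated answer would carry. A bogus answer becomes
 * SERVFAIL with nothing in the answer section and RA clear, as that trace
 * shows, unless the query set CD: then the answer is returned unvalidated
 * with NOERROR and CD echoed. AD is set only on a validated answer that was
 * not requested with CD (RFC 4035 section 3.2.3). */
void dns_build_response(const struct dns_header *q, int bogus, uint16_t answers,
                        struct dns_header *r)
{
    memset(r, 0, sizeof *r);
    r->id = q->id;
    r->qdcount = q->qdcount;
    r->arcount = 1;                              /* OPT pseudo-RR, as in the traces */
    r->flags = (uint16_t)(DNS_QR | (q->flags & (DNS_RD | DNS_CD)));
    if (bogus && !(q->flags & DNS_CD)) {
        r->flags |= RCODE_SERVFAIL;
        return;
    }
    r->flags |= DNS_RA;
    if (!bogus && !(q->flags & DNS_CD))
        r->flags |= DNS_AD;
    r->ancount = answers;
}

/* Render the flags word the way dig's ";; flags:" line does. */
size_t dns_flags_str(uint16_t flags, char *out, size_t out_sz)
{
    static const struct { uint16_t bit; const char *name; } names[] = {
        { DNS_QR, "qr" }, { DNS_AA, "aa" }, { DNS_TC, "tc" }, { DNS_RD, "rd" },
        { DNS_RA, "ra" }, { DNS_AD, "ad" }, { DNS_CD, "cd" },
    };
    size_t n = 0;
    if (out_sz == 0)
        return 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(flags & names[i].bit))
            continue;
        int k = snprintf(out + n, out_sz - n, "%s%s", n ? " " : "", names[i].name);
        if (k < 0 || (size_t)k >= out_sz - n)
            return 0;
        n += (size_t)k;
    }
    return n;
}

int main(void)
{
    /* Constructed query header: id and flags as in the "+cd" dig run above. */
    struct dns_header q = { .id = 33737, .flags = DNS_RD | DNS_CD, .qdcount = 1, .arcount = 1 };
    struct dns_header r;
    unsigned char wire[12];
    char flags[64];
    dns_build_response(&q, 1 /* validator said bogus */, 1, &r);
    dns_header_write(&r, wire);
    dns_flags_str(r.flags, flags, sizeof flags);
    printf("status: %s, flags: %s, ANSWER: %u\n",
           (r.flags & DNS_RCODE_MASK) == RCODE_SERVFAIL ? "SERVFAIL" : "NOERROR",
           flags, r.ancount);
    return 0;
}
```

The point of echoing CD rather than AD is that the client has explicitly taken validation on itself; a resolver that returned the bogus answer with NOERROR and no CD echoed would be indistinguishable, at the header level, from one that had validated it.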
