implement dnssec-awareness throughout code, and dane for incoming/outgoing mail delivery

the vendored dns resolver code is a copy of the go stdlib dns resolver, with
awareness of the "authentic data" (i.e. dnssec secure) added, as well as support
for enhanced dns errors, and looking up tlsa records (for dane). ideally it
would be upstreamed, but the chances seem slim.

dnssec-awareness is added to all packages, e.g. spf, dkim, dmarc, iprev. their
dnssec status is added to the Received message headers for incoming email.

but the main reason to add dnssec was for implementing dane. with dane, the
verification of tls certificates can be done through certificates/public keys
published in dns (in the tlsa records). this only makes sense (is trustworthy)
if those dns records can be verified to be authentic.

mox now applies dane to delivering messages over smtp. mox already implemented
mta-sts for webpki/pkix-verification of certificates against the (large) pool
of CAs, and still enforces those policies when present. but it now also checks
for dane records, and will verify those if present. if dane and mta-sts are
both absent, the regular opportunistic tls with starttls is still done. and the
fallback to plaintext is also still done.

mox also makes it easy to set up dane for incoming deliveries, so other servers
can deliver with dane tls certificate verification. the quickstart now
generates private keys that are used when requesting certificates with acme.
the private keys are pre-generated because they must be static and known during
setup, because their public keys must be published in tlsa records in dns.
autocert would generate private keys on its own, so had to be forked to add the
option to provide the private key when requesting a new certificate. hopefully
upstream will accept the change and we can drop the fork.

with this change, using the quickstart to set up a new mox instance, the checks
at internet.nl result in a 100% score, provided the domain is dnssec-signed and
the network doesn't have any issues.
Mechiel Lukkien
2023-10-10 12:09:35 +02:00
parent c4324fdaa1
commit daa908e9f4
177 changed files with 12907 additions and 3131 deletions
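The tlsa matching that the commit message relies on, as an added example that is not mox's code: given a TLSA record (usage, selector, matching type, association data) and the certificate a receiving server presented, decide whether the certificate is authenticated under DANE-EE, and count how many records were usable for SMTP at all. The TLSA type and verifyDANEEE are names chosen here; the caller is assumed to have already established that the TLSA RRset came back dnssec-authentic, since, as the message says, the check is only trustworthy then.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
)

// TLSA is one record as defined in RFC 6698, with the acronyms from RFC 7218.
type TLSA struct {
	Usage     uint8  // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector  uint8  // 0 Cert (whole DER certificate), 1 SPKI (SubjectPublicKeyInfo)
	MatchType uint8  // 0 Full, 1 SHA2-256, 2 SHA2-512
	Data      []byte // certificate association data from the record
}

// matches applies the record's selector and matching type to cert and compares the result with Data.
func matches(r TLSA, cert *x509.Certificate) bool {
	sel := cert.RawSubjectPublicKeyInfo // selector 1 (SPKI)
	if r.Selector == 0 {
		sel = cert.Raw // selector 0 (Cert)
	} else if r.Selector != 1 {
		return false // unknown selector: the record is unusable (RFC 6698 section 4.1)
	}
	switch r.MatchType {
	case 0: // Full: Data is the selected bytes themselves
		return bytes.Equal(sel, r.Data)
	case 1: // SHA2-256
		h := sha256.Sum256(sel)
		return bytes.Equal(h[:], r.Data)
	case 2: // SHA2-512
		h := sha512.Sum512(sel)
		return bytes.Equal(h[:], r.Data)
	}
	return false // unknown matching type: the record is unusable
}

// verifyDANEEE reports whether leaf is authenticated by a DANE-EE(3) record, and how many
// records were usable at all: RFC 7672 lets SMTP clients use only DANE-TA(2) and DANE-EE(3).
// DANE-TA records count as usable but need chain building, which this example leaves out.
func verifyDANEEE(records []TLSA, leaf *x509.Certificate) (ok bool, usable int) {
	for _, r := range records {
		if r.Usage == 2 || r.Usage == 3 {
			usable++
			ok = ok || r.Usage == 3 && matches(r, leaf)
		}
	}
	return ok, usable
}
```

A record published as `3 1 1 <hex digest>` in DNS corresponds to `TLSA{3, 1, 1, digest}` here, which is the form the quickstart's pre-generated keys are meant to be published in.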


@ -122,10 +122,14 @@ https://www.iana.org/assignments/message-headers/message-headers.xhtml
8904 DNS Whitelist (DNSWL) Email Authentication Method Extension
# DANE
6394 Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE)
6698 The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
7218 Adding Acronyms to Simplify Conversations about DNS-Based Authentication of Named Entities (DANE)
7671 The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance
7672 SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
7673 Using DNS-Based Authentication of Named Entities (DANE) TLSA Records with SRV Records
7929 DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
8162 Using Secure DNS to Associate Certificates with Domain Names for S/MIME
# TLS-RPT
8460 SMTP TLS Reporting
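Review bot: RFC 7929 (OpenPGPKEY) and RFC 8162 (SMIMEA) bind end-user keys for message encryption to DNS names and are not part of the SMTP transport DANE (RFC 7672, TLSA records) that this commit implements; if the index distinguishes implemented specifications from related reading, annotate these two entries so the DANE heading is not read as covering OpenPGP or S/MIME lookups.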
@ -283,6 +287,7 @@ See implementation guide, https://jmap.io/server.html
# TLS
6125 Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
7250 Using Raw Public Keys in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
7525 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
8314 Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access
8996 Deprecating TLS 1.0 and TLS 1.1
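Review bot: RFC 7525 has been obsoleted by RFC 9325 (BCP 195), so mark it the way this index already marks superseded documents, e.g. `7525 (obsoleted by RFC 9325) Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)`, or add a 9325 entry next to it; the TLS 1.0/1.1 deprecation in 8996 is consistent with 9325.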
@ -321,21 +326,31 @@ See implementation guide, https://jmap.io/server.html
1536 Common DNS Implementation Errors and Suggested Fixes
2181 Clarifications to the DNS Specification
2308 Negative Caching of DNS Queries (DNS NCACHE)
2672 (obsoleted by RFC 6672) Non-Terminal DNS Name Redirection
3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements
3363 Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS)
3596 DNS Extensions to Support IP Version 6
3597 Handling of Unknown DNS Resource Record (RR) Types
3833 Threat Analysis of the Domain Name System (DNS)
4343 Domain Name System (DNS) Case Insensitivity Clarification
4592 The Role of Wildcards in the Domain Name System
5001 DNS Name Server Identifier (NSID) Option
5452 Measures for Making DNS More Resilient against Forged Answers
6604 xNAME RCODE and Status Bits Clarification
6672 DNAME Redirection in the DNS
6891 Extension Mechanisms for DNS (EDNS(0))
6895 Domain Name System (DNS) IANA Considerations
7686 The ".onion" Special-Use Domain Name
7766 DNS Transport over TCP - Implementation Requirements
7828 The edns-tcp-keepalive EDNS0 Option
7873 Domain Name System (DNS) Cookies
8020 NXDOMAIN: There Really Is Nothing Underneath
8482 Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY
8490 DNS Stateful Operations
8499 DNS Terminology
8767 Serving Stale Data to Improve DNS Resiliency
8914 Extended DNS Errors
9018 Interoperable Domain Name System (DNS) Server Cookies
9210 DNS Transport over TCP - Operational Requirements
# DNSSEC
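Review bot: the entry `8914 Extended DNS Errors` is the feature the commit message calls "enhanced dns errors"; use the RFC's term "extended DNS errors" (EDE) in code comments and the changelog so readers can map the index entry to the implementation, and consider noting that 8914 is what carries the DNSSEC validation failure reasons the new resolver surfaces.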
@ -352,6 +367,7 @@ See implementation guide, https://jmap.io/server.html
6014 Cryptographic Algorithm Identifier Allocation for DNSSEC
6781 DNSSEC Operational Practices, Version 2
6840 Clarifications and Implementation Notes for DNS Security (DNSSEC)
7901 CHAIN Query Requests in DNS
8198 Aggressive Use of DNSSEC-Validated Cache
8624 Algorithm Implementation Requirements and Usage Guidance for DNSSEC
8749 Moving DNSSEC Lookaside Validation (DLV) to Historic Status
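Review bot: RFC 7901 (CHAIN queries) and RFC 8198 (aggressive use of validated NSEC/NSEC3 in a cache) describe the behaviour of a validating resolver or cache, while the commit message describes the vendored resolver as a copy of the stdlib resolver that only carries the "authentic data" status it receives from its upstream; if these two are listed for background rather than implemented, a short annotation would keep the index from overstating what the stub resolver does.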