improving latency of nameserver chasing
When chasing addresses of nameservers, kresd by default only trusts glue addresses if in bailiwick of the zone we asked. This isn't optimal even in some common cases, e.g. com
and net
TLD zones are served by the same set of servers, so when a delegation from either has NS
records from the other, we could safely trust the glue. Doing this check generally won't be trivial, but it might be worth the latency gains on cold cache; some nameservers cause us to chase through multiple zones until we find a trusted glue.
On a related note, we might also accept the glue if the child zone is signed. (seems easier to implement)