Fix #1378 - Switch to stub resolver, remove pyunbound

[mxsasha]

Fun discoveries so far:

• IPv6 NS connectivity check just checks if port 53 TCP is open. Not whether it's DNS, that's only checked when we fall back to UDP.
• Precheck for mail says in the UI it looks for SOA, but it actually checks if any record exists at the label. It queries for SOA, but accepts NOANSWER.
• It looks like we check MX dnssec by asking for the SOA? We don't check if the actual MX record is secure? See Check for A/AAAA/MX DNSSEC records #283 too.
• The DNSSEC test says: "If a domain redirects to another domain via CNAME, then we also check if the CNAME domain is signed (which is conformant with the DNSSEC standard). If the CNAME domain is not signed, the result of this subtest will be negative.". I have been unable to locate any code that does this. No guarantees, it is possible I overlooked it.

TODO:

• Inline todo's
• Review
• Remove permissive resolver
• Remove or document remaining cb_data use (might clash with TLS branch and need to be left for later)
• Remove compatibility shim after updating to dnspython 2.7 in Update all python deps, drop py3.7 pins #1610
• Check do_resolve_aaaa rename to do_resolve_single_aaaa
• Add to changelog
• Fix up commits

[bwbroersma]

🎉 Great work!
Now IPV4_IP_RESOLVER_INTERNAL_PERMISSIVE is only 'used' on these two spots:

• Internet.nl/interface/management/commands/api_check_ipv6.py

  Line 23 in 972bcbb

  f"Using unbound at: {settings.IPV4_IP_RESOLVER_INTERNAL_PERMISSIVE}."

• Internet.nl/integration_tests/develop/test_resolvers.py

  Line 33 in 972bcbb

  "app", "ldns-dane -n -T verify internet.nl 443 -r $IPV4_IP_RESOLVER_INTERNAL_PERMISSIVE"

So I would say it's not really used (at least in production).
Not sure if the first message is even right, and the second can probably be rewritten. Then the whole resolver-permissive container (and config) can be removed, which would be nice.

[bwbroersma]

So this refactor the IPv6 connectivity:

• leaves the TCP 53 port check in (as first method)
• changes DNS resolving from unbound (with forward) to stub, can this somehow form an issue?

[bwbroersma]

BTW this refactor also centralizes DNS queries in dns_resolve.
So logging all DNS queries, including if they are valid DNSSEC, can be done more easily:

Internet.nl/checks/resolver.py

Lines 99 to 104 in 972bcbb

	def dns_resolve(qname: str, rr_type: RdataType, allow_bogus=True, raise_on_no_answer=True):
	answer = _get_resolver().resolve(dns.name.from_text(qname), rr_type, raise_on_no_answer=raise_on_no_answer)
	dnssec_status = DNSSECStatus.from_message(answer.response)
	if dnssec_status == DNSSECStatus.BOGUS and not allow_bogus:
	raise ValidationFailure()
	return answer.rrset, dnssec_status