richfelker/mxclient

DANE-TA mode "2 0 0" doesn't work with CA cert omitted from chain sent in TLS handshake

richfelker opened this issue · 0 comments

RFC 7671 introduced a new allowance (section 5.2) that servers may omit the trust anchor certificate from the cert chain sent to the client if it's included in full (not hash) in the TLSA record and all TLSA records are of this form ("2 0 0"). This is a rather awful usage, since it requires gigantic DNS messages, but it should be supported since the standard allows it. I believe the right way to do it is by pre-processing the TLSA records to put the trust anchor(s) they define into a chain to pass into br_ssl_client_init_full. I'm not doing it yet since this is a low-priority feature, but documenting it here so it can be done later.
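The pre-processing step described in the issue, as an added example that is not mxclient's code and uses nothing from BearSSL: it walks the TLSA RRset in RFC 6698 wire layout (usage, selector, matching type, then the association data), decides whether the RFC 7671 section 5.2 allowance applies (every record is "2 0 0"), and hands back the DER certificates that would then serve as trust anchors instead of anything the server sends. The struct names, function names and the sample records are constructed for illustration, not real DNS data; the last step of decoding each DER blob into a `br_x509_trust_anchor` for `br_ssl_client_init_full` is left to the caller.

```c
#include <stddef.h>
#include <stdio.h>

/* Raw TLSA RDATA as handed back by the resolver (RFC 6698 section 2.1). */
struct tlsa_rr { const unsigned char *rdata; size_t rdlen; };

/* Parsed view of one record; data points into the RDATA. */
struct tlsa_fields {
    unsigned usage, selector, mtype;
    const unsigned char *data;
    size_t datalen;
};

static int tlsa_parse(const struct tlsa_rr *rr, struct tlsa_fields *f)
{
    if (rr->rdlen < 3) return -1;          /* too short to hold the three header bytes */
    f->usage = rr->rdata[0];
    f->selector = rr->rdata[1];
    f->mtype = rr->rdata[2];
    f->data = rr->rdata + 3;
    f->datalen = rr->rdlen - 3;
    return 0;
}

/* Matching type Full(0) with selector Cert(0) carries a whole DER certificate,
 * i.e. exactly one outer SEQUENCE TLV. Reject truncated or padded data before
 * it reaches an X.509 decoder; this does not validate the certificate. */
static int der_is_one_sequence(const unsigned char *p, size_t n)
{
    size_t hdr, len;
    if (n < 2 || p[0] != 0x30) return 0;
    if (p[1] < 0x80) { len = p[1]; hdr = 2; }
    else {
        unsigned nb = p[1] & 0x7f;
        if (nb == 0 || nb > sizeof(size_t) || n < 2 + nb) return 0;
        len = 0;
        for (unsigned i = 0; i < nb; i++) len = (len << 8) | p[2 + i];
        hdr = 2 + nb;
    }
    return len <= n - hdr && hdr + len == n;
}

/* RFC 7671 section 5.2: the server may omit the trust anchor from its chain
 * only when every TLSA record is "2 0 0" (DANE-TA, Cert, Full). Returns the
 * number of DER trust anchors stored in out[] when that holds, 0 when some
 * record has another form (the TA must then come from the handshake chain),
 * and -1 when a record is malformed or out[] is too small. */
static int tlsa_collect_full_tas(const struct tlsa_rr *rrs, size_t n,
                                 struct tlsa_fields *out, size_t outmax)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        struct tlsa_fields f;
        if (tlsa_parse(&rrs[i], &f) < 0) return -1;
        if (f.usage != 2 || f.selector != 0 || f.mtype != 0) return 0;
        if (!der_is_one_sequence(f.data, f.datalen)) return -1;
        if (count == outmax) return -1;
        out[count++] = f;
    }
    return (int)count;
}

/* Constructed sample RDATA (not real DNS data). The "certificates" are tiny
 * DER SEQUENCEs standing in for real X.509 encodings. */
static const unsigned char ta1[]     = {2,0,0, 0x30,0x03,0x02,0x01,0x05};
static const unsigned char ta2[]     = {2,0,0, 0x30,0x04,0x04,0x02,0xaa,0xbb};
static const unsigned char ee_hash[] = {3,1,1, 0xde,0xad,0xbe,0xef}; /* hash shortened; not inspected */
static const unsigned char ta_cut[]  = {2,0,0, 0x30,0x03,0x02,0x01}; /* length says 3, only 2 follow */

int demo_all_full(void)    /* both records are 2 0 0: two anchors, chain may omit the TA */
{
    struct tlsa_rr rrs[] = { {ta1, sizeof ta1}, {ta2, sizeof ta2} };
    struct tlsa_fields tas[4];
    return tlsa_collect_full_tas(rrs, 2, tas, 4);
}

int demo_mixed(void)       /* a 3 1 1 record is present: 0, the TA must be in the chain */
{
    struct tlsa_rr rrs[] = { {ta1, sizeof ta1}, {ee_hash, sizeof ee_hash} };
    struct tlsa_fields tas[4];
    return tlsa_collect_full_tas(rrs, 2, tas, 4);
}

int demo_truncated(void)   /* DER length overruns the association data: -1 */
{
    struct tlsa_rr rrs[] = { {ta_cut, sizeof ta_cut} };
    struct tlsa_fields tas[4];
    return tlsa_collect_full_tas(rrs, 1, tas, 4);
}

int main(void)
{
    printf("all 2 0 0:  %d\n", demo_all_full());
    printf("mixed:      %d\n", demo_mixed());
    printf("truncated:  %d\n", demo_truncated());
    return 0;
}
```

The anchors this returns are DER blobs; to use them with `br_ssl_client_init_full` each one still has to be decoded into a `br_x509_trust_anchor` (subject DN plus public key), which is what BearSSL's `br_x509_decoder` API and the `brssl` tool's trust-anchor conversion do. Note that a malformed record makes the whole RRset unusable here rather than being skipped, so a single bad "2 0 0" record fails closed instead of silently dropping a trust anchor.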