    kubernetes: never respond with NXDOMAIN for authority label (#2769) · e178291e
    Billie Cleek authored
    * kubernetes: never respond with NXDOMAIN for authority label
    
    Return a nodata response when trying to resolve the authority's label
    for a record type that doesn't match the record type of the authority.
    
    This guards against poisoning the authority record by requesting the
    wrong record type for the authority label. For instance, given an
    authoritative resolver that uses subdomain delegation for Kubernetes
    services of a cluster that's configured to use IPv4, the parent may be
    poisoned by querying it for the authority label of the cluster subdomain
    with a AAAA record type, which would otherwise (i.e. without this
    change) return an NXDOMAIN. That is, given
    	cluster.example.com        NS 10800 ns.dns.cluster.example.com
    	ns.dns.cluster.example.com A  10800 10.0.1.2
    The parent may be poisoned for the SOA TTL by querying it for a AAAA
    record of ns.dns.cluster.example.com, causing the parent to fail to
    delegate properly until the SOA TTL lapses.
    
    * kubernetes: add tests for authority queries
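
The caching effect the commit message describes, as an added example that is not code from the CoreDNS project: a toy model of the parent's negative cache, which under RFC 2308 stores NXDOMAIN per name and NODATA per (name, type). The `answer`, `negCache` and `DelegationSurvives` names are hypothetical, the records are the ones from the message, and TTL expiry is left out.

```go
package main

import "fmt"

// Constructed zone data: the example records from the commit message.
const authority = "ns.dns.cluster.example.com."
var records = map[string]string{authority + "/A": "10.0.1.2"}

// answer models the cluster's authoritative server (hypothetical helper).
// nodataFix=false is the pre-change behaviour the commit message describes.
func answer(name, qtype string, nodataFix bool) (string, string) {
	if data, ok := records[name+"/"+qtype]; ok {
		return "NOERROR", data
	}
	if name == authority && nodataFix {
		return "NOERROR", "" // NODATA: the name exists, just not with this type
	}
	return "NXDOMAIN", ""
}

// negCache models negative caching in the parent resolver (RFC 2308):
// NXDOMAIN is remembered per name, NODATA per (name, type).
type negCache struct{ nxdomain, nodata map[string]bool }

func (c *negCache) resolve(name, qtype string, nodataFix bool) (string, string) {
	if c.nxdomain[name] {
		return "NXDOMAIN", "" // cached answer covers every record type
	}
	if c.nodata[name+"/"+qtype] {
		return "NOERROR", ""
	}
	rcode, data := answer(name, qtype, nodataFix)
	if rcode == "NXDOMAIN" {
		c.nxdomain[name] = true
	} else if data == "" {
		c.nodata[name+"/"+qtype] = true
	}
	return rcode, data
}

// DelegationSurvives looks up AAAA first, then the A record delegation needs.
func DelegationSurvives(nodataFix bool) bool {
	c := &negCache{map[string]bool{}, map[string]bool{}}
	c.resolve(authority, "AAAA", nodataFix)
	_, data := c.resolve(authority, "A", nodataFix)
	return data == "10.0.1.2"
}

func main() { fmt.Println(DelegationSurvives(false), DelegationSurvives(true)) }
```

With the pre-change behaviour the cached NXDOMAIN hides the A record, so the second lookup fails; with the NODATA response only the AAAA miss is cached and the A lookup still succeeds.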
kubernetes.go 15.3 KB