
Use monotonic SOA serial numbers, enforced by 12-confirmation "safe height" for tree roots

Open pinheadmz opened this issue 2 years ago • 0 comments

Closes #690

Implementation of https://github.com/handshake-org/hsd/issues/690#issuecomment-1062079903:

  1. Like SPV node, Full Node should wait 12 confirmations after each Urkel Tree update before resolving records from the updated root zone. (see getSafeRoot() in chain.js)

  2. The SOA serial should be the timestamp in the first block header after each tree update (i.e. the first block header to commit to the updated tree root hash, which according to (1) was at least 11 blocks ago)

  3. The hsd (and hnsd) root server should send REFUSED (or is there something better?) until the chain is "synced", which means the timestamp in the chain tip (most recent block) is within the last 6 hours. This is a different definition of "synced" than is used elsewhere in the code, that's OK.

This will:

  • prevent old records from being served while a node is still syncing
  • guarantee that SOA serial is always increasing, and only changes when the root zone actually changes
    • even if there is a chain reorg, but only if that reorg is < 12 blocks deep (which is like, we got bigger problems then)
  • synchronize the responses from full and light nodes
    • HNS users will have to get used to an extra 2-hour wait when updating records on chain 😬

TODO: ~~[ ] Add EDNS error code (will require update to bns as well): suggested by @buffrr~~ <- This will be handled in a future PR once https://github.com/chjj/bns/pull/37 is reviewed and merged.

pinheadmz, Sep 05 '22 22:09