IPIP: include ipns-record in Gateway CAR responses

[lidel]

IPIP-351: IPNS Signed Records Response Format on HTTP Gateways will return a raw IPNS record, allowing a custom light client to verify IPNS without having to run DHT client.

Users asked for the ability to export both CIDs and IPNS record into a CAR, transport over sneakernet and load this on airgapped node, which is a good use case.

Another use case is Decentralized Gateway WG, which could benefit from the ability to have a single round-trip that includes full or partial CAR with content + ipns-record.

Broad strokes UX we want to accommodate:

$ curl http://gateway.foo/ipns/{id}?format=car&something > ipns-site-dump.car
$ ipfs import ipns-site-dump.car # imaginary command that goes beyond DAGs 
$ ipfs resolve /ipns/{id}   # works, even in offline mode
$ ipfs dag stat  /ipns/{id} # works, even in offline mode

Initial notes / subtasks

### Tasks
- [x] need to add a new `ipns-record` codec, to indicate special meaning of this additional block. Done:  https://github.com/multiformats/multicodec/pull/312
- [ ] Extend [Trustless Gateway spec](https://specs.ipfs.tech/http-gateways/trustless-gateway/) to support  verifiable responses of  `/ipns/{libp2p-key}` paths: decide if returned CAR should include two roots. One for data, second for `ipns-record` block. Specify if ipfs-records should be at the beginning of the CAR returned by `/ipns/{id}?format=car[&something?]` - to allow quick validation of response without wasting time for hashing invalid blocks that do not belong to CID in IPNS record.
- [ ] Kubo CLI should have top level `import` / `export` that operates on content paths (instead of raw dags like `ipfs dag` versions), include all parent blocks and not just the final terminating element recursively, and be smart enough to use `ipns-record` and import it to local namesys cache if a block with ipns-record codec is present in a CAR

cc @hacdias (for now just fyi, tbd if this is something we need to prioritize for Saturn work any time soon)