resolved: implement RFC5452

This improves the resilience against cache poisoning by being stricter
about only accepting responses that match precisely the requst they
are in reply to.

It should be noted that we still only use one port (which is picked
at random), rather than one port for each transaction. Port
randomization would improve things further, but is not required by
the RFC.