Follow-up from "Draft: Resolve "XoT xfrin""
The following discussion from !4571 (merged) should be addressed:
- @each started a discussion: Rebased, squashed, pushed some suggestions, including CHANGES, release note, documentation (which may not be very good; I'm not sure I have the TLS terminology correct), added setter/getter functions for a few things that were left out, and a few other bits and bobs.

  I think `dns_transport` should be `isc_transport` so that it can be used with the netmgr and as a parameter to `isc_tlsctx_createserver()`. I almost made that change already but decided to leave it for now so that it would be easier to review the changes I've already made (moving a file makes it harder to read diffs).

  We urgently MUST create key and cert files so that we can test with something other than "ephemeral" in the system tests. I suspect non-ephemeral configurations may not work for DoT currently, and I'm certain they don't work for XoT.

  I'm about to reveal some possibly-embarrassing ignorance about TLS: does it make sense to reference `tls` statements in `primaries`? `isc_tlsctx_createclient()` doesn't take any parameters, so I'm not sure what `tls <anything-but-ephemeral>` would even do. (I already confirmed it's basically a no-op by configuring it with "tls whatever", a configuration that uses /dev/null for both key and cert files, and it worked fine.)

  So, is configuring client-side TLS parameters a thing we want to be able to do but haven't implemented yet? Or is it a thing nobody ever does, and we should revise the syntax so as not to imply it's possible?
would even do. (I already confirmed it's basically a no-op by configuring it with "tls whatever", a configuration that uses /dev/null for both key and cert files, and it worked fine.)So, is configuring client-side TLS parameters a thing we want to be able to do but haven't implemented yet? Or is it a thing nobody ever does, and we should revise the syntax so as not to imply it's possible?