
Add DANE-TA(2) support

Open buffrr opened this issue 4 years ago • 1 comment

While PKIX certificate usages are optional, for a complete DANE implementation we should support DANE-TA(2). This is useful for server administrators who would like to pin a self-signed CA instead of pinning an individual end-entity certificate for each service.

From RFC 7671:

Some domains may prefer to avoid the operational complexity of publishing unique TLSA RRs for each TLS service. If the domain employs a common issuing CA to create certificates for multiple TLS services, it may be simpler to publish the issuing authority as a TA for the certificate chains of all relevant services. The TLSA query domain (TLSA base domain with port and protocol prefix labels) for each service issued by the same TA may then be set to a CNAME alias that points to a common TLSA RRset that matches the TA.

buffrr avatar Apr 26 '21 20:04 buffrr

RFC7671 also says that DANE-TA(2) and DANE-EE(3) certificate usages are RECOMMENDED.

https://datatracker.ietf.org/doc/html/rfc7671#section-4

Designs in which clients support just the DANE-TA(2) and DANE-EE(3) certificate usages are RECOMMENDED. With DANE-TA(2) and DANE-EE(3), clients don't need to track a large changing list of X.509 TAs in order to successfully authenticate servers whose certificates are issued by a CA that is brand new or not widely trusted.

yagikota avatar Oct 26 '23 07:10 yagikota
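To make the difference between the two recommended usages concrete, here is an added example (not letsdane's code) of the RFC 7671 matching rules: DANE-EE(3) pins the leaf, DANE-TA(2) pins an issuer in the chain and still requires a PKIX path from that issuer, and the CNAME-alias pattern quoted above lets several services share one TLSA RRset. Certificates are constructed stand-in records, the `zone` dict is a constructed stand-in for DNS, and PKIX path validation from the matched TA is a caller-supplied callback, all assumptions for the example.

```python
# Added example, not letsdane's code: RFC 7671 matching for DANE-TA(2)
# and DANE-EE(3) over a constructed chain. Certs are stand-in records and
# PKIX path validation from the matched TA is a caller-supplied callback.
import hashlib
from dataclasses import dataclass
from typing import Callable, Sequence

@dataclass(frozen=True)
class Cert:
    der: bytes   # full certificate (selector 0)
    spki: bytes  # SubjectPublicKeyInfo (selector 1)

@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (0/1 are the PKIX usages)
    selector: int  # 0 = full cert, 1 = SPKI
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

def sha256_rr(usage: int, selector: int, blob: bytes) -> TLSA:
    return TLSA(usage, selector, 1, hashlib.sha256(blob).digest())

def rr_matches(rr: TLSA, cert: Cert) -> bool:
    blob = cert.der if rr.selector == 0 else cert.spki
    if rr.mtype == 0:
        return blob == rr.data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}.get(rr.mtype)
    return digest is not None and digest(blob).digest() == rr.data

def tlsa_rrset(qname: str, zone: dict) -> tuple:
    # Follow CNAME aliases: one shared RRset can serve many services.
    seen = set()
    while isinstance(zone.get(qname), str):  # a str value is a CNAME target
        if qname in seen:
            raise ValueError("CNAME loop at " + qname)
        seen.add(qname)
        qname = zone[qname]
    return zone.get(qname, ())

def dane_verify(chain: Sequence[Cert], rrset: Sequence[TLSA],
                pkix_from_ta: Callable[[Cert, Sequence[Cert]], bool]) -> bool:
    # chain[0] is the end entity, chain[1:] the issuers the server sent.
    for rr in rrset:
        if rr.usage == 3 and rr_matches(rr, chain[0]):
            return True  # DANE-EE pins the leaf itself; no PKIX path needed
        if rr.usage == 2:  # DANE-TA pins an issuer present in the chain
            for ta in chain[1:]:
                if rr_matches(rr, ta) and pkix_from_ta(ta, chain):
                    return True
    return False  # PKIX-TA(0) and PKIX-EE(1) are deliberately not handled
```

A trust anchor that is absent from the server's chain (possible with a full-certificate, exact-match record) is not handled here; a real verifier would use the record data itself as the TA in that case.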