Fix knot startup on ns1/ns2: TSIG key perms and port 53 conflict

knotd runs as the "knot" user, so the shared TSIG key file needs
owner/group knot — it was root-only and knot couldn't read it.

systemd-resolved's stub listener was holding port 53, so knot's
0.0.0.0@53 / ::@53 TCP bind failed. Disable the stub (resolution
still works via nss-resolve) to free the port.
Berwn
2026-06-14 14:49:10 +07:00
parent 9de95b4fb5
commit 56f0af3153
+10 -1
@@ -9,7 +9,12 @@ in
# this module, so primary and secondary authenticate transfers with the same key.
clan.core.vars.generators.dns-tsig = {
share = true;
files."tsig.conf".secret = true;
files."tsig.conf" = {
secret = true;
# knotd drops to the "knot" user, so the included key must be readable by it.
owner = "knot";
group = "knot";
};
runtimeInputs = [ pkgs.knot-dns ];
script = ''
keymgr -t cnx_xfr hmac-sha256 > "$out"/tsig.conf
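Review bot: The new `files."tsig.conf"` block sets `owner`/`group` to knot but leaves the file's permission bits at the generator's default, so readability by the knot group (and anything else in it) depends on a default defined elsewhere rather than on this module. Since this is a shared secret deployed to both primary and secondary, pin the mode next to the ownership if the vars file options expose it, e.g. `mode = "0400";` with the comment `# only knotd itself needs to read the key; keep it out of group/world reach`. If no such option exists, a comment stating the default mode the secret is installed with would let a reader verify the exposure without opening the vars module. The enclosing module body (`in` block) starts outside the hunk.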
@@ -19,6 +24,10 @@ in
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
# knot binds 0.0.0.0@53 and ::@53, so free port 53 by disabling the
# systemd-resolved stub listener. Resolution still works via nss-resolve.
services.resolved.extraConfig = "DNSStubListener=no";
services.knot = {
enable = true;
# Including the key via keyFiles keeps the secret out of the Nix store.