launch hardening: TC bit, Dockerfile, platform-aware deploy

- Set TC (truncation) bit when response exceeds 4096-byte buffer
  instead of dropping the response silently. Clients can retry via TCP.
- Log when upstream response is truncated in forward.rs.
- Dockerfile: bump to Rust 1.88, include site/service files, use
  alpine runtime instead of scratch, add cmake/perl for aws-lc-sys.
- Makefile deploy: platform-aware — codesign on macOS, systemctl on Linux.
- README: trim roadmap to near-term items only.
- Verified: Docker build + smoke test passes on Linux (Alpine musl).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/ctx.rs

@@ -150,8 +150,17 @@ pub async fn handle_query(
     );
 
     let mut resp_buffer = BytePacketBuffer::new();
-    response.write(&mut resp_buffer)?;
-    ctx.socket.send_to(resp_buffer.filled(), src_addr).await?;
+    if response.write(&mut resp_buffer).is_err() {
+        // Response too large for UDP — set TC bit and send header + question only
+        debug!("response too large, setting TC bit for {}", qname);
+        let mut tc_response = DnsPacket::response_from(&query, response.header.rescode);
+        tc_response.header.truncated_message = true;
+        let mut tc_buffer = BytePacketBuffer::new();
+        tc_response.write(&mut tc_buffer)?;
+        ctx.socket.send_to(tc_buffer.filled(), src_addr).await?;
+    } else {
+        ctx.socket.send_to(resp_buffer.filled(), src_addr).await?;
+    }
 
     // Record stats and query log
     {