rec: Only check the netmask for subnet specific cache entries

rec: Only check the netmask for subnet specific cache entries

We used to check the netmask for all entries for a qname
if at least one of them was a subnet specific one. Since an empty
`Netmask` doesn't match anything, we would effectively ignore every
non subnet specific entries if we had at least one subnet specific
one.
This caused a very hard to reproduce issue with for example
f.root-servers.net that includes an EDNS Client Subnet option in its
answer for `NS .` if the query has an EDNS Client Subnet option.
This caused the recursor to cache a subnet specific entry for `NS .`.
When that entry expired, we retrieved and cached a non subnet specific
one, but that new one was ignored as long as the subnet specific
was not expunged from the cache.
Under certain circumstances that could cause a root refresh loop
using a lot of stack memory.