Currently if the client examines a list of TAIs for a server (either via DNS SVCB, previous Encrypted Extensions, or any yet to be determined means) we do not say what the client should do as a result.
If the client decides it does not have a common intersection with this list it is free to:
A) send an empty TAI extension, and hope the other end sends it updated information where it might now have an option
B) send no TAI extension, to force the other end to do their legacy behaviour, relying on being able to path build its way to a ubiquitous trust anchor from what the server sends it in the fallback case.
If a server decides for whatever reason to not advertise a full list of trust anchors, it cannot rely on the client retrying if the client decides to fall back to the legacy behaviour.
Not sure if this is fine, or not.