Apply review fixes: validation, idempotency, SOA dedup, startup cleanup

- Migration v2: INSERT → INSERT OR IGNORE for idempotency
- Config: validate server.tls_cert and server.tls_key are non-empty
- gRPC: add input validation matching REST handlers
- gRPC: add logger to zone/record services, log timestamp parse errors
- REST+gRPC: extract SOA defaults into shared db.ApplySOADefaults()
- DNS: simplify SOA query condition (remove dead code from precedence bug)
- Startup: consolidate shutdown into shutdownAll(), clean up gRPC listener
  on error path, shut down sibling servers when one fails

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/dns/server.go

@@ -116,8 +116,8 @@ func (s *Server) handleAuthoritativeQuery(w dns.ResponseWriter, r *dns.Msg, zone
 		relName = strings.TrimSuffix(qname, "."+zoneFQDN)
 	}
 
-	// Handle SOA queries.
-	if qtype == dns.TypeSOA || relName == "@" && qtype == dns.TypeSOA {
+	// SOA queries always return the zone apex SOA regardless of query name.
+	if qtype == dns.TypeSOA {
 		soa := s.buildSOA(zone)
 		s.writeResponse(w, r, dns.RcodeSuccess, []dns.RR{soa}, nil)
 		return