Change rules for retrying guards (and marking them broken)

This branch partially solves #404 (closed), #407 (closed), and #406 (closed) by achieving several goals:

• Making guard retries use decorrelated jitter.
• Making the all-guards-are-down response not retry all guards immediately.
• Tracking our sources of directory information better.
• Treating some kinds of directory failure as indicating directory cache failure.

It isn't done yet, because it also needs to take FallbackDir into account, which is not a directory guard.

(Passing review to @Diziet since Eta's mostly out today.)