TLS for name owners: document tls-record placement patterns #757

Open
mstrofnone wants to merge 1 commit into namecoin:beta from mstrofnone:tls-docs/placement-patterns
Conversation

@mstrofnone

Adds a new ## Where to Place the tls Record section to docs/name-owners/tls/index.md, placed just before the existing ## TLS and NS Records section.

The page currently shows TLSA placement implicitly through examples (map["*"].tls at the apex in The Basics, deeper placements in Issuing a Non-Subordinate CA Certificate for a Subdomain) but never spells out the placement rules or the wildcard-inheritance trap that bites name owners running multiple CAs in one zone.

The new section documents two named patterns:

  • Pattern A — single CA for the whole zone (recommended): one TLSA at the apex map["*"]. Minimizes on-chain bytes and is the default everyone should aim for.
  • Pattern B — subdomain pinned to a different CA: shows that the subdomain needs its own tls and a re-pinned inner map["*"].tls, because deeper hosts under that subdomain would otherwise fall back to the outer wildcard and validate against the wrong CA.

No examples or other sections are rewritten. Purely additive. Same TLSA JSON shape used everywhere else on the page (Hashed mode, [2, 1, 1, "<hash>"]).
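The wildcard-inheritance trap described in the PR, modelled as an added Python example (not code from the Namecoin docs or from ncdns): the lookup implements the fallback behaviour exactly as the description states it, the zone documents are constructed, and the hash strings are placeholders.

```python
"""Model of tls-record placement: Pattern A, Pattern B with the
inheritance trap, and Pattern B with the inner wildcard re-pinned.
Constructed example; inheritance rule assumed as the PR describes it."""
import copy

# Pattern A: one CA for the whole zone, pinned once at the apex wildcard.
PATTERN_A = {
    "map": {"*": {"tls": [[2, 1, 1, "<ZONE_CA_HASH>"]]}},
}

# Pattern B, incomplete: "ops" pinned to its own CA, but no inner
# map["*"].tls, so deeper hosts under "ops" inherit the apex wildcard.
PATTERN_B_TRAP = {
    "map": {
        "*":   {"tls": [[2, 1, 1, "<ZONE_CA_HASH>"]]},
        "ops": {"tls": [[2, 1, 1, "<OPS_CA_HASH>"]]},
    },
}

# Pattern B, correct: inner wildcard re-pinned to the subdomain CA.
PATTERN_B_FIXED = copy.deepcopy(PATTERN_B_TRAP)
PATTERN_B_FIXED["map"]["ops"]["map"] = {
    "*": {"tls": [[2, 1, 1, "<OPS_CA_HASH>"]]},
}


def effective_tls(zone, host):
    """Return the tls records applying to host ("api.ops" style labels,
    relative to the name).  Walk from the apex towards the host; at each
    level prefer an explicit label, then that level's "*", and otherwise
    fall back to the nearest enclosing wildcard (the inheritance trap)."""
    node = zone
    inherited = None          # nearest enclosing map["*"] seen so far
    labels = [lab for lab in reversed(host.split(".")) if lab]
    for label in labels:
        submap = node.get("map", {})
        if "*" in submap:
            inherited = submap["*"]
        if label in submap:
            node = submap[label]
        elif "*" in submap:
            node = submap["*"]
        else:
            node = inherited  # no entry here: outer wildcard wins
        if node is None:
            return None
    return node.get("tls")
```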
