InfrastructureServices / dnsconfd

Local DNS caching services configuration daemon.

Have a filter on accepted domains provided by networks #73

Open pemensik opened 5 hours ago

pemensik commented 5 hours ago

In modes where we allow redirection of sub-domains to network-provided DNS servers, we may want to restrict what domains are accepted. Currently there is no simple way to trust just some kinds of domains or authenticate them in some way.

Right now we would allow anything to be redirected, which might not be safe. That was the main reason why dnssec-trigger did not add such domains into search in resolv.conf.

We may want to differentiate between routing-domains provided by a trusted administrator, who writes them into the connection specified. At all times, they should be considered secured. But domains received by DHCP or router advertisement should not be trusted the same way. Now we have no way to differentiate between user-specified and network-received domains from NM.

pemensik commented 5 hours ago

The thing is, we may want a connection marked trusted to specify redhat.com, but we may not want the same domain provided by public networks on trains or in airports or hotels.

pemensik commented 4 hours ago

Another draft reference: https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/

pemensik commented 4 hours ago

We have a Python module in Fedora: python3-publicsuffix2.noarch
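
A sketch of the kind of filter this issue asks for, added here as an example; it is not part of the thread and not dnsconfd code. The source labels (`connection`, `dhcp`, `ra`), the reserved list, the function names and the small suffix set (a constructed stand-in for the Public Suffix List that a module such as publicsuffix2 would supply) are all assumptions.

```python
# Added illustration; every name and list below is hypothetical.
TRUSTED_SOURCES = {"connection"}   # domains written by the administrator
# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}
# Domains that only a trusted connection may claim (constructed policy).
RESERVED = {"redhat.com"}


def normalize(domain):
    """Lower-case the name and drop the trailing root dot."""
    return domain.strip().lower().rstrip(".")


def is_subdomain_or_equal(domain, parent):
    """Label-aligned match, so 'notredhat.com' is not under 'redhat.com'."""
    return domain == parent or domain.endswith("." + parent)


def accept_domain(domain, source):
    """Return (accepted, reason) for one domain offered by `source`."""
    name = normalize(domain)
    if source in TRUSTED_SOURCES:
        return True, "administrator-specified"
    if name == "":
        return False, "root domain offered by an untrusted network"
    if name in PUBLIC_SUFFIXES or "." not in name:
        return False, "public suffix or single-label name"
    for parent in RESERVED:
        if is_subdomain_or_equal(name, parent):
            return False, "reserved for trusted connections: " + parent
    return True, "network-provided, passed filter"


def filter_offers(offers):
    """Keep the accepted names from a list of (domain, source) pairs."""
    return [normalize(d) for d, s in offers if accept_domain(d, s)[0]]


# Constructed sample input: the same domain from different sources.
SAMPLE_OFFERS = [
    ("redhat.com", "connection"),   # trusted profile: accepted
    ("redhat.com", "dhcp"),         # public network: rejected
    ("corp.redhat.com.", "ra"),     # subdomain of reserved: rejected
    ("com", "dhcp"),                # public suffix: rejected
    ("hotel-wifi.example", "dhcp"), # local name: accepted
]
```
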