path: root/man/resolved.conf.xml
author: Lennart Poettering <lennart@poettering.net> 2016-01-05 22:13:56 +0100
committer: Lennart Poettering <lennart@poettering.net> 2016-01-05 22:13:56 +0100
commit: d33b6cf343f5a1e073c3060878d2cc5fed54d150 (patch)
tree: 815e916b2e147681b2eb532322703d3bd365c989 /man/resolved.conf.xml
parent: 105f6c4bdcdd9c7233370f1bc143913d5ab0d099 (diff)
download: systemd-d33b6cf343f5a1e073c3060878d2cc5fed54d150.tar.gz
resolved: try to detect fritz.box-style private DNS zones, and downgrade to non-DNSSEC mode for them
This adds logic to detect cases like the Fritz!Box routers which serve a private DNS domain "fritz.box" under the TLD "box" that does not exist in the root servers. If this is detected, DNSSEC validation is turned off for this private domain, thus improving compatibility with such private DNS zones. This should be fairly secure as we first rely on the proof that .box does not exist before this logic is applied. Nevertheless the logic is only enabled for DNSSEC=allow-downgrade mode. This logic does not work for routers that set up a full DNS zone directly under a non-existing TLD, as in that case we cannot prove that the domain is truly non-existing according to the root servers.
Diffstat (limited to 'man/resolved.conf.xml')
-rw-r--r-- man/resolved.conf.xml 9
1 files changed, 9 insertions, 0 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 3209f73bc1..5da2d5488e 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -203,6 +203,15 @@
setting is in effect, unless it is unset in which case the
global setting is used instead.</para>
+ <para>Site-private DNS zones generally conflict with DNSSEC
+ operation, unless a negative (if the private zone is not
+ signed) or positive (if the private zone is signed) trust
+ anchor is configured for them. If
+ <literal>allow-downgrade</literal> mode is selected, it is
+ attempted to detect site-private DNS zones using top-level
+ domains (TLDs) that are not known by the DNS root server. This
+ logic does not work in all private zone setups.</para>
+
<para>Defaults to off.</para>
</listitem>
</varlistentry>
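Review bot: the closing sentence of the new paragraph, "This logic does not work in all private zone setups.", leaves the reader guessing which setups are covered; the commit message is more precise, so consider carrying that into the man page: detection only applies when the private zone sits below a TLD unknown to the root (as with fritz.box under .box) and cannot help when the private zone is itself the TLD, since the root servers then cannot prove the name does not exist. It would also help to say that the downgrade is keyed on a validated proof of non-existence from the root rather than on a plain "not known" answer, because that proof is what the commit message cites as making the downgrade fairly secure; a reader weighing `allow-downgrade` against `yes` needs that detail. Minor style point: "it is attempted to detect site-private DNS zones" is an awkward passive; "systemd-resolved will attempt to detect site-private DNS zones" reads more naturally.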