dnssec-validation exception domains

We've had a feature request on the back burner list for a long while: The ability to permanently configure the equivalent of a negative trust anchor so that local fake TLDs like "corp" or "home" can be used without triggering validation failures due to their nonexistence at the root.

I implemented this over the weekend. No particular urgency about it, we might even decide it's not a good idea, but I'm opening an issue so I can push an associated MR for further discussion.