Add DNS default route as option per connection
VPNs, particularly corporate VPNs, use a split DNS system to publish corporate internal resources only via corporate addresses. A consultant connecting to a client and to their own company needs to access both internal resources. Because each set of DNS servers is unaware of the other's internal DNS records, the resolution by one set of default DNS servers is impossible. This can also apply to wired, wireless and other connections.
systemd-resolved added a "DNS Default Route" to each "Link" in v240 (https://github.com/systemd/systemd/pull/11050). This results in the domains for a connection acting as a whitelist of domains that are to use the nameservers provided for this connection.
The dbus method is SetLinkDefaultRoute(link (integer), value (boolean))
(more dbus documentation was just requested https://github.com/systemd/systemd/issues/13799, however https://www.freedesktop.org/software/systemd/man/resolvectl.html#dns%20%5BLINK%20%5BSERVER%E2%80%A6%5D%5D and https://www.freedesktop.org/software/systemd/man/systemd.network.html#DNSDefaultRoute= cover the behaviour).
As a feature request to NetworkManager I'd like to set this boolean (to false from the default of true) for a number of connections.
This need not be a dns=systemd-resolved only service. unbound can do this same thing it seems with unbound-control forward_add {zone} {addr} (https://linux.die.net/man/8/unbound-control) which is how vpnc-script (http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script) does it.
Another per link/server option available to both providers is DNSSEC enabled/disabled/allow-downgrade.
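
A simplified model of the per-link routing rule described above, added here as an illustration; it is not code from systemd, NetworkManager or the author of this request, and it leaves out other rules that systemd-resolved applies. The `Link` class, the `route` function, and the interface names, domains and addresses are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    name: str
    servers: list
    domains: list = field(default_factory=list)  # domains configured on the link
    default_route: bool = True                   # the "DNS Default Route" flag

def _match_len(qname, domain):
    """Labels in `domain` if it is a suffix of `qname`, else -1."""
    q = qname.rstrip(".").lower().split(".")
    labels = domain.lstrip("~").rstrip(".").lower().split(".")
    return len(labels) if q[-len(labels):] == labels else -1

def route(qname, links):
    """Return the names of the links whose nameservers would see `qname`."""
    best, chosen = -1, []
    for link in links:
        score = max((_match_len(qname, d) for d in link.domains), default=-1)
        if score > best:
            best, chosen = score, [link]
        elif score == best and score >= 0:
            chosen.append(link)
    if chosen:
        # A domain matched: only the best-matching link(s) are asked.
        return [l.name for l in chosen]
    # No domain matched: every link flagged as default route is asked.
    return [l.name for l in links if l.default_route]

def sample_links(vpn_default_route):
    """Constructed scenario: a consultant on two VPNs plus local Wi-Fi."""
    return [
        Link("vpn-client", ["192.0.2.10"], ["client.example"], vpn_default_route),
        Link("vpn-own", ["192.0.2.20"], ["corp.example"], vpn_default_route),
        Link("wlan0", ["192.0.2.1"]),
    ]

if __name__ == "__main__":
    for flag in (True, False):
        links = sample_links(flag)
        print("VPN default route =", flag)
        for name in ("intranet.client.example", "wiki.corp.example", "www.example.org"):
            print("  ", name, "->", route(name, links))
```

With the flag left at true on the VPN links, the public name is sent to both corporate resolvers as well as the local one; with it set to false, each VPN resolver sees only names under its own domain.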