etc/systemd-resolved: rework all files more or less

* explain things in README.md, don't duplicate comments
* opportunistic-insecure.conf should be used everywhere by default, so
  thus it's now everywhere.conf. However I am yet to test it does what
  I expect, so this is bad case of testing in production or after
  committing it in general.

etc/systemd/resolved.conf.d/README.md

@@ -0,0 +1,36 @@
+## systemd-resolved additional config files
+
+### Files explained
+
+* everywhere.conf - configuration that doesn't affect DNS servers, attempts
+  to use DNSSEC and DoT and if it fails, doesn't care and uses insecure
+  configuration.
+* quad9-compat.conf - non-tech person config for Quad9, same as above except
+  specifies the server.
+* quad9-strict.conf - tech person config demanding DNSSEC and DoT from Quad9
+* README.md - you are reading it right now.
+
+### General commentary
+
+I have moved duplicate comments to this file, so it will possibly look weird
+or miss original context.
+
+* Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
+  at the time of writing this README.md, the current version is Ubuntu 20.04.0)
+  (systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
+  v243 (big improvements in v244).
+  * TODO: find out when SNI became supported, I have just spotted it in the
+    fine manual in 2020-06-??.
+* Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
+  without which I wouldn't have got this right.
+* DNSSEC may not work if the system is down for a long time and not updated.
+  Thus `allow-downgrade` may be better for non-tech people, even with the
+  potential downgrade attack. There are also captive portals, affecting
+  `DNSOverTLS`. Both take `true` or `false` or their own special option,
+  for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
+
+Other links I have found important and my files are based on:
+
+* https://wiki.archlinux.org/index.php/Systemd-resolved
+* request for strict DOT: https://github.com/systemd/systemd/issues/10755
+* vulnerable to MITM: https://github.com/systemd/systemd/issues/9397

etc/systemd/resolved.conf.d/quad9-compat.conf

@@ -1,9 +1,7 @@
+# Quad9 / systemd-resolved. For non-tech people? See README.md
 [Resolve]
 DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
 Domains=~.
-# see man resolved.conf, may not work if system is down for a long time, +
-# captive portals?
 DNSSEC=allow-downgrade
-# allow downgrade/MITM and captive portals
 DNSOverTLS=opportunistic
 Cache=true

etc/systemd/resolved.conf.d/quad9-strict.conf

@@ -0,0 +1,8 @@
+# Quad9 / systemd-resolved. For people who don't panic when DNSSEC or
+# DoT doesn't work and captive portals attack? See README.md
+[Resolve]
+DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
+Domains=~.
+DNSSEC=true
+DNSOverTLS=true
+Cache=true

etc/systemd/resolved.conf.d/quad9.conf

@@ -1,19 +0,0 @@
-[Resolve]
-DNS=2620:fe::9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 9.9.9.9#dns.quad9.net
-Domains=~.
-DNSSEC=true
-DNSOverTLS=opportunistic
-Cache=true
-
-# Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS
-# (systemd v237)
-
-# Sources:
-# https://wiki.archlinux.org/index.php/Systemd-resolved
-# * request for strict DOT: https://github.com/systemd/systemd/issues/10755
-# * vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
-# https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
-# * I wouldn't have found having to set `~.` without this.
-
-# DNSOverTLS became supported in v239, strict mode (yes) in v243 (big
-# improvements in v244).