systemd-resolved: maybe I snapped at this

etc/systemd/resolved.conf.d/.gitignore

@@ -1,2 +0,0 @@
-10-dot-trex.conf
-99-lan-resolver.conf

etc/systemd/resolved.conf.d/00-defaults.conf

@@ -1,27 +0,0 @@
-[Resolve]
-# Don't trust upstream to verify DNSSEC, even if was encrypted.
-# https://notes.valdikss.org.ru/jabber.ru-mitm/
-# BREAKAGE WARNING for everything else than DNSSEC=false !
-# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
-# PRIVACY WARNING! systemd-networkd/links may override this.
-# NOTE: Empty variables unset whatever is set before! They are not a mistake.
-DNSSEC=true
-# Take the risk of downgrade attacks. Web browser policies enforce
-# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
-# it.
-DNSOverTLS=opportunistic
-Cache=true
-# Consider local DNS servers if they exist.
-DNS=
-DNS=::1
-DNS=127.0.0.1
-FallbackDNS=
-FallbackDNS=::1
-FallbackDNS=127.0.0.1
-Domains=~.
-# .local domains
-#MulticastDNS=true
-# Microsoft Windows compatibility?
-#LLMNR=true
-
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/05-do53-dna-moi.conf

@@ -1,6 +0,0 @@
-[Resolve]
-# https://asiakaspalvelu.moi.fi/hc/fi/articles/360029789832-Mitk%C3%A4-ovat-Moin-palvelinosoitteet
-DNS=2001:14b8:1000::1 2001:14b8:1000::2
-DNS=62.241.198.245 62.241.198.246
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/05-do53-elisa.conf

@@ -1,9 +0,0 @@
-[Resolve]
-# https://elisa.fi/asiakaspalvelu/nettiliittymat/tiedonsiirtoportit-porttiohjaukset/
-# Elisa
-DNS=193.229.0.40 193.229.0.42
-# Saunalahti
-DNS=2001:998:20::20 2001:998:20::40
-DNS=195.74.0.47 195.197.54.100
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/10-dot-443.conf

@@ -1,7 +0,0 @@
-[Resolve]
-# OK, this is not 443, but it bothers me to not have both ports used.
-DNS=[2a02:1b8:10:234::2]:853#dot1.applied-privacy.net 146.255.56.98:853#dot1.applied-privacy.net
-DNS=[2a02:1b8:10:234::2]:443#dot1.applied-privacy.net 146.255.56.98:443#dot1.applied-privacy.net
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/10-dot-adguard.conf

@@ -1,6 +0,0 @@
-[Resolve]
-DNS=94.140.14.14#dns.adguard.com 94.140.15.15#dns.adguard.com 2a10:50c0::ad1:ff#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com
-#DNS=94.140.14.140#unfiltered.adguard-dns.com 94.140.14.141#unfiltered.adguard-dns.com DNS=2a10:50c0::1:ff#unfiltered.adguard-dns.com 2a10:50c0::2:ff#unfiltered.adguard-dns.com
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/10-dot-cloudflare.conf

@@ -1,8 +0,0 @@
-[Resolve]
-# Unfiltered
-#DNS=2606:4700:4700::1111#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com 1.1.1.1#cloudflare-dns.com 2606:4700:4700::1111#one.one.one.one 1.1.1.1#one.one.one.one 1.0.0.1#one.one.one.one  2606:4700:4700::1001#one.one.one.one
-# Malicious domain filtering
-DNS=2606:4700:4700::1112#security.cloudflare-dns.com 2606:4700:4700::1002#security.cloudflare-dns.com 1.1.1.2#security.cloudflare-dns.com 1.0.0.2#security.cloudflare-dns.com
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/10-dot-dns0.conf

@@ -1,8 +0,0 @@
-[Resolve]
-DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
-#DNS=193.110.81.1#kids.dns0.eu 185.253.5.1#kids.dns0.eu 2a0f:fc80::1#kids.dns0.eu 2a0f:fc81::1#kids.dns0.eu
-#DNS=193.110.81.254#open.dns0.eu 185.253.5.254#open.dns0.eu 2a0f:fc80::ffff#open.dns0.eu 2a0f:fc81::ffff#open.dns0.eu
-#DNS=193.110.81.9#zero.dns0.eu 185.253.5.9#zero.dns0.eu 2a0f:fc80::9#zero.dns0.eu 2a0f:fc81::9#zero.dns0.eu
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/10-dot-google.conf

@@ -1,8 +0,0 @@
-[Resolve]
-DNS=8.8.4.4#dns.google 8.8.8.8#dns.google 2001:4860:4860::8844#dns.google 2001:4860:4860::8888#dns.google
-# Google DNS64
-#DNS=2001:4860:4860::6464#dns64.dns.google	2001:4860:4860::64#dns64.dns.google
-DNSOverTLS=true
-Domains=~.
-DNSSEC=true
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/10-dot-mullvad.conf

@@ -1,9 +0,0 @@
-[Resolve]
-#DNS=2a07:e340::2#dns.mullvad.net 194.242.2.2#dns.mullvad.net
-#DNS=194.242.2.3#adblock.dns.mullvad.net 2a07:e340::3#adblock.dns.mullvad.net
-DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net
-#DNS=2a07:e340::5#extended.dns.mullvad.net 194.242.2.5#extended.dns.mullvad.net
-#DNS=2a07:e340::9#all.dns.mullvad.net 194.242.2.9#all.dns.mullvad.net
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/10-dot-quad9.conf

@@ -1,19 +0,0 @@
-# https://docs.quad9.net/services/
-# https://www.trex.fi/service/resolvers.html - says they don't provide
-# encryption, but host a Quad9 node and giving these addresses instead.
-[Resolve]
-# Secure
-DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
-DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
-# No Threat Blocking
-#DNS=2620:fe::10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net [2620:fe::10]:8853#dns10.quad9.net [2620:fe::fe:10]:8853#dns10.quad9.net
-#DNS=149.112.112.10#dns10.quad9.net 9.9.9.10#dns10.quad9.net 149.112.112.10:8853#dns10.quad9.net 9.9.9.10:8853#dns10.quad9.net
-# Secure + ECS. IPv4 first so it gets preferred as my Unbound likely prefers IPv6 anyway.
-#DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
-#DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
-# No Threat Blocking + ECS
-#DNS=2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net [2620:fe::12]:8853#dns12.quad9.net [2620:fe::fe:12]:8853#dns12.quad9.net
-#DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 9.9.9.12:8853#dns12.quad9.net 149.112.112.12:8853#dns12.quad9.net
-DNSOverTLS=true
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/98-local-resolver.conf

@@ -1,15 +0,0 @@
-# Being at the higher end of numbers, this file will take priority assuming
-# nothing else uses the prefix 99- and override values of others with the
-# unsets.
-[Resolve]
-DNSSEC=false
-DNSOverTLS=false
-Cache=false
-DNS=
-DNS=::1
-DNS=127.0.0.1
-FallbackDNS=
-FallbackDNS=::1
-FallbackDNS=127.0.0.1
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/99-lan-resolver.conf.sample

@@ -1,13 +0,0 @@
-[Resolve]
-# These could be used in some business
-#DNS=10.0.0.1
-#DNS=172.16.0.1
-# Average router
-#DNS=192.168.0.1
-# Huawei?
-#DNS=192.168.8.1
-# Mikrotik
-#DNS=192.168.88.1
-DNSSEC=true
-Domains=~.
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/99-working-dns.conf

@@ -1,7 +1,4 @@
-# DNS0 and Quad9 should be a good combination for family that just works
-# regardless of restrictive networks, thus opportunistic DoT. DNSSEC is a
-# risk in systemd-resolved. https://github.com/systemd/systemd/issues/10579 &
-# https://github.com/systemd/systemd/issues/9867
+# 99-working-dns.conf
 [Resolve]
 DNS=
 DNS=::1
@@ -14,9 +11,8 @@ FallbackDNS=
 FallbackDNS=::1
 FallbackDNS=127.0.0.1
 Domains=~.
-#DNSSEC=allow-downgrade
-#DNSSEC=true
-#DNSSEC=false
+# I lied. https://github.com/systemd/systemd/issues/34896 https://github.com/systemd/systemd/issues/35126
+DNSSEC=true
 DNSOverTLS=opportunistic
 Cache=true
 # vim: filetype=systemd

etc/systemd/resolved.conf.d/README.md

@@ -9,7 +9,6 @@
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
 - [Quickstart](#quickstart)
-- [Files explained](#files-explained)
 - [General commentary](#general-commentary)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
@@ -33,34 +32,6 @@ sudo systemctl restart systemd-resolved
 `../../resolv.conf-generate.bash` **is the best** this repository has to
 offer.
 
-## Files explained
-
-- `00-defaults.conf` - configuration that should be used everywhere. Enables
-  DNSSEC (regardless of systemd-resolved not handling it properly), enables
-  opportunistic DoT, caching and local DNS servers (because they should exist
-  anyway as I don't trust systemd-resolved entirely. Anyway if there truly is
-  no local resolver, systemd-resolved will detect that and act accordingly.)
-  - To rephrase, this is to be used together with other files, especially some
-    of those beginning with `10-dot-`.
-- `05-do53-dna-moi.conf` - DNS servers used by DNA and Moi (who is on DNA's
-  network and owned by them)
-- `05-do53-elisa.conf` - DNS servers used by Elisa and apparently their
-  Saunalahti still exists here as well.
-- `10-dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS.
-  At least one of these should be used in addition to `00-defaults.conf`
-- `98-local-resolver.conf` attempts to configure localhost resolver and
-  disables unnecessary features for that scenario. The number 10 takes
-  priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will also
-  apply to the former ones that are unlikely to support it. When numbering the
-  files, I didn't think I would be adding the plaintext DNS servers that I am
-  unlikely to use whenever Unbound is available (and I currently have only one
-  system that has systemd-resolved while not having Unbound and it seems to
-  prefer DoT over my router anyway).
-- `99-lan-resolver.conf.sample` when renamed would allow enabling resolvers on
-  LAN assuming they are trusted. Note that if used together with
-  `98-local-resolver.conf`, DNSSEC would be disabled.
-- `README.md` - you are reading it right now.
-
 ## General commentary
 
 - DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (big