resolv: follow the same order as man resolv.conf

etc/resolv.conf

@@ -26,8 +26,9 @@ nameserver 127.0.0.53
 # systemd-resolved DNS proxy (to upstream). No DNSSEC, no LLMNR, no mDNS!
 #nameserver 127.0.0.54
 
-# edns0 = extended DNS
+# no sending local domain to upstream whenever NXDOMAIN happens
-# trust-ad = trust DNSSEC authenticated data
+search .
+
 # timeout:2 = nameserver timeout 2 s (default 5, max 30), then next
 # attempts:2 = if all nameservers fail, attempt again 2 times (def 2, max 5)
 # rotate = instead of trying the nameservers in the order specified, randomize
@@ -35,14 +36,13 @@ nameserver 127.0.0.53
 # except that NordVPN disables IPv6 so ::1 will fail and occassionally only
 # systemd-resolved works and I am under impression that some apps are aware of
 # systemd-resolved and will use it directly bypassing resolv.conf
-options edns0 trust-ad timeout:2 attempts:2 rotate
+# edns0 = extended DNS
+# trust-ad = trust DNSSEC authenticated data
+options timeout:2 attempts:2 rotate edns0 trust-ad
 # AMINDA! Remember, you are specifying these here, a couple of bash scripts
 # in this directory, see the comment on top, ../rc/{bash,zsh}rc
 # ($RES_OPTIONS) and systemd/system/service.d/resolv.conf !
 
-# no sending local domain to upstream whenever NXDOMAIN happens
-search .
-
 # PS. Remove empty lines and comments if this ends up in /etc/resolv.conf
 # PPS. The traditional spell is:
 #    sudo chattr -i /etc/resolv.conf;sudo nvim /etc/resolv.conf;sudo chattr +i /etc/resolv.conf

etc/resolv.conf-generate.bash

@@ -17,7 +17,7 @@ rm -v /etc/resolv.conf
 # Actual resolv.conf creation. OK, this could read resolv.conf in this
 # directory, but I like this being self-contained.
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:2 attempts:2 rotate\nsearch .\n' | tee -p /etc/resolv.conf
+printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
 
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf

etc/systemd-resolv.conf-generate.bash

@@ -29,7 +29,7 @@ chmod -v +w /etc/resolv.conf
 rm -v /etc/resolv.conf
 
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\noptions edns0 trust-ad timeout:2 attempts:2 rotate\nsearch .\n' | tee -p /etc/resolv.conf
+printf 'nameserver 127.0.0.53\nnameserver 127.0.0.53\nnameserver 127.0.0.53\nsearch .\noptions timeout:2 attempts:2 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
 
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf

etc/systemd/system/service.d/resolv.conf

@@ -5,6 +5,6 @@
 # note that this is possible.
 [Service]
 Environment=LOCALDOMAIN=.
-Environment=RES_OPTIONS="edns0 trust-ad timeout:2 attempts:2 rotate"
+Environment=RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
 
 # vim: filetype=systemd

rc/bashrc

@@ -258,7 +258,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="edns0 trust-ad timeout:2 attempts:2 rotate"
+export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
 
 #####	Aliases						RJ706I	#####
 

rc/zshrc

@@ -217,7 +217,7 @@ export LSCOLORS=gxBxhxDxfxhxhxhxhxcxcx
 export LOCALDOMAIN=.
 # Secureish resolv.conf options (except trust-ad, but systemd also sets it
 # regardless of whether DNSSEC=true or not.
-export RES_OPTIONS="edns0 trust-ad timeout:2 attempts:2 rotate"
+export RES_OPTIONS="timeout:2 attempts:2 rotate edns0 trust-ad"
 
 #####	Aliases						RJ706I	#####