diff --git a/etc/systemd/resolved.conf.d/00-defaults.conf b/etc/systemd/resolved.conf.d/00-defaults.conf
index a47ec07f..9b095a53 100644
--- a/etc/systemd/resolved.conf.d/00-defaults.conf
+++ b/etc/systemd/resolved.conf.d/00-defaults.conf
@@ -1,6 +1,9 @@
 [Resolve]
 # https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
 #DNSSEC=allow-downgrade
-DNSSEC=no
+# Regardless of the above DNS breaking issues when DNSSEC is
+# enabled/opportunistic, it provides authentication which is important. TLS
+# cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
+DNSSEC=yes
 DNSOverTLS=opportunistic
 Cache=yes
diff --git a/etc/systemd/resolved.conf.d/README.md b/etc/systemd/resolved.conf.d/README.md
index 16e9c781..e8a9a8b9 100644
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
@@ -11,9 +11,9 @@ sudo systemctl restart systemd-resolved
 
 ## Files explained
 
-- `00-defaults.conf` - configuration not touching resolvers. Disables DNSSEC (as
-  systemd-resolved doesn't handle it properly), enables opportunistic DoT and
-  caching.
+- `00-defaults.conf` - configuration not touching resolvers. Enables DNSSEC
+  (regardless of systemd-resolved not handling it properly), enables
+  opportunistic DoT and caching.
 - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
   captive portals are a concern, `DNSOverTLS=no`.
 - `README.md` - you are reading it right now.
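Review bot: `DNSSEC=yes` is strict mode, and the new comment above it argues for the setting without stating its failure behaviour: a response that fails validation, or an upstream resolver that strips DNSSEC records, is answered with SERVFAIL for every client instead of being downgraded, which is the very condition the two linked issues describe. The hardening is also one-sided while `DNSOverTLS=opportunistic` remains on the next context line, because opportunistic DoT still falls back to plaintext when TLS is unavailable. I would extend the comment with `# yes = strict: answers that fail validation are rejected (SERVFAIL), there is no downgrade.` and `# Use allow-downgrade, or the unbound.conf drop-in, on networks whose resolver strips DNSSEC data.` so the availability trade-off is recorded next to the value that causes it.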
@@ -33,10 +33,12 @@ sudo systemctl restart systemd-resolved
   potential downgrade attack. There are also captive portals, affecting
   `DNSOverTLS`. Both take `yes` or `no` or their own special option, for DNNSEC
   the `allow-downgrade`, for DNSOverTLS `opportunistic`.
+  - Then again when was any system that outdated to not have working DNSSEC?
+  - TODO: return to this configuration should that actually happen?
 
 Other links I have found important and my files are based on:
 - https://wiki.archlinux.org/index.php/Systemd-resolved
 - Also provides the serious issues systemd-resolved+DNSSEC issues,
   https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
-- request for strict DOT: https://github.com/systemd/systemd/issues/10755
+- request for strict DoT: https://github.com/systemd/systemd/issues/10755
 - vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
diff --git a/etc/systemd/resolved.conf.d/unbound.conf b/etc/systemd/resolved.conf.d/unbound.conf
index ca839719..e26cf66a 100644
--- a/etc/systemd/resolved.conf.d/unbound.conf
+++ b/etc/systemd/resolved.conf.d/unbound.conf
@@ -4,7 +4,7 @@ DNS=127.0.0.1
 DNS=::1
 Domains=~.
 # Done better by Unbound, no failed-auxiliary (https://github.com/systemd/systemd/issues/9867)
-DNSSEC=no
+#DNSSEC=no
 # Not needed on localhost
 DNSOverTLS=no
 # Done by Unbound
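Review bot: Commenting out `DNSSEC=no` leaves the line above it, `# Done better by Unbound, no failed-auxiliary (...)`, describing a setting that is no longer in effect, and it silently changes which value applies: drop-ins are applied in lexicographic order, so `unbound.conf` used to override `00-defaults.conf`, and now the `DNSSEC=yes` set there in the first hunk governs this localhost-forwarder configuration as well. As far as I can tell systemd-resolved will then validate the answers it receives from Unbound on 127.0.0.1/::1 a second time, and any disagreement between the two validators surfaces to clients as SERVFAIL, even though Unbound's validation is the control this drop-in was written around. If the double validation is intended, record it, e.g. `# Unbound validates; with the override gone, 00-defaults.conf's DNSSEC=yes makes resolved re-validate its answers too`; if not, keep `DNSSEC=no` here, since overriding the default was the reason this drop-in existed.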