systemd-resolved: attempt to simplify configuration

etc/systemd/resolved.conf.d/00-defaults.conf

@@ -0,0 +1,23 @@
+[Resolve]
+# Don't trust upstream to verify DNSSEC, even if was encrypted.
+# https://notes.valdikss.org.ru/jabber.ru-mitm/
+# BREAKAGE WARNING for everything else than DNSSEC=false !
+# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
+# PRIVACY WARNING! systemd-networkd/links may override this.
+DNSSEC=true
+# Take the risk of downgrade attacks. Web browser policies enforce
+# DNS-over-HTTPS anyway due to Encrypted Client Hello (ECH) still requiring
+# it.
+DNSOverTLS=opportunistic
+Cache=true
+# Consider local DNS servers if they exist. Empty should erase previous values.
+DNS=
+DNS=127.0.0.1
+DNS=::1
+Domains=~.
+# .local domains
+MulticastDNS=true
+# Microsoft Windows compatibility?
+LLMNR=true
+
+# vim: filetype=systemd

etc/systemd/resolved.conf.d/00-no-local-resolver.conf

@@ -1,19 +0,0 @@
-[Resolve]
-# Use this together with other files other than 00-only-local-resolver.conf!
-# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
-#DNSSEC=allow-downgrade
-# Regardless of the above DNS breaking issues when DNSSEC is
-# enabled/opportunistic, it provides authentication which is important. TLS
-# cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
-DNSSEC=true
-DNSOverTLS=opportunistic
-Cache=true
-#DNS=127.0.0.1
-#DNS=::1
-Domains=~.
-# .local domains
-MulticastDNS=true
-# Microsoft Windows compatibility?
-LLMNR=true
-
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/00-only-local-resolver.conf

@@ -1,14 +0,0 @@
-[Resolve]
-# All this is done by Unbound. Don't use other files together with this one.
-DNSSEC=false
-DNSOverTLS=false
-Cache=false
-DNS=127.0.0.1
-DNS=::1
-Domains=~.
-# .local domains
-MulticastDNS=true
-# Microsoft Windows compatibility?
-LLMNR=true
-
-# vim: filetype=systemd

etc/systemd/resolved.conf.d/README.md

@@ -26,19 +26,15 @@ sudo systemctl restart systemd-resolved
 
 ## Files explained
 
-- `00-no-local-resolver.conf` - configuration that should be used everywhere.
+- `00-defaults.conf` - configuration that should be used everywhere.
   Enables DNSSEC (regardless of systemd-resolved not handling it properly),
   enables opportunistic DoT, caching and local DNS servers (because they
   should exist anyway as I don't trust systemd-resolved entirely. Anyway if
   there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
-  - To rephrase, this is sto be used together with other files, especially
+  - To rephrase, this is to be used together with other files, especially
     some of those beginning with `dot-`.
-- `00-only-local-resolver.conf` - for when there is known local resolver.
+- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS.
-  **_Don't combine this with the other files._**
+  At least one of these should be used in addition to `00-defaults.conf`
-- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
-  captive portals are a concern, `DNSOverTLS=opportunistic`. At least one of these
-  should be used in addition to `00-defaults.conf`
-- `nordvpn.conf` - includes NordVPN's resolver addresses for hosts using it
 - `README.md` - you are reading it right now.
 
 ## General commentary

etc/systemd/resolved.conf.d/nordvpn.conf

@@ -1,5 +0,0 @@
-[Resolve]
-DNS=2400:bb40:4444::103 2400:bb40:8888::103
-DNS=103.86.96.100 103.86.99.100
-
-# vim: filetype=systemd