[Resolve]
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
#DNSSEC=allow-downgrade
# Regardless of the above DNS breaking issues when DNSSEC is
# enabled/opportunistic, it provides authentication which is important. TLS
# cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
DNSSEC=yes
DNSOverTLS=opportunistic
Cache=yes