dns-systemd-resolved: DNSOverTls breaks per-link DNS
When using DNSOverTls in global settings, per-link configuration inherits these settings. When DNSOverTls is configured in strict mode and the per-link DNS server does not support DoT, name resolution fails, preventing link-local domains from being resolved correctly.
The problem is: when we get our per-link DNS servers through DHCP, we cannot be sure whether they support DoT. I also cannot imagine any secure way to find out if the server supports DoT in a way that's not vulnerable to MITM attacks like DoT opportunistic mode would be.
As NetworkManager, as far as I know, doesn't support DoT with static DNS configuration either, I suggest setting per-link DoT to "opportunistic" or "no" on setup when systemd-resolved is detected, to ensure that per-link DNS servers work properly.
What do you think? I can open a pull request that implements this if this approach is acceptable in your opinion.