This PR switches the local DNS stub resolver to Unbound, due to systemd-resolved's unreliable DNSSEC validation and broader concerns. See #1174.

Changelog:

• Remove systemd-resolved and install dnsconfd-unbound
  • dnsconfd implements a dbus interface for NetworkManager and applies DNS settings dynamically to Unbound
  • Configured NetworkManager to use dnsconfd dbus interface
• Harden unbound.service and configure Unbound
  • Run unprivileged, no capabilities, no setuid/setgid/chroot
  • Use systemd network and UNIX sockets
  • Lock down other syscalls, namespaces, filesystem
  • Fedora bug opened, hopefully will upstream a subset
  • Add non-default hardening and performance configuration
• Harden dnsconfd.service
  • Will try to upstream
• Migrate existing configuration to NetworkManager with secureblue-migrate-dns.service
  • Seamless for all users of the bash ujust dns-selector
• Refactor ujust dns-selector and rewrite in Python using sandboxing framework
  • Pre-defined servers from bash now stored in JSON at /usr/share/secureblue
• Rewrite ujust audit-secureblue audit_dns()
  • Checks for global DNS, DNSSEC validation, Trivalent DoT
  • Wrapper around new ujust dns-selector status
• Update i18n for ujust audit-secureblue
  • Some translatable strings have changed
• Add workaround for unapplied dnsconfd SELinux type
  • Upstream has a bug in v1.7.2 that causes dnsconfd to run unconfined by SELinux.
  • Fixed in v1.7.3, pinged maintainer so now on Bodhi, autopushes in 1-2 days?

Not included in this PR:

• Per-connection DNS, to simplify configuration of DNS with VPNs and work/public networks
  • Also VPN-enlightened ujust audit-secureblue
• Zero-trust DNS even in Anaconda by setting kargs, so no leaks (possible from F43)
• Investigation needed for GNOME's overly strict GUI DNS validation
• DNS allowlisting