man: correctly document default for DNSSEC= and DNSoverTLS=

https://bugzilla.redhat.com/show_bug.cgi?id=1926323

man/custom-entities.ent.in

@@ -13,5 +13,7 @@
 <!ENTITY DEBUGTTY "{{DEBUGTTY}}">
 <!ENTITY RC_LOCAL_PATH "{{RC_LOCAL_PATH}}">
 <!ENTITY HIGH_RLIMIT_NOFILE "{{HIGH_RLIMIT_NOFILE}}">
+<!ENTITY DEFAULT_DNSSEC_MODE "{{DEFAULT_DNSSEC_MODE_STR}}">
+<!ENTITY DEFAULT_DNS_OVER_TLS_MODE "{{DEFAULT_DNS_OVER_TLS_MODE_STR}}">
 <!ENTITY fedora_latest_version "35">
 <!ENTITY fedora_cloud_release "1.2">

man/resolved.conf.xml

@@ -1,6 +1,9 @@
 <?xml version='1.0'?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY % entities SYSTEM "custom-entities.ent" >
+%entities;
+]>
 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
 
 <refentry id="resolved.conf" conditional='ENABLE_RESOLVE'
@@ -199,7 +202,7 @@
         domains (TLDs) that are not known by the DNS root server. This
         logic does not work in all private zone setups.</para>
 
-        <para>Defaults to <literal>allow-downgrade</literal>.</para>
+        <para>Defaults to <literal>&DEFAULT_DNSSEC_MODE;</literal>.</para>
         </listitem>
       </varlistentry>
 
@@ -239,7 +242,7 @@
         <varname>DNSOverTLS=</varname> setting is in effect. For per-link DNS servers the per-link setting is in effect, unless
         it is unset in which case the global setting is used instead.</para>
 
-        <para>Defaults to off.</para>
+        <para>Defaults to <literal>&DEFAULT_DNS_OVER_TLS_MODE;</literal>.</para>
         </listitem>
       </varlistentry>