I confirm that this bug exists after upgrading systemd. Systemd-resolved *sometimes* does not downgrade and SERVERFAILS on all domains that do not have a signature dns record.
The error with resolvectl query is:

    $ resolvectl query example.domain
    example.domain: resolve call failed: DNSSEC validation failed: no-signature

    $ resolvectl reset-server-features

or

    $ resolvectl flush-caches

This is a problem that can only be corrected by passing dnssec=no to all interfaces (even ones with no DNS server) or globally in the configuration and restarting systemd-resolved.

Happens with both:

    systemd 245 (245.2-1)
    systemd 245 (245.4-1)

My DNS resolver is an unmodified OpenWrt (dnsmasq) router which forwards to 1.1.1.1.