DNSSEC isn't required to query a DS record. The reason your query succeeded after you enabled DNSSEC is because systemd-resolved caches it internally as a result of the DNSSEC lookup.
Once the DS query is cached, the bug will not manifest. Another way to cache it is:
ubuntu@server:~$ dig ripe.net ds @127.0.0.53 +short
ubuntu@server:~$ dig ripe.net ds @127.0.0.54 +short
10186 13 2 BC15C85E16FE7C6 51EAAFCEE3B1F1C 956217A5B70A536 BFEF38C24A9 AB7B9A3F
ubuntu@server:~$ dig ripe.net ds @127.0.0.53 +short
10186 13 2 BC15C85E16FE7C6 51EAAFCEE3B1F1C 956217A5B70A536 BFEF38C24A9 AB7B9A3F