Comment 4 for bug 1823171

DNSSEC isn't required to query a DS record. The reason your query succeeded after you enabled DNSSEC is because systemd-resolved caches it internally as a result of the DNSSEC lookup.

Once the DS query is cached, the bug will not manifest. Another way to cache it is:

ubuntu@server:~$ dig ripe.net ds @127.0.0.53 +short

ubuntu@server:~$ dig ripe.net ds @127.0.0.54 +short
10186 13 2 BC15C85E16FE7C651EAAFCEE3B1F1C956217A5B70A536BFEF38C24A9 AB7B9A3F

ubuntu@server:~$ dig ripe.net ds @127.0.0.53 +short
10186 13 2 BC15C85E16FE7C651EAAFCEE3B1F1C956217A5B70A536BFEF38C24A9 AB7B9A3F