Comment 7 for bug 1898590

Something helpful for anyone looking into this later I found what seems a good testcase without requiring too much a local setup (of a dnssec dns server):

To get unbound (brute force) do:
apt install unbound
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl enable unbound-resolvconf
sudo systemctl enable unbound
# set 127.0.0.1
vim /etc/resolv.conf

Now this should show the ad flag as reported:
$ dig salsa.debian.org -t sshfp
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

$ ssh -v -o "VerifyHostKeyDNS=yes" <email address hidden>

This indeed (as reported), does show the changed behavior (clean LXD containers, just changes as mentioned above, edns0 set by default):

Bionic:
debug1: found 4 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

Focal:
debug1: found 4 insecure fingerprints in DNS
debug1: matching host key fingerprint found in DNS
The authenticity of host 'salsa.debian.org (209.87.16.44)' can't be established.
ED25519 key fingerprint is SHA256:OAD3pGSwcODIthxF+zIRvPTZ8UCJAYI75E42XDfGr84.
Matching host key fingerprint found in DNS.