Unfortunately the DNS interface of current systemd-resolved strips DNSSEC, so applications that do DANE validation still have to target the upstreams directly. I have filed a bug about this: https://github.com/systemd/systemd/issues/4621
** Bug watch added: github.com/systemd/systemd/issues #4621 https://github.com/systemd/systemd/issues/4621 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1624320 Title: systemd-resolved appends 127.0.0.53 to resolv.conf alongside existing entries To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624320/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs