DNSSEC isn't required to query a DS record. The reason your query succeeded after you enabled DNSSEC is that systemd-resolved caches it internally as a result of the DNSSEC lookup.
Once the DS query is cached, the bug will not manifest. Another way to cache it is:

ubuntu@server:~$ dig ripe.net ds @127.0.0.53 +short
ubuntu@server:~$ dig ripe.net ds @127.0.0.54 +short
10186 13 2 BC15C85E16FE7C651EAAFCEE3B1F1C956217A5B70A536BFEF38C24A9 AB7B9A3F
ubuntu@server:~$ dig ripe.net ds @127.0.0.53 +short
10186 13 2 BC15C85E16FE7C651EAAFCEE3B1F1C956217A5B70A536BFEF38C24A9 AB7B9A3F

--
https://bugs.launchpad.net/bugs/1823171

Title:
  systemd-resolve hides DS records in explicit queries