Another from the email list (2022/04/22):
systemd-resolved is broken in many ways. I doubt it can correctly forward TSIG or SIG(0). If you have a proper DNS server running on your machine, there are not many reasons to also run systemd-resolved. If you need it, I suggest writing a fixed /etc/resolv.conf pointing to 127.0.0.1 or ::1. Consider chattr +i /etc/resolv.conf afterwards. Do not use the stub resolver provided by systemd if you have a better caching server running on the same machine. I would even recommend uninstalling it on Fedora, where that is possible. Unless you use mDNS on selected networks only, I don't think systemd-resolved provides you any benefit.
systemd-resolved strips even DNSSEC signatures in its default configuration. I would doubt it can handle key signatures or even updates.
A solution:
sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop
And then mask: systemd masking
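A check to run after the steps above, as an added example that is not part of the original note or the quoted email: it reports whether a resolv.conf-style file is a regular file and whether its nameserver lines still point at the systemd-resolved stub. The function names are hypothetical, and 127.0.0.53 is assumed to be the stub listener address (the systemd-resolved default).

```shell
#!/bin/sh
# Classify the nameserver lines of a resolv.conf-style file.
# Prints one of: stub, local, remote, none
resolv_status() {
    awk '
        $1 == "nameserver" {
            n++
            if ($2 == "127.0.0.53") stub = 1    # assumed systemd-resolved stub address
            else if ($2 == "127.0.0.1" || $2 == "::1") loc++
        }
        END {
            if (n == 0)        print "none"     # no nameserver lines at all
            else if (stub)     print "stub"     # still going through systemd-resolved
            else if (loc == n) print "local"    # every entry is the local DNS server
            else               print "remote"   # at least one non-local resolver
        }
    ' "$1"
}

# A fixed file has to be a regular file. On hosts running systemd-resolved,
# /etc/resolv.conf is commonly a symlink into /run and must be replaced first.
# Prints one of: symlink, regular, missing
resolv_kind() {
    if [ -L "$1" ]; then
        echo symlink
    elif [ -f "$1" ]; then
        echo regular
    else
        echo missing
    fi
}

# Demonstration on a constructed sample file (not taken from a real host).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'nameserver 127.0.0.53' \
    'options edns0 trust-ad' > "$sample"
echo "sample: $(resolv_kind "$sample") $(resolv_status "$sample")"
rm -f "$sample"
```

On a host configured as described, `resolv_kind /etc/resolv.conf` should print `regular` and `resolv_status /etc/resolv.conf` should print `local`.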