On Fri, Apr 17, 2020 at 8:34 AM Chris Adams <linux@cmadams.net> wrote:
Once upon a time, Lennart Poettering <mzerqung@0pointer.de> said:
> The DNS servers in edge routers are awful at supporting
> either. i.e. the DNS servers you usually get informed about in DHCP
> leases are typically too crap at supporting either kind of DNSSEC (and
> that for a reason actually, these devices generally define their own
> private, local DNS names (e.g. "fritz.box"), which couldn't possibly
> be validated with DNSSEC, because they are made up and local.)

That might be true if you are just considering residential users with
cheap gateways as your only use case (but even then, most of those run
dnsmasq, which has gotten a lot better).  However, there are lots of
other use cases.

> We
> intend to implement the "AD" stuff however correctly for this, but
> this isn't tested much since pretty much no one except for a few DNS
> devs actually set this, hence there might be issues, which might be
> what Florian found.

Advertising yourself as a "nameserver" in /etc/resolv.conf means you get
to handle all the requests, including the ones you didn't think about or
want to just dismiss as only of interest "a few DNS devs".  That's the
only standard way for software to find DNS servers to use for any
purpose.  Returning errors to clients for things you don't care about is
basically useless, because they have no other way to get that
information when actual DNS servers aren't in /etc/resolv.conf.

If systemd-resolved is not going to implement a standards-compliant DNS
server (and not just "we return errors to things we don't care about",
but actual current DNS standards), then it does not belong in
/etc/resolv.conf.  Listening on the system bus as an alternative, to
implement gethostbyname/getaddrinfo/etc., is fine, but don't pretend to
be an actual DNS server and go in /etc/resolv.conf.

I tend to agree.  Right now, a client-side resolving validator works on Fedora.  This change proposal breaks that.  Could resolved be extended to pass DNSSEC data through correctly so that client-side validation will continue to work?
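The thread turns on two things a client-side validator needs from whatever sits in /etc/resolv.conf: that a query carrying the AD header bit and the EDNS0 DO bit is answered rather than rejected, and that the AD bit (and DNSSEC records) in the upstream answer are passed through intact rather than stripped. The following script is an added diagnostic example, not code from the thread, systemd-resolved or Fedora. It builds such a query by hand, parses the response header, and classifies what the stub resolver did. The sample responses are constructed inline (a validating answer, a forwarder that cleared AD, and a SERVFAIL) so the logic can be exercised offline; `query_resolver` is the live path and assumes a resolver on 127.0.0.53:53, the address systemd-resolved conventionally uses, which you would adjust for your own setup.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.3)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # "Authenticated Data": set by a validating resolver
FLAG_CD = 0x0010  # "Checking Disabled": client will validate itself

EDNS_DO = 0x00008000  # DO bit in the OPT RR TTL field (RFC 3225)


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, ad=True, do=True):
    """Build a UDP query for `name` with RD set, optionally AD in the header
    and an EDNS0 OPT RR with DO set so DNSSEC records are returned."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    arcount = 1 if do else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if do:
        # OPT RR: root name, type 41, "class" = UDP payload size,
        # TTL field carries ext-rcode/version/DO, rdlength 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return msg


def parse_flags(response):
    """Return the header fields a validator cares about from a raw response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "ra": bool(flags & FLAG_RA),
        "ancount": an,
    }


def classify(parsed):
    """Describe what the responding resolver did with the DNSSEC request."""
    if parsed["rcode"] != 0:
        return "error rcode %d: resolver did not answer the query" % parsed["rcode"]
    if parsed["ad"]:
        return "AD set: answer validated upstream and flag passed through"
    return "AD clear: answer unvalidated or AD stripped by the stub"


def query_resolver(name, server="127.0.0.53", port=53, timeout=2.0):
    """Send the query to a live resolver (assumed address) and parse the header."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_flags(data)


# Constructed sample responses (not captured traffic): header + echoed question
# + one A record using a compression pointer to the question name.
_QUESTION = encode_name("example.com.") + struct.pack("!HH", 1, 1)
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])

SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_AD_STRIPPED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for label, sample in (("validated", SAMPLE_VALIDATED),
                          ("stripped", SAMPLE_AD_STRIPPED),
                          ("servfail", SAMPLE_SERVFAIL)):
        print(label, "->", classify(parse_flags(sample)))
```

Run against a live stub by calling `query_resolver("example.com.")`; a resolver that answers with SERVFAIL here, or that answers a validated name with AD clear, is one a client-side validator cannot rely on. Checking the header is only the first half of the problem: a full validator also needs the RRSIG records that DO requests, so a stub that clears AD but returns RRSIGs is still usable while one that drops both is not.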