Bug 1883090

Summary: systemd-resolved breaks DNSSEC validation
Product: Fedora
Reporter: Paul Wouters <pwouters>
Component: systemd
Assignee: systemd-maint
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 33
CC: fedoraproject, filbranden, flepied, lnykryn, msekleta, ssahani, s, systemd-maint, yuwatana, zbyszek, z
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-09-29 02:46:35 UTC
Type: Bug

Description Paul Wouters 2020-09-28 04:42:44 UTC
When a DNS library or application sends DNS requests with the DO bit set, systemd-resolved does not return the proper DNSSEC records because DNSSEC has been completely disabled.

This breaks any DNS library and program that depends on these records. It also undermines DNS security.

Two concrete examples:

libreswan links against libunbound and uses its own DNSSEC validation based on the forwarders specified in /etc/resolv.conf. With systemd-resolved populating resolv.conf with 127.0.0.53, libreswan is given a broken forwarder. DNSSEC fails and ALL RESOLVING within libreswan fails.

My postfix server uses LetsEncrypt certificates and publishes and consumes TLSA records to validate the SMTP TLS channels. Postfix requests DNS from the system resolver and expects the AD bit for DNSSEC-validated answers. systemd-resolved will never return these, so all TLSA query answers are ignored by postfix, downgrading my email TLS security to anonymous TLS, which can now be MITM'ed by anyone.

This could be considered a CVE-magnitude issue.
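As an added example (not code from the bug report, from systemd, or from libreswan or postfix), the script below does what the two affected programs do at the wire level: it sends a query with the EDNS0 DO bit set and then inspects the reply for the AD flag and for RRSIG records in the answer section. It builds and parses DNS wire format by hand so it needs no DNS library. The replies used for the offline self-check are constructed in-line and are not captured from any resolver; the live probe against 127.0.0.53 (or a server given on the command line) only runs when the script is executed directly. The name example.com and the TEST-NET address in the constructed reply are illustrative assumptions.

```python
"""Probe a resolver for DNSSEC material: send a query with the EDNS0 DO bit,
then check the reply for the AD flag and RRSIG records.
Added example; DNS wire format is built and parsed by hand, no library needed."""
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
CLASS_IN = 1
FLAG_AD = 0x0020   # Authenticated Data bit in the 16-bit header flags
EDNS_DO = 0x8000   # DO bit inside the OPT RR's 32-bit TTL field (ext-rcode/version/flags)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, do_bit=True):
    """Build a recursive (RD) query; with do_bit, append an OPT RR carrying DO."""
    arcount = 1 if do_bit else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if not do_bit:
        return header + question
    # OPT pseudo-RR: root name, TYPE=OPT, CLASS=UDP payload size,
    # TTL=ext-rcode/version/flags with DO set, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return the header bits of interest and the RR types in the answer section."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answer_types = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answer_types.append(rtype)
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "answer_types": answer_types,
        "rrsig_count": answer_types.count(TYPE_RRSIG),
    }


def dnssec_material_present(msg):
    """True only when the reply is marked validated (AD) and carries RRSIGs."""
    r = parse_response(msg)
    return r["ad"] and r["rrsig_count"] > 0


def make_response(name, ad, with_rrsig, txid=0x1234):
    """Constructed reply for offline testing (not captured from any resolver):
    one A record, optionally followed by an RRSIG with placeholder RDATA."""
    flags = 0x8180 | (FLAG_AD if ad else 0)      # QR, RD, RA (+AD)
    records = [(TYPE_A, bytes([192, 0, 2, 1]))]  # 192.0.2.1, a TEST-NET-1 address
    if with_rrsig:
        records.append((TYPE_RRSIG, b"\x00" * 40))
    header = struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for rtype, rdata in records:
        # owner name as a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answers


def query_resolver(name, server="127.0.0.53", port=53, timeout=2.0):
    """Live check: send a DO-flagged query over UDP and parse the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.53"
    result = query_resolver("example.com", server)   # example.com is illustrative
    print(f"{server}: AD={result['ad']} RRSIGs={result['rrsig_count']} "
          f"answer types={result['answer_types']}")
```

Run it once against 127.0.0.53 and once against the upstream server that `resolvectl status` lists for the link; for a signed zone, a reply with AD clear and no RRSIG from the stub is exactly the condition the report describes. The check insists on both AD and RRSIGs because a forwarder that does not validate may strip either one. The AD bit is only meaningful when the path to the resolver is trusted, which is why libreswan validates for itself rather than trusting a stub's flags.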

Comment 1 Paul Wouters 2020-09-29 02:46:35 UTC

*** This bug has been marked as a duplicate of bug 1879028 ***