systemd version the issue has been seen with

257

Used distribution

NixOS unstable

Linux kernel version used

6.16.7

CPU architectures issue was seen on

x86_64

Component

resolvectl, systemd-resolved

Expected behaviour you didn't see

Everything working fine

Unexpected behaviour you saw

Stops resolving domains. Manually querying nameservers with dig works fine.

$ resolvectl query google.com
google.com: resolve call failed: All attempts to contact name servers or networks failed

Checking resolvectl status shows that DNSSEC is reported as unsupported, but it did work before.
Disabling DNSSEC AND DoT makes everything work again.
Disabling DoT leads to a different error:

$ resolvectl query google.com
google.com: resolve call failed: DNSSEC validation failed: failed-auxiliary

Steps to reproduce the problem

I don’t know, exactly.
My DNS resolvers are

1.1.1.1#one.one.one.one
1.0.0.1#one.one.one.one
2606:4700:4700::1111#one.one.one.one
2606:4700:4700::1001#one.one.one.one

Additional program output to the terminal or log subsystem illustrating the issue