Comment 9 for bug 1796501

I grabbed the top 500 hosts in an Eaon LXD container with DNS=1.1.1.1
wget -O top500.csv https://moz.com/top-500/download/?table=top500Domains
cut -d, -f2 < top500.csv | cut -d\" -f2 > top500

I ran this script twice (with and without dnssec=yes):
while read p; do
  sleep 1
  echo "$p"
  resolvectl query $p > with_dnssec/$p
done <top500

The following domains failed only with DNSSEC=yes (and all failures included DVE- notices in journal).
people.com.cn
search.yahoo.com
news.yahoo.com

(oddly engadget wasn't on the list.. There may be a difference between netword/network-manager?)