Comment 44 for bug 1624320

openssh relies on RRSIG records to verify the remote key using DNSSEC and SSHFP resource records. See VerifyHostKeyDNS under ssh_config. systemd-resolve breaks this.

Here is a detailed blog article that covers the issue in depth:

https://moss.sh/name-resolution-issue-systemd-resolved/