RHEL 8.2 systemd-resolved.service and /etc/resolv.conf

A new service called 'systemd-resolved' is not working as expected.
Command 'resolvectl', shows config item 'DNSSEC setting: allow-downgrade'
In my environment it points to a Windows DNS server. The status of the service shows

Using degraded feature set (UDP+EDNS0) for DNS server xyz

Trying a query

resolvectl query www.google.com
www.google.com: resolve call failed: DNSSEC validation failed: failed-auxiliary

so it looks like the 'allow-downgrade' part is not working.

Further to this, my "old style" /etc/resolv.conf file says that it's being controlled by NetworkManager, as opposed to systemd-resolvd. In the fedora docs, they talk about a symlink being needed, but I don't see this present in RHEL 8.2 ?