
The submitter doesn't state affected versions, but judging from systemd's NEWS file, the resolved component was first introduced in 213 and later dubbed as "a pretty complete caching DNS and LLMNR stub resolver" in 216: http://lwn.net/Articles/609740/

Considering most users run on a backported 208-stable IIRC (I know RHEL 7 settled on that), I'm not sure how widespread this is. Still concerning that they felt the need to roll their own and not follow RFC guidelines, though.

Considering how plagued with vulnerabilities BIND was, I'd assume DNS is a hard thing to do.



> "a pretty complete caching DNS and LLMNR stub resolver"

That quote is gold. Most of DNS isn't implementing the protocol, but implementing all the protections against cache poisoning, many of which are not intuitive.

But as the oss-sec email says: "systemd-resolved does not implement any of the hardening recommendations of rfc5452."
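A concrete version of the reply matching RFC 5452 asks a stub resolver to do, as an added example that is not systemd's or the oss-sec poster's code. Packets are constructed inline and the upstream server address 192.0.2.53 is a hypothetical value.

```python
import secrets
import struct

# Added example (not systemd code): the checks RFC 5452 expects a stub
# resolver to apply before accepting a reply to an outstanding query.

def encode_name(qname: str) -> bytes:
    """Encode a dotted name in DNS wire format (no compression)."""
    labels = [l.encode() for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def question_of(pkt: bytes) -> tuple:
    """Return (wire qname lowercased, qtype, qclass) of the first question."""
    off = 12
    while pkt[off]:                    # walk the labels to the root byte
        off += 1 + pkt[off]
    off += 1
    return (pkt[12:off].lower(),) + struct.unpack_from(">HH", pkt, off)

def build_query(qname: str, server: tuple, qtype: int = 1) -> dict:
    """Build a query whose ID and source port both come from a CSPRNG."""
    txid = secrets.randbelow(1 << 16)               # full 16-bit ID space
    sport = 1024 + secrets.randbelow(65536 - 1024)  # random ephemeral port
    pkt = (struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
           + encode_name(qname) + struct.pack(">HH", qtype, 1))
    return {"pkt": pkt, "id": txid, "sport": sport, "server": server,
            "question": question_of(pkt)}

def reply_accepted(outstanding: dict, reply: bytes,
                   reply_src: tuple, reply_dst_port: int) -> bool:
    """Accept only if every field RFC 5452 says to match actually matches."""
    if len(reply) < 12:
        return False
    rid, flags, qdcount = struct.unpack_from(">HHH", reply, 0)
    if not flags & 0x8000:                        # QR bit: must be a response
        return False
    if rid != outstanding["id"]:                  # transaction ID
        return False
    if reply_dst_port != outstanding["sport"]:    # our randomized source port
        return False
    if reply_src != outstanding["server"]:        # (ip, port) we sent to
        return False
    try:                                          # question section must match
        return qdcount == 1 and question_of(reply) == outstanding["question"]
    except (IndexError, struct.error):            # truncated or malformed
        return False
```

A reply that fails any one check is dropped silently; an attacker who cannot observe the query must guess both the ID and the port, which is the point of the recommendations.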



