EDNS(0) is not enabled by default in glibc because the option has interoperability issues with some DNS servers. dnsmasq and systemd-resolved don't have such problems.
Enable the option automatically when using a local resolver so that the data provided via EDNS(0) (e.g. SSH fingerprints or DNSSEC information) is available to applications.
While at it, also enable 'trust-ad', as otherwise glibc (from version 2.31) strips the AD bit from responses .
systemd-resolved also adds both flags to resolv.conf when using the stub resolver .
 https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=NEWS;h=12b239c1fbbe789114e59fed136efcdeecc5c9cd;hp=4e28dc473c844ef230e973fc8861bfbd4bc36b74;hb=446997ff1433d33452b81dfa9e626b8dccf101a4;hpb=4a2ab5843a5cc4a5db1b3b79916a520ea8b115dc  https://github.com/systemd/systemd/blob/v246/src/resolve/resolved-resolv-conf.c#L310