diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index ec9bfd7ad3b..5a4f5c58b6b 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -59,55 +59,6 @@ uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke) {
         return sum & UINT32_C(0xFFFF);
 }
 
-int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max) {
-        size_t c = 0;
-        int r;
-
-        /* Converts the specified hostname into DNSSEC canonicalized
-         * form. */
-
-        if (buffer_max < 2)
-                return -ENOBUFS;
-
-        for (;;) {
-                r = dns_label_unescape(&n, buffer, buffer_max, 0);
-                if (r < 0)
-                        return r;
-                if (r == 0)
-                        break;
-
-                if (buffer_max < (size_t) r + 2)
-                        return -ENOBUFS;
-
-                /* The DNSSEC canonical form is not clear on what to
-                 * do with dots appearing in labels, the way DNS-SD
-                 * does it. Refuse it for now. */
-
-                if (memchr(buffer, '.', r))
-                        return -EINVAL;
-
-                ascii_strlower_n(buffer, (size_t) r);
-                buffer[r] = '.';
-
-                buffer += r + 1;
-                c += r + 1;
-
-                buffer_max -= r + 1;
-        }
-
-        if (c <= 0) {
-                /* Not even a single label: this is the root domain name */
-
-                assert(buffer_max > 2);
-                buffer[0] = '.';
-                buffer[1] = 0;
-
-                return 1;
-        }
-
-        return (int) c;
-}
-
 #if HAVE_GCRYPT
 
 static int rr_compare(DnsResourceRecord * const *a, DnsResourceRecord * const *b) {
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
index dfee7232c05..1f70861cd06 100644
--- a/src/resolve/resolved-dns-dnssec.h
+++ b/src/resolve/resolved-dns-dnssec.h
@@ -58,8 +58,6 @@ int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key);
 
 uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke);
 
-int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
-
 int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
 
 typedef enum DnssecNsecResult {
diff --git a/src/resolve/test-dnssec.c b/src/resolve/test-dnssec.c
index 840c4fa1db6..8c71c49e067 100644
--- a/src/resolve/test-dnssec.c
+++ b/src/resolve/test-dnssec.c
@@ -13,26 +13,6 @@
 #include "string-util.h"
 #include "hexdecoct.h"
 
-static void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {
-        char canonicalized[DNSSEC_CANONICAL_HOSTNAME_MAX];
-
-        assert_se(dnssec_canonicalize(original, canonicalized, sizeof(canonicalized)) == r);
-        if (r < 0)
-                return;
-
-        assert_se(streq(canonicalized, canonical));
-}
-
-static void test_dnssec_canonicalize(void) {
-        test_dnssec_canonicalize_one("", ".", 1);
-        test_dnssec_canonicalize_one(".", ".", 1);
-        test_dnssec_canonicalize_one("foo", "foo.", 4);
-        test_dnssec_canonicalize_one("foo.", "foo.", 4);
-        test_dnssec_canonicalize_one("FOO.", "foo.", 4);
-        test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
-        test_dnssec_canonicalize_one("FOO..bar.", NULL, -EINVAL);
-}
-
 #if HAVE_GCRYPT
 
 static void test_dnssec_verify_dns_key(void) {
@@ -499,8 +479,6 @@ static void test_dnssec_nsec3_hash(void) {
 
 int main(int argc, char *argv[]) {
 
-        test_dnssec_canonicalize();
-
 #if HAVE_GCRYPT
         test_dnssec_verify_dns_key();
         test_dnssec_verify_rfc8080_ed25519_example1();