Fedora 33 configures GnuTLS to consider some algorithms as insecure, so they aren't normally usable. However, some of them still MUST be supported in validators. Fortunately GnuTLS provides a flag for signature verification; signing itself remains broken (most likely; it's RSA_SHA1* in the F33 case).
Tested on Knot Resolver + the full algorithm matrix.