Hetzner server and upstream DNS: Spamhaus ignoring DQS key

First of all, thanks for your reply!

Most emails — but not all of them! — have this:

0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to
zen.spamhaus.org was blocked due to usage of an
open resolver. See
https://www.spamhaus.org/returnc/pub/
[62.149.156.61 listed in zen.spamhaus.org]

The oddest thing is that it does indeed sometimes work, as the DQS dashboard shows:

I did apply the changes when I first made them, and rebooted just earlier (which incidentally triggered the apache2 bug that your script at Nginx + apache + ssl = 421 misdirected request - #5 by sahsanu solved (thanks for that!)).
Apparently 127.0.0.53 is a systemd quirk and indeed my /etc/resolv.conf is just a symlink to /run/systemd/resolve/stub-resolv.conf

I had missed that, thanks. The problem remains though: for some reason, my attempts at querying 2.0.0.127.zen.spamhaus.org, despite going through 127.0.0.1, return 127.255.255.254 (which means “you’re using an open DNS!”), and mine is not even an open DNS!

I’m going to give that a go, I admit I had no idea about that file. I stopped using Linux as my main driver before it became a thing. :)

I just tested again and once again SpamAssassin seems to query the standard zen server (and via some open resolver too). Even weirder, there’s also a complaint about using dbl, which is NOT in my dnsbl.conf file.

In fact, I commented out the DQS subdomain too so that it only contained the spamcop one, restarted spamd, and sent myself an email… and got this:

Aug 03 20:56:49 luna.example.com spamd[6659]: spamd: checking message <[email protected]> for debian-spamd:120
Aug 03 20:56:49 luna.example.com named[768]: loop detected resolving 'ns1.dreamhost.com/A'
Aug 03 20:56:49 luna.example.com named[768]: loop detected resolving 'ns3.dreamhost.com/A'
Aug 03 20:56:49 luna.example.com named[768]: loop detected resolving 'ns3.dreamhost.com/AAAA'
Aug 03 20:56:49 luna.example.com named[768]: loop detected resolving 'ns1.dreamhost.com/AAAA'
Aug 03 20:56:49 luna.example.com named[768]: loop detected resolving 'ns2.dreamhost.com/A'
Aug 03 20:56:49 luna.example.com named[768]: loop detected resolving 'ns2.dreamhost.com/AAAA'
Aug 03 20:56:49 luna.example.com named[768]: success resolving '41.218.85.209.list.dnswl.org/A' after disabling qname minimization due to 'ncache nxdomain'
Aug 03 20:56:49 luna.example.com named[768]: loop detected resolving 'ns2.dreamhost.com/A'
Aug 03 20:56:49 luna.example.com named[768]: loop detected resolving 'ns1.dreamhost.com/A'
Aug 03 20:56:49 luna.example.com named[768]: loop detected resolving 'ns3.dreamhost.com/A'
Aug 03 20:56:49 luna.example.com named[768]: success resolving '41.218.85.209.wl.mailspike.net/A' after disabling qname minimization due to 'ncache nxdomain'
Aug 03 20:56:49 luna.example.com named[768]: success resolving '41.218.85.209.zen.spamhaus.org/A' after disabling qname minimization due to 'ncache nxdomain'
Aug 03 20:56:50 luna.example.com named[768]: REFUSED unexpected RCODE resolving 'bl.score.senderscore.com/NS/IN': 50.17.210.219#53
Aug 03 20:56:50 luna.example.com named[768]: REFUSED unexpected RCODE resolving 'bl.score.senderscore.com/NS/IN': 3.222.213.252#53
Aug 03 20:56:50 luna.example.com named[768]: REFUSED unexpected RCODE resolving 'bl.score.senderscore.com/NS/IN': 34.198.135.31#53
Aug 03 20:56:50 luna.example.com named[768]: REFUSED unexpected RCODE resolving 'bl.score.senderscore.com/NS/IN': 18.210.38.0#53
Aug 03 20:56:50 luna.example.com named[768]: success resolving '41.218.85.209.bl.score.senderscore.com/A' after disabling qname minimization due to 'failure'
Aug 03 20:56:50 luna.example.com spamd[6659]: check: dns_block_rule RCVD_IN_ZEN_BLOCKED_OPENDNS hit, creating /root/.spamassassin/dnsblock_zen.spamhaus.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny zen.spamhaus.org" to disable queries)
Aug 03 20:56:50 luna.example.com spamd[6659]: spamd: clean message (3.1/5.0) for debian-spamd:120 in 0.9 seconds, 3102 bytes.
Aug 03 20:56:50 luna.example.com spamd[6659]: spamd: result: .  3 - DMARC_NONE,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RCVD_IN_ZEN_BLOCKED_OPENDNS,SPF_HELO_NONE,SPF_PASS,TVD_SPACE_RATIO,URIBL_DBL_BLOCKED_OPENDNS scantime=0.9,size=3102,user=debian-spamd,uid=120,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41572,mid=<[email protected]>,autolearn=no autolearn_force=no

And while I do have a .spamassassin directory in /root, it’s empty. I’m even more confused at this point, and someone else had a similar problem but there’s no answer.

(As a side note, it looks like restarting spamassassin from the web panel fails and just says “Error: ERROR: Restart of spamassassin failed.”; I’ve been using service spamd restart)
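
A triage helper for the symptoms in the post above, as an added example that is not part of the original post: it interprets the answer to the `2.0.0.127.<zone>` test query and scans spamd/named journal lines for block-rule hits and lookups that still go to the public `zen.spamhaus.org` zone. The function names, the sample lines and the two error codes other than `127.255.255.254` (taken from Spamhaus' published return codes) are assumptions, not taken from the post.

```python
import re

# Spamhaus answers in 127.255.255.0/24 are error codes, not listings
# (assumption from Spamhaus' published codes; the post only cites .254).
ERROR_CODES = {
    "127.255.255.252": "typo in the DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
BLOCK_HIT = re.compile(r"dns_block_rule (\S+) hit, creating \S*dnsblock_(\S+)")
RESULT = re.compile(r"spamd: result: .*? - (\S+) scantime=")
RESOLVED = re.compile(r"named\[\d+\]: success resolving '(\S+?)/A'")

def classify_answer(addr):
    """Interpret the A record returned for 2.0.0.127.<zone>."""
    if addr in ERROR_CODES:
        return "error: " + ERROR_CODES[addr]
    return "listed" if addr.startswith("127.0.0.") else "unexpected"

def triage(lines):
    """Collect blocked zones, *_BLOCKED* rules and public-zen lookups."""
    report = {"blocked_zones": set(), "blocked_rules": set(), "public_zen": []}
    for line in lines:
        if m := BLOCK_HIT.search(line):
            report["blocked_zones"].add(m.group(2))
        if m := RESULT.search(line):
            report["blocked_rules"].update(
                r for r in m.group(1).split(",") if "_BLOCKED" in r)
        if (m := RESOLVED.search(line)) and m.group(1).endswith(".zen.spamhaus.org"):
            report["public_zen"].append(m.group(1))
    return report

# Constructed sample, shaped like the journal lines in the post.
SAMPLE = [
    "Aug 03 20:56:49 mx.example.test named[768]: success resolving "
    "'41.218.85.209.zen.spamhaus.org/A' after disabling qname minimization",
    "Aug 03 20:56:50 mx.example.test spamd[6659]: check: dns_block_rule "
    "RCVD_IN_ZEN_BLOCKED_OPENDNS hit, creating "
    "/root/.spamassassin/dnsblock_zen.spamhaus.org (This means ...)",
    "Aug 03 20:56:50 mx.example.test spamd[6659]: spamd: result: . 3 - "
    "SPF_PASS,RCVD_IN_ZEN_BLOCKED_OPENDNS,URIBL_DBL_BLOCKED_OPENDNS "
    "scantime=0.9,size=3102",
]

if __name__ == "__main__":
    print(classify_answer("127.255.255.254"))
    print(triage(SAMPLE))
```

A non-empty `public_zen` list alongside a `*_BLOCKED_OPENDNS` rule shows that the running spamd is still querying the public zone rather than the DQS one.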