OPT record is not sent on validation failures
kresd a36b705a does not reply with OPT record (EDNS) when it is sending SERVFAIL caused by DNSSEC validation failure.
This breaks rules specified in https://tools.ietf.org/html/rfc6840#section-5.6 because DO bit must be reflected back to the requestor. Also, it might potentially cause problems with EDNS version negotiation if the failed query is a first request sent by the client to
As far as I can tell
unbound-1.6.0-6.fc25.x86_64 replies with OPT record and DO bit set accordingly even on validation failures.