OPT record is not sent on validation failures
kresd a36b705a does not reply with OPT record (EDNS) when it is sending SERVFAIL caused by DNSSEC validation failure.
This breaks the rules specified in https://tools.ietf.org/html/rfc6840#section-5.6 because the DO bit must be reflected back to the requestor. Also, it might potentially cause problems with EDNS version negotiation if the failed query is the first request sent by the client to kresd.
As far as I can tell unbound-1.6.0-6.fc25.x86_64 replies with OPT record and DO bit set accordingly even on validation failures.
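A way to check the behaviour described in this report, as an added example that is not part of the original issue or of the kresd code base: a minimal wire-format parser that reports whether a DNS response carries an OPT record and whether its DO bit matches the query. The function names, the `bogus.example` name and the two SERVFAIL messages are constructed for illustration; they are not captured traffic.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length

def edns_info(msg):
    """Parse a DNS response and return (rcode, has_opt, do_bit)."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    has_opt, do_bit = False, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:                    # OPT pseudo-RR
            has_opt = True
            do_bit = bool(ttl & 0x8000)    # TTL = ext-rcode | version | DO | Z
    return flags & 0xF, has_opt, do_bit

def do_reflected(query_do, response):
    """True when the response copies the query's DO bit (RFC 6840 sec. 5.6)."""
    _rcode, _has_opt, do_bit = edns_info(response)
    return do_bit == query_do

def servfail(name, with_opt, do=True):
    """Build a constructed SERVFAIL response, with or without an OPT record."""
    flags = 0x8000 | 0x0100 | 0x0080 | 2   # QR, RD, RA, RCODE=SERVFAIL
    hdr = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 1 if with_opt else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)   # A, IN
    opt = b""
    if with_opt:                           # root owner, UDP size 4096, no RDATA
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do else 0, 0)
    return hdr + question + opt

if __name__ == "__main__":
    for label, with_opt in (("without OPT", False), ("with OPT+DO", True)):
        resp = servfail("bogus.example", with_opt)
        print(label, edns_info(resp), "DO reflected:", do_reflected(True, resp))
```
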