dig MX trstech.net

makes a SERVFAIL. (The BIND resolver is set to dnssec-validation yes
and uses the ISC DLV registry).

The domain is not signed and has no trust anchor at my resolver (BIND
9.5.0-P2). I cannot reproduce the problem with other similar (no
signature, no trust anchor) domains.

The logfile says:

Nov 6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/IN': 196.200.57.137#53
Nov 6 12:37:25 lilith named[22431]: not insecure resolving 'trstech.net/ANY/IN': 147.28.0.39#53
Nov 6 12:37:26 lilith named[22431]: not insecure resolving 'trstech.net/ANY/IN': 2001:4f8:feec::1#53

Despite the:

logging {
channel dnssec_log { // a DNSSEC log channel
file "/var/tmp/bindlog/dnssec.log" size 20m;
print-time yes; // timestamp the entries
print-category yes; // add category name to entries
print-severity yes; // add severity level to entries
severity debug 3;
};

category dnssec { dnssec_log; };

There is nothing in /var/tmp/bindlog/dnssec.log.

This seems BIND specific. Using OARC DNSSEC resolvers, I see the same
behavior on their BIND resolver (149.20.64.20) but not on the Unbound
one (149.20.64.21).