Comment by fer
21 hours ago
If you have systemd-resolved, it tries to validate DNSSEC by default and replies with SERVFAIL if it fails. Same happens here, I go through some privacy focused DNS servers and they sometimes remove the signature.
$ resolvectl query z.ai
z.ai: resolve call failed: DNSSEC validation failed: no-signature
That seems to be it, thanks for the explanation :)