Some nameservers time out or return SERVFAIL for any record type they don't understand

An example of such a server found in the wild (at the time of writing)

This nameserver doesn't even understand DNSSEC, but a recursive DNSSEC resolver will return SERVFAIL in this case, which is not an acceptable answer for DANE and the website breaks.

A DANE client should not expect that all nameservers will answer reliably for the TLSA record type.

To avoid breaking services that use such nameservers, we should:

1. Determine if either A or AAAA records of the host are in a DNSSEC-signed zone.
2. If the zone is unsigned, it's safe to skip the result of the TLSA lookup without risking a downgrade attack.

Credits to @vdukhovni for telling me about this idea.
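The decision described above, written out as an added example (not code from this issue or from any DANE implementation): the DNS responses are constructed stand-ins for what a validating recursive resolver would return, and `Rcode`, `DnsResponse`, `Decision` and `dane_decision` are names assumed for the illustration. The key point it makes concrete is that a TLSA SERVFAIL or timeout is only safe to ignore when the address records are unsigned; in a signed zone it must fail closed.

```python
from dataclasses import dataclass
from enum import Enum


class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3


@dataclass
class DnsResponse:
    """Constructed stand-in for one resolver answer (no network involved)."""
    rcode: Rcode
    ad: bool = False          # AD bit: the validating resolver authenticated it
    records: tuple = ()       # answer RDATA, kept opaque for this example
    timed_out: bool = False   # the resolver never answered at all


class Decision(Enum):
    USE_TLSA = "verify the TLS certificate against the TLSA records"
    NO_TLSA = "signed zone but no TLSA records: fall back to plain PKIX"
    SKIP_UNSIGNED = "unsigned zone: ignore the TLSA lookup, plain PKIX"
    FAIL_CLOSED = "signed zone but TLSA lookup unreliable: abort"


def address_zone_is_signed(address_responses):
    """True if any A/AAAA answer carried AD=1.

    Assumption: the stub sends DO=1 to a validating resolver, so AD=1 means
    the host name sits under a DNSSEC-signed zone with a valid chain of trust.
    """
    return any(r.rcode == Rcode.NOERROR and r.ad and not r.timed_out
               for r in address_responses)


def dane_decision(address_responses, tlsa_response):
    if not address_zone_is_signed(address_responses):
        # Unsigned zone: TLSA could be stripped by anyone anyway, so a broken
        # authoritative server's SERVFAIL/timeout costs no security.
        return Decision.SKIP_UNSIGNED
    if tlsa_response.timed_out or tlsa_response.rcode == Rcode.SERVFAIL:
        # Signed zone: an unreliable TLSA answer may be a downgrade attempt.
        return Decision.FAIL_CLOSED
    if tlsa_response.rcode == Rcode.NOERROR and tlsa_response.ad and tlsa_response.records:
        return Decision.USE_TLSA
    # NXDOMAIN, empty NOERROR, or unauthenticated data: treat TLSA as absent.
    return Decision.NO_TLSA
```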