I'm running unbound 1.9.1 from the FreeBSD package. I have dnssec validation turned on.
When I try to look up the XN--MGBA3A4F16A. TLD, after a delay I get SERVFAIL. I'm using a local root served by NSD which handles the query without trouble. I turned off the local root, same problem. This happens to be the IDN version of .ir which resolves without trouble. Public resolvers like 8.8.8.8 resolve it too. Any suggestions? (In case you were wondering, I ran a script which checks the NS records of every TLD that's supposed to be in the root, and I found that one and only that one failed.)