PowerDNS Auth and Recursor - Bug with one domain?

I have a problem with one of my domains on my private DNS. I have two servers.

Server 1 with dnsdist. It directs to port 54 to server 2

Server 2 with powerdns (port 53) and powerdns-recursor (port 54)

My configuration is working fine.

pdns.conf

allow-axfr-ips=X.X.X.X

also-notify=X.X.X.X

only-notify=X.X.X.X

daemon=yes

default-soa-content=ns1.example.eu1. admin.example.eu. 0 10800 3600 604800 3600

default-ttl=3600

disable-axfr=no

guardian=yes

include-dir=/etc/powerdns/pdns.d

launch=

local-address=X.X.X.X

local-port=53

log-dns-details=on

loglevel=4

master=yes

receiver-threads=2

setgid=pdns

setuid=pdns

slave=no


query-cache-ttl=60

Recursor.conf

dont-query=127.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32
allow-from=10.0.0.0/8, 127.0.0.0/8, 10.12.0.0/16, 10.13.0.0/16, 195.88.50.0/26, 10.66.0.0/16, 10.64.0.0/16
local-address=X.X.X.X
local-port=54
forward-zones=admin=X.X.X.X:53
max-negative-ttl=300

And I am getting records from the internet correctly. For example:

dig gmail.com TXT @X.X.X.X

; <<>> DiG 9.10.6 <<>> gmail.com TXT @X.X.X.X
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21866
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gmail.com.         IN  TXT

;; ANSWER SECTION:
gmail.com.      103 IN  TXT "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
gmail.com.      103 IN  TXT "v=spf1 redirect=_spf.google.com"

But I ran into a problem with one domain. More specifically, with one TXT record. It returns me the A, NS record correctly. But not TXT.

dig domain.pl TXT @X.X.X.X

(this domains is example ;) )

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47032
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.pl.         IN  TXT

When I add 8.8.8

dig domain.pl TXT @8.8.8.8 

It gets correctly

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10134
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;domain.pl.         IN  TXT

;; ANSWER SECTION:
domain.pl.      3600    IN  TXT "FHEdYvpM4TH6rmkf5U/YZ9I7VY6j3YftBJ1W7TVNh+ymbXU++rhkb1sXGnleSybC8NnUtP2ALk7/mAHE9LVgGg=="

And it's not a cache. It was cleaned. It just doesn't see the TXT record every time.

Anyone have any ideas?

In the logs, I see:

Failed to resolve via any of the 2 offered NS at level
failed (res=-1) 

Ok, am găsit problema. Acum merge bine. în recursor conf am adăugat dnssec=off