For what it’s worth, I have a resolver using the same software Let’s Encrypt uses (Unbound), though it’s configured totally differently. Mine also returns SERVFAIL.
I would guess that Unbound considers the above DNSSEC problem a fatal error, but I can’t say for certain.
The problem was with DirectAdmin adding a subdomain as a new zone, confusing DNSSEC in different key records, since the zone test.forcedesign.nl did not have any but forcedesign.nl did.