Problems with CAA records only with Google and Let's Encrypt

Oh, I'll agree that looks interesting. Let's Encrypt queries with the equivalent of dig's +bufsize=1232 (which was a change last year from 512), and DNSSEC-including responses are more likely to be big enough to trigger that limit and require a switch from UDP to TCP.

3 Likes
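An added example, not part of the original post: a Python sketch of the lookup pattern described above, sending a CAA query that advertises a 1232-byte EDNS buffer with the DNSSEC OK bit set and repeating it over TCP when the UDP answer comes back truncated. The function names, the cleared RD flag and the `server` argument (the IP address of one of your authoritative name servers) are assumptions for illustration.

```python
import socket
import struct

CAA, OPT = 257, 41      # RR types: CAA (RFC 8659), EDNS0 OPT (RFC 6891)
DO_BIT = 0x8000         # "DNSSEC OK" flag, carried in the OPT TTL field
TC_BIT = 0x0200         # "truncated" flag in the DNS header


def build_caa_query(name, qid=0x1234, bufsize=1232, dnssec=True):
    """CAA query with an OPT record advertising `bufsize` (like dig +bufsize=1232)."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"
    # Assumption: RD is left clear, as when asking an authoritative server directly.
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, DO_BIT if dnssec else 0, 0)
    return header + qname + struct.pack("!HH", CAA, 1) + opt


def is_truncated(response):
    """True when the TC bit is set: the answer did not fit and TCP is required."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    return bool(struct.unpack("!H", response[2:4])[0] & TC_BIT)


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed early")
        buf += chunk
    return buf


def query_with_fallback(server, name, timeout=5.0):
    """Ask `server` over UDP; on truncation repeat over TCP. Returns (transport, response)."""
    query = build_caa_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(4096)
    if not is_truncated(response):
        return "udp", response
    # TCP frames each message with a 2-byte length prefix (RFC 1035 section 4.2.2).
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(tcp, 2))
        return "tcp", recv_exact(tcp, length)
```

If `query_with_fallback` fails on the TCP step after a truncated UDP answer, the name server or a firewall in front of it is not answering DNS over TCP on port 53.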