SERVFAIL while renewing

I think I figured it out.

Here's a typical query to the TLD for chattanoogastate.edu:

$ dig +dnssec +norecurse @m.edu-servers.net. chattanoogastate.edu

; <<>> DiG 9.13.4-1+ubuntu16.04.1+deb.sury.org+1-Ubuntu <<>> +dnssec +norecurse @m.edu-servers.net. chattanoogastate.edu
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33280
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;chattanoogastate.edu.          IN      A

;; AUTHORITY SECTION:
chattanoogastate.edu.   172800  IN      NS      ns2.chattanoogastate.edu.
chattanoogastate.edu.   172800  IN      NS      ns1.chattanoogastate.edu.
chattanoogastate.edu.   86400   IN      DS      10114 5 2 A22479C3577ABDDA48962F74EECCE16D3EFE14B5C95FD9463BA5A28F CD67CF3A
chattanoogastate.edu.   86400   IN      DS      10114 5 1 2CA51C740D54B8B3EBE5D58BD012196D5584A895
chattanoogastate.edu.   86400   IN      DS      10618 5 1 F8B1C75138745E23976CAD453E812D89E366E5A1
chattanoogastate.edu.   86400   IN      DS      10618 5 2 54592BC341F637A43C0D14F0704B58913A2B1B702266083AAEEF11B8 96E84400
chattanoogastate.edu.   86400   IN      DS      4483 5 1 5BC068184A5BEC46EC3C786AB8722C8E74559A3B
chattanoogastate.edu.   86400   IN      DS      4483 5 2 D19A8289B0EA70DF1F986138200EE3D5BDF5CA4FAEECD439C72847A6 965AF362
chattanoogastate.edu.   86400   IN      RRSIG   DS 8 2 86400 20181224062829 20181217051829 37217 edu. jLT2oLNFOmlpS1uDHzIZFNyQwIJkl/EEIXjtaDMZJeMztVgERedHnpb7 yRwTnTLrIaAFIAA3lEPJS64Awfgg1ilHnIIOPJ8m3CNRH9W7N/7EIoka dW2iwkPAwrN5eUwnavIlHvSqUYPnZUPO3J+2qEwPh72ijVLOmIP/ddyy TLs=

;; ADDITIONAL SECTION:
ns2.chattanoogastate.edu. 172800 IN     A       192.230.240.252
ns1.chattanoogastate.edu. 172800 IN     A       192.230.240.3

;; Query time: 16 msec
;; SERVER: 2001:501:b1f9::30#53(2001:501:b1f9::30)
;; WHEN: Tue Dec 18 14:15:52 UTC 2018
;; MSG SIZE  rcvd: 532

However, Let's Encrypt recently changed their EDNS buffer size to only 512 bytes.

Here's a query similar to that:

$ dig +dnssec +norecurse +bufsize=512 @f.edu-servers.net. chattanoogastate.edu

; <<>> DiG 9.13.4-1+ubuntu16.04.1+deb.sury.org+1-Ubuntu <<>> +dnssec +norecurse +bufsize @f.edu-servers.net. chattanoogastate.edu
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23970
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;chattanoogastate.edu.          IN      A

;; AUTHORITY SECTION:
chattanoogastate.edu.   172800  IN      NS      ns2.chattanoogastate.edu.
chattanoogastate.edu.   172800  IN      NS      ns1.chattanoogastate.edu.
chattanoogastate.edu.   86400   IN      DS      10114 5 2 A22479C3577ABDDA48962F74EECCE16D3EFE14B5C95FD9463BA5A28F CD67CF3A
chattanoogastate.edu.   86400   IN      DS      10114 5 1 2CA51C740D54B8B3EBE5D58BD012196D5584A895
chattanoogastate.edu.   86400   IN      DS      10618 5 1 F8B1C75138745E23976CAD453E812D89E366E5A1
chattanoogastate.edu.   86400   IN      DS      10618 5 2 54592BC341F637A43C0D14F0704B58913A2B1B702266083AAEEF11B8 96E84400
chattanoogastate.edu.   86400   IN      DS      4483 5 1 5BC068184A5BEC46EC3C786AB8722C8E74559A3B
chattanoogastate.edu.   86400   IN      DS      4483 5 2 D19A8289B0EA70DF1F986138200EE3D5BDF5CA4FAEECD439C72847A6 965AF362
chattanoogastate.edu.   86400   IN      RRSIG   DS 8 2 86400 20181224062829 20181217051829 37217 edu. jLT2oLNFOmlpS1uDHzIZFNyQwIJkl/EEIXjtaDMZJeMztVgERedHnpb7 yRwTnTLrIaAFIAA3lEPJS64Awfgg1ilHnIIOPJ8m3CNRH9W7N/7EIoka dW2iwkPAwrN5eUwnavIlHvSqUYPnZUPO3J+2qEwPh72ijVLOmIP/ddyy TLs=

;; Query time: 94 msec
;; SERVER: 2001:503:d414::30#53(2001:503:d414::30)
;; WHEN: Tue Dec 18 14:16:17 UTC 2018
;; MSG SIZE  rcvd: 500

It's useless! It fits in 512 bytes, but there are no A records, so it's impossible to proceed! That's why Unbound returns SERVFAIL.

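Added example (not part of the post above, and not Let's Encrypt's or Unbound's code): a standard-library Python model of the exchange described. The server side builds the same signed referral (two in-bailiwick NS records, six DS records, one RRSIG and the two glue A records) with RFC 1035 name compression and trims it to the client's advertised EDNS buffer size, dropping the optional glue before falling back to a truncated reply; the resolver side parses the result and reports whether it can follow the delegation. Names and addresses are taken from the dig output above; the DS digests, RRSIG timestamps and signature bytes are constructed filler, and the trimming policy is a simplified stand-in for what a real authoritative server does. With a 4096-byte buffer the message comes out at 532 bytes and with a 512-byte buffer at 500 bytes with no glue, the two sizes shown in the post.

```python
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_DS, TYPE_RRSIG = 1, 2, 41, 43, 46

# Constructed sample data modelled on the referral in the post: the delegation,
# its in-bailiwick nameservers and their glue. Digests and signature are filler.
ZONE = "chattanoogastate.edu."
NS_NAMES = ["ns2.chattanoogastate.edu.", "ns1.chattanoogastate.edu."]
GLUE = {"ns2.chattanoogastate.edu.": "192.230.240.252",
        "ns1.chattanoogastate.edu.": "192.230.240.3"}
DS_KEYTAGS = (10114, 10618, 4483)


def encode_name(name):
    """Uncompressed wire-format name (RRSIG signer names may not be compressed)."""
    labels = [] if name in ("", ".") else name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


class Packer:
    """Minimal DNS message builder with RFC 1035 name compression."""
    def __init__(self):
        self.buf = bytearray()
        self.offsets = {}  # name suffix -> offset of its first occurrence

    def name(self, name):
        labels = [] if name in ("", ".") else name.rstrip(".").split(".")
        while labels:
            suffix = ".".join(labels)
            if suffix in self.offsets:  # 2-byte pointer to the earlier copy
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            self.offsets[suffix] = len(self.buf)
            self.buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        self.buf += b"\x00"

    def rr(self, name, rtype, ttl, rdata):
        self.name(name)
        self.buf += struct.pack("!HHI", rtype, 1, ttl)
        len_pos = len(self.buf)
        self.buf += b"\x00\x00"
        if callable(rdata):
            rdata(self)  # rdata holding a compressible name (NS target)
        else:
            self.buf += rdata
        struct.pack_into("!H", self.buf, len_pos, len(self.buf) - len_pos - 2)


def build_referral(bufsize, zone=ZONE, ns_names=NS_NAMES, glue=GLUE, sig_len=128):
    """Emulate the TLD server answering a DO=1 query for `zone` with a signed referral,
    trimmed to the client's advertised EDNS buffer size (simplified policy, an assumption):
    glue is dropped first without setting TC, since additional data is optional; if even
    the authority section does not fit, a truncated (TC=1) reply is sent.
    Returns (wire_bytes, number_of_glue_records_dropped)."""
    for keep in range(len(ns_names), -1, -1):
        p = Packer()
        p.buf += struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 0, 0)  # QR set; counts patched below
        p.name(zone); p.buf += struct.pack("!HH", TYPE_A, 1)
        for ns in ns_names:
            p.rr(zone, TYPE_NS, 172800, lambda pk, ns=ns: pk.name(ns))
        for keytag in DS_KEYTAGS:  # algorithm 5 with SHA-1 and SHA-256 digests, as in the post
            for alg, dlen in ((1, 20), (2, 32)):
                p.rr(zone, TYPE_DS, 86400, struct.pack("!HBB", keytag, 5, alg) + bytes(dlen))
        rrsig = struct.pack("!HBBIIIH", TYPE_DS, 8, 2, 86400, 1545633000, 1545028000, 37217)
        p.rr(zone, TYPE_RRSIG, 86400, rrsig + encode_name("edu.") + bytes(sig_len))
        for ns in ns_names[:keep]:
            p.rr(ns, TYPE_A, 172800, bytes(map(int, glue[ns].split("."))))
        p.buf += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)  # OPT with DO bit
        struct.pack_into("!HHHH", p.buf, 4, 1, 0, len(ns_names) + 2 * len(DS_KEYTAGS) + 1, keep + 1)
        if len(p.buf) <= bufsize:
            return bytes(p.buf), len(ns_names) - keep
    p = Packer()
    p.buf += struct.pack("!HHHHHH", 0x1234, 0x8200, 1, 0, 0, 0)  # QR + TC, question only
    p.name(zone); p.buf += struct.pack("!HH", TYPE_A, 1)
    return bytes(p.buf), len(ns_names)


def parse_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if l == 0:
            break
        labels.append(msg[off:off + l].decode("ascii")); off += l
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg):
    """Return (tc_flag, [answer, authority, additional]); RRs are (owner, type, rdata_off, rdlen)."""
    tc = bool(msg[2] & 0x02)
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off); off += 4
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = parse_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            rrs.append((owner, rtype, off, rdlen)); off += rdlen
        sections.append(rrs)
    return tc, sections


def classify_referral(msg):
    """What a resolver can do with the referral: 'follow', 'retry-tcp' or 'servfail'."""
    tc, (_, authority, additional) = parse_message(msg)
    if tc:
        return "retry-tcp"  # truncation is signalled, so the resolver re-asks over TCP
    glue = {owner for owner, rtype, _, _ in additional if rtype == TYPE_A}
    for owner, rtype, off, _ in authority:
        if rtype != TYPE_NS:
            continue
        target, _ = parse_name(msg, off)
        in_bailiwick = target == owner or target.endswith("." + owner)
        if not in_bailiwick or target in glue:
            return "follow"  # this nameserver is reachable, or resolvable outside the zone
    return "servfail"  # every NS sits inside the delegated zone and no glue survived
```

For the 500-byte message classify_referral returns "servfail": both nameservers live inside the zone being delegated, so without glue the resolver would have to ask those very servers for their own addresses. Note that no TC bit is set, so nothing tells the resolver to retry over TCP; a larger advertised buffer, or querying over TCP, is what avoids the dead end.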