this issue can be reproduced with the unicast instance of that provider as well:
[root@maverick ~]# kdig @188.8.131.52 +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=unicast.censurfridns.dk -d
;; DEBUG: Querying for owner(.), class(1), type(2), server(184.108.40.206), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=unicast.censurfridns.dk
;; DEBUG: SHA-256 PIN: INSZEZpDoWKiavosV2/xVT8O83vk/RRwS+LTiL+IpHs=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG: SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The revocation or OCSP data are old and have been superseded.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 220.127.116.11@853(TCP)
Interesting to see, will dig deeper in order to find out what exactly goes wrong here…
EDIT: This looks like the certificate comes with the “OCSP must staple” flag set, but the OCSP information provided is too old - perhaps a broken cron job on the operators’ side?
Thanks, and best regards,
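Added example, not part of the message above: the verification string kdig prints ("The revocation or OCSP data are old and have been superseded.") is the status text of GnuTLS, kdig's TLS library, for a stale stapled OCSP response, so two things are worth checking on the operator side: whether the certificate really carries the TLS Feature extension (status_request, "OCSP Must-Staple", RFC 7633), and what the server is actually stapling. The script below does the first check offline against a constructed throwaway certificate (not the censurfridns.dk certificate) and shows the live command for the second. It assumes only the openssl CLI (1.1.0 or newer); the host/port arguments of the live check are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): detect the OCSP Must-Staple
# extension in a certificate and inspect the OCSP response a TLS server
# staples. Assumes the openssl CLI (1.1.0 or newer) is installed.
set -eu

# Generate a constructed self-signed certificate, with or without the
# Must-Staple extension, so has_must_staple can be exercised offline.
# This is a throwaway test cert, not the censurfridns.dk certificate.
#   $1 = output directory, $2 = "yes" to add tlsfeature=status_request
make_test_cert() {
  dir=$1
  want=$2
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    printf '[dn]\nCN = must-staple.example\n'
    printf '[v3]\nsubjectAltName = DNS:must-staple.example\n'
    if [ "$want" = yes ]; then
      # RFC 7633 TLS Feature extension asking for status_request (OCSP stapling)
      printf 'tlsfeature = status_request\n'
    fi
  } > "$dir/ext.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -config "$dir/ext.cnf" -extensions v3 >/dev/null 2>&1
}

# Exit 0 if the PEM certificate in $1 carries the Must-Staple extension,
# 1 otherwise. openssl prints the extension as "X509v3 TLS Feature".
has_must_staple() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Feature'
}

# Live check (needs network, not run by the offline test): ask the DoT
# endpoint for a stapled OCSP response and print its status and validity
# window. A "Next Update" in the past, or no response at all on a
# Must-Staple certificate, is what makes a strict client refuse the
# handshake. $1 = hostname, $2 = port (defaults to 853, DNS over TLS).
show_stapled_ocsp() {
  host=$1
  port=${2:-853}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null \
    | sed -n '/OCSP Response Data/,/^====/p' \
    | grep -E 'OCSP Response Status|Cert Status|This Update|Next Update'
}

# Usage (live): show_stapled_ocsp unicast.censurfridns.dk
# Usage (offline): d=$(mktemp -d); make_test_cert "$d" yes; has_must_staple "$d/cert.pem"
```

If has_must_staple succeeds for the server's leaf certificate and show_stapled_ocsp prints nothing (no response stapled) or a "Next Update" that has already passed, the server, not the client, is at fault: a Must-Staple certificate obliges the operator to keep fetching fresh OCSP responses from the CA and to serve them in the handshake.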