If you have systemd-resolved, it tries to validate DNSSEC by default and replies with SERVFAIL if it fails. Same happens here, I go through some privacy focused DNS servers and they sometimes remove the signature.

$ resolvectl query z.ai

z.ai: resolve call failed: DNSSEC validation failed: no-signature