I have implemented a DNSSEC monitoring solution which does a number of checks and reports and logs the results. Among others it queries 188.8.131.52 (Cloudflare DNS). This has been running for a couple of months now, so I have a fair amount of data.
Sporadically I get errors where RRSIGs cannot be verified, even for the domain desec.io! I also get errors (with an ever-higher frequency) for another DNS provider when using their DNSSEC solution. Over time the frequency of the errors seems to be increasing.
For example from a report dated 2021.01.12 20:00:58 +0100:
ERROR: DNSSEC verification failed for 2 TXT records using DNS resolver 184.108.40.206! For desec.io TXT (#2033)
    desec.io. TXT "v=spf1 a mx -all"
    desec.io. TXT "google-site-verification=kHvNl9DPVIQMSbpPgc-j_hZrNTYFxgEcICtgtJaogXA"
    desec.io. RRSIG TXT 8 2 900 20210121000000 20201231000000 32110 desec.io. K41jLast0ud+gc1cicxYmEj7NFjlMA7ayOVuMKu2aaxWaJHdnwBlM2mr OoNsXVdkQAJvqPlIhFXI7uREDQDqXr6EWwktLAE6/Xbhjz3oHYuRticL e/czTnqkD34hxOYtfWQ6cICB979XqKHIwfrt5GzNqxnX1LSGoD/jbteM ZwE=
The same queries to 220.127.116.11 (Google Public DNS) and to the local verifying DNS resolver (OpenBSD 6.8 unbound(8)), made at virtually the same time, do not result in these errors. That leaves me to conclude that Cloudflare DNS is broken w.r.t. DNSSEC.
Unfortunately I have not found any way to contact their support. If someone knows a way to contact them, please let me know.
Anyway, I wanted to let people know that at this time I cannot recommend using 18.104.22.168 when using DNSSEC, or even in general, as more and more domains are DNSSEC secured and may exhibit similar problems leading to outages. Otherwise 22.214.171.124 has proven to be very fast and reliable, so a deficiency like this is very unfortunate.
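The two checks the post relies on, whether the RRSIG in the report was actually inside its validity window at the time of the failure, and whether only one resolver fails a query that the other resolvers pass at the same run, can be reproduced offline. The following is an added example, not the poster's monitoring code; it uses only the Python standard library, takes the RRSIG line verbatim from the report above, and builds a small constructed set of per-resolver observations (the resolver addresses 188.8.131.52 and 220.127.116.11 are the ones named in the post; "local-unbound" is an assumed label for the local validating resolver).

```python
"""Offline DNSSEC monitoring checks (added example, not the original poster's tool).

1. parse_rrsig / window_status: decode an RRSIG in presentation format and test
   its inception/expiration against a timestamp, the most common benign cause of
   "RRSIG cannot be verified" (expired or not-yet-valid signature, clock skew).
2. resolver_disagreements: compare validation outcomes across resolvers for the
   same query at the same run, so a resolver-specific failure can be told apart
   from a genuinely broken zone (where every resolver fails).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rrsig:
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature_b64: str


def _parse_sig_time(token: str) -> datetime:
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(token) == 14:
        return datetime.strptime(token, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(token), tz=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG RR in presentation format; a leading TTL and class are optional.

    Field order after the RRSIG type: type_covered algorithm labels original_ttl
    sig_expiration sig_inception key_tag signer_name signature (base64, may be
    split across several whitespace-separated chunks by dig-style output).
    """
    parts = line.split()
    f = parts[parts.index("RRSIG") + 1:]
    return Rrsig(
        type_covered=f[0], algorithm=int(f[1]), labels=int(f[2]),
        original_ttl=int(f[3]), expiration=_parse_sig_time(f[4]),
        inception=_parse_sig_time(f[5]), key_tag=int(f[6]), signer=f[7],
        signature_b64="".join(f[8:]),
    )


def window_status(sig: Rrsig, now: datetime) -> str:
    """Return 'not-yet-valid', 'expired' or 'in-window' for the signature at time now."""
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    return "in-window"


def resolver_disagreements(observations):
    """observations: iterable of (run_id, resolver, qname, qtype, validated: bool).

    Returns (failure_rate_per_resolver, disagreements). A disagreement is a run of
    one query where exactly one resolver failed validation while every other
    resolver passed it; runs where all resolvers fail are left out, since those
    point at the zone (or its signatures) rather than at a resolver.
    """
    by_run = defaultdict(dict)              # (run_id, qname, qtype) -> {resolver: ok}
    totals = defaultdict(lambda: [0, 0])    # resolver -> [failures, queries]
    for run_id, resolver, qname, qtype, ok in observations:
        by_run[(run_id, qname, qtype)][resolver] = ok
        totals[resolver][1] += 1
        if not ok:
            totals[resolver][0] += 1
    disagreements = []
    for key, results in by_run.items():
        failed = [r for r, ok in results.items() if not ok]
        if len(failed) == 1 and len(results) > 1:
            disagreements.append((key, failed[0]))
    rates = {r: failures / queries for r, (failures, queries) in totals.items()}
    return rates, disagreements


# The RRSIG line exactly as it appears in the report quoted in the post.
REPORT_RRSIG = (
    "desec.io. RRSIG TXT 8 2 900 20210121000000 20201231000000 32110 desec.io. "
    "K41jLast0ud+gc1cicxYmEj7NFjlMA7ayOVuMKu2aaxWaJHdnwBlM2mr "
    "OoNsXVdkQAJvqPlIhFXI7uREDQDqXr6EWwktLAE6/Xbhjz3oHYuRticL "
    "e/czTnqkD34hxOYtfWQ6cICB979XqKHIwfrt5GzNqxnX1LSGoD/jbteM ZwE="
)
# Report timestamp 2021.01.12 20:00:58 +0100, expressed in UTC.
REPORT_TIME = datetime(2021, 1, 12, 19, 0, 58, tzinfo=timezone.utc)

# Constructed observations (not real measurements) in the shape a cross-resolver
# monitor would log: one run where only 188.8.131.52 fails, one clean run, and
# one run where every resolver fails the same (hypothetical) zone.
RESOLVER_A, RESOLVER_B, RESOLVER_C = "188.8.131.52", "220.127.116.11", "local-unbound"
SAMPLE_OBSERVATIONS = [
    ("run-1", RESOLVER_A, "desec.io.", "TXT", False),
    ("run-1", RESOLVER_B, "desec.io.", "TXT", True),
    ("run-1", RESOLVER_C, "desec.io.", "TXT", True),
    ("run-2", RESOLVER_A, "desec.io.", "TXT", True),
    ("run-2", RESOLVER_B, "desec.io.", "TXT", True),
    ("run-2", RESOLVER_C, "desec.io.", "TXT", True),
    ("run-3", RESOLVER_A, "example.test.", "A", False),
    ("run-3", RESOLVER_B, "example.test.", "A", False),
    ("run-3", RESOLVER_C, "example.test.", "A", False),
]

if __name__ == "__main__":
    sig = parse_rrsig(REPORT_RRSIG)
    print(f"key tag {sig.key_tag}, alg {sig.algorithm}, "
          f"{sig.inception:%Y-%m-%d} .. {sig.expiration:%Y-%m-%d}: "
          f"{window_status(sig, REPORT_TIME)} at report time")
    rates, flagged = resolver_disagreements(SAMPLE_OBSERVATIONS)
    for resolver, rate in rates.items():
        print(f"{resolver}: failure rate {rate:.0%}")
    for (run_id, qname, qtype), resolver in flagged:
        print(f"{run_id} {qname} {qtype}: only {resolver} failed validation")
```

Run against the report's own RRSIG, the signature is well inside its window (inception 2020-12-31, expiration 2021-01-21) at 2021-01-12 19:00:58 UTC, so signature expiry or clock skew does not explain the failure; the cross-resolver comparison then singles out the one resolver that failed where the others validated, which is exactly the distinction the post draws between a resolver problem and a broken zone.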