nginx-dns
DoH fails with DNSSEC
"dig @192.168.177.18 +dnssec +https cloudflare.com" fails with
;; communications error to 192.168.177.18#443: failure
;; communications error to 192.168.177.18#443: failure
;; communications error to 192.168.177.18#443: failure
/var/log/nginx/error.log contains
2025/01/23 19:51:17 [warn] 922#922: *775 js: process_doh_request: DNS Req ID: 28296
2025/01/23 19:51:17 [warn] 922#922: *775 js: process_doh_request: DNS Req Name: cloudflare.com
2025/01/23 19:51:17 [warn] 922#922: *775 js: DNS Res: 6e8881a000010003000000010a636c6f7564666c61726503636f6d0000010001c00c00010001000001100004681084e5c00c00010001000001100004681085e5c00c002e000100000110006200010d020000012c6793fd2367913e0386c90a636c6f7564666c61726503636f6d00b3e890a70224d61cc2c220c8c44783fee58b131666fbfccde03ab283a1bcfad1c10291fe177d9cf03243fc6761e22c416e232b5f76647a9c091e25bfdb2432db00002904d000008000001c000a0018aeecad961513a95d0100000067929db5a628e4b04ac4e302
2025/01/23 19:51:17 [warn] 922#922: *775 js: DNS Res Packet: [["id",28296],["flags",129],["codes",160],["min_ttl",272],["qd",1],["an",3],["ns",0],["ar",1],["data",{"type":"Buffer","data":[10,99,108,111,117,100,102,108,97,114,101,3,99,111,109,0,0,1,0,1,192,12,0,1,0,1,0,0,1,16,0,4,104,16,132,229,192,12,0,1,0,1,0,0,1,16,0,4,104,16,133,229,192,12,0,46,0,1,0,0,1,16,0,98,0,1,13,2,0,0,1,44,103,147,253,35,103,145,62,3,134,201,10,99,108,111,117,100,102,108,97,114,101,3,99,111,109,0,179,232,144,167,2,36,214,28,194,194,32,200,196,71,131,254,229,139,19,22,102,251,252,205,224,58,178,131,161,188,250,209,193,2,145,254,23,125,156,240,50,67,252,103,97,226,44,65,110,35,43,95,118,100,122,156,9,30,37,191,219,36,50,219,0,0,41,4,208,0,0,128,0,0,28,0,10,0,24,174,236,173,150,21,19,169,93,1,0,0,0,103,146,157,181,166,40,228,176,74,196,227,2]}],["question",{"name":"cloudflare.com","type":1,"class":1,"qend":32}],["answers",[{"name":"cloudflare.com","type":1,"class":1,"ttl":272,"rdlength":4,"rdata":"104.16.132.229"},{"name":"cloudflare.com","type":1,"class":1,"ttl":272,"rdlength":4,"rdata":"104.16.133.229"},{"name":"cloudflare.com","type":46,"class":1,"ttl":272,"rdlength":98,"rdata":{"type":"Buffer","data":[0,1,13,2,0,0,1,44,103,147,253,35,103,145,62,3,134,201,10,99,108,111,117,100,102,108,97,114,101,3,99,111,109,0,179,232,144,167,2,36,214,28,194,194,32,200,196,71,131,254,229,139,19,22,102,251,252,205,224,58,178,131,161,188,250,209,193,2,145,254,23,125,156,240,50,67,252,103,97,226,44,65,110,35,43,95,118,100,122,156,9,30,37,191,219,36,50,219]}}]],["authority",[]],["additional",[{"name":"","type":41}]],["offset",201],["edns",{"opts":{},"size":1232,"rcode":0,"version":0,"z":32768,"rdlength":28}]]
2025/01/23 19:51:17 [error] 922#922: *773 upstream sent invalid header: "X-DNS-Answers: [A:104.16.132.229],[A:104.16.133.229],[undefined:\x00..." while reading response header from upstream, client: 192.168.177.18, server: , request: "POST /dns-query HTTP/2.0", upstream: "http://127.0.0.1:8053/dns-query", host: "192.168.177.18:443"
"dig @192.168.177.18 +dnssec +tls cloudflare.com" works fine, thus it does not appear to be the issue in https://github.com/TuxInvader/nginx-dns/issues/17.
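The error line in the log shows the type 46 (RRSIG) answer reaching the X-DNS-Answers header as "undefined" followed by raw bytes, which nginx rejects as an invalid upstream header. As an added example (not code from this issue or from nginx-dns), the JavaScript below renders answers as header-safe text and checks the result before it is emitted. All function names are hypothetical, naiveHeader is an assumption about the cause, and the sample records are constructed from the log with the RRSIG rdata truncated.

```javascript
// Added example; not nginx-dns code. All function names are hypothetical.
const TYPE_NAMES = { 1: "A", 2: "NS", 5: "CNAME", 28: "AAAA", 46: "RRSIG", 48: "DNSKEY" };

// Known mnemonic, else RFC 3597 generic notation (e.g. TYPE65), never "undefined".
function typeName(t) {
  return TYPE_NAMES[t] || "TYPE" + t;
}

// Render rdata as printable ASCII. Binary rdata (Buffer, Uint8Array, or the
// {"type":"Buffer","data":[...]} shape seen in the log) is hex-encoded.
function rdataToText(rdata) {
  if (typeof rdata === "string") {
    return rdata.replace(/[^\x21-\x7e]/g,
      (c) => "%" + c.charCodeAt(0).toString(16).padStart(2, "0"));
  }
  const bytes = rdata && rdata.type === "Buffer" ? rdata.data : Array.from(rdata || []);
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join("");
}

function formatAnswersHeader(answers) {
  return answers.map((a) => "[" + typeName(a.type) + ":" + rdataToText(a.rdata) + "]").join(",");
}

// Check before emitting: visible ASCII and space only, no control bytes.
function isHeaderSafe(value) {
  return /^[\x20-\x7e]*$/.test(value);
}

// Constructed approximation of the failing output in the log (an assumption
// about the cause): no name for type 46, rdata bytes copied in raw.
function naiveHeader(answers) {
  const names = { 1: "A" };
  return answers.map((a) => {
    const v = typeof a.rdata === "string" ? a.rdata : String.fromCharCode(...a.rdata.data);
    return "[" + names[a.type] + ":" + v + "]";
  }).join(",");
}

// Constructed sample based on the logged answers; RRSIG rdata truncated to 8 bytes.
const SAMPLE = [
  { type: 1, rdata: "104.16.132.229" },
  { type: 1, rdata: "104.16.133.229" },
  { type: 46, rdata: { type: "Buffer", data: [0, 1, 13, 2, 0, 0, 1, 44] } },
];

console.log(isHeaderSafe(naiveHeader(SAMPLE)), formatAnswersHeader(SAMPLE));
```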