Description
Not sure if this is really a bug but I would like to note this. Trying to resolve "sas.com" fails with unbound (head) if dnssec-validation is enabled:
2024-01-04T10:40:01 sdb unbound: [898890:1] info: validation failure <sas.com. A IN>: signature for expected key and algorithm missing from 40.120.32.101 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:2] info: validation failure <sas.com. HTTPS IN>: signature for expected key and algorithm missing from 40.120.32.101 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:1] info: validation failure <sas.com. AAAA IN>: signature for expected key and algorithm missing from 15.197.178.251 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:3] info: validation failure <sas.com. A IN>: signature for expected key and algorithm missing from 3.33.177.68 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:0] info: validation failure <sas.com. AAAA IN>: signature for expected key and algorithm missing from 15.197.178.251 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:0] info: validation failure <sas.com. HTTPS IN>: signature for expected key and algorithm missing from 3.33.177.68 for key sas.com. while building chain of trust
Checking dnssec-setup with verisign says everything is fine:
https://dnssec-analyzer.verisignlabs.com/sas.com#
Checking against dnsviz.net. As far as I understand there seems to be a valid path and also an invalid path in the trust-chain:
https://dnsviz.net/d/sas.com/dnssec/
For my very limited understanding of dnssec the chain of trust has at least one valid path and for this unbound should resolve - or am I wrong here?
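A triage aid for the log excerpt above, added here as an example and not part of the original issue or of Unbound: it parses the `validation failure` lines and groups them by key, failure reason and upstream address, so it is visible at a glance whether one server or all of them trigger the same failure. The regular expression and the function names are assumptions fitted to the six lines quoted in the issue, not a documented Unbound log format.

```python
import re
from collections import defaultdict

# The six log lines quoted in the issue, unchanged.
SAMPLE = """\
2024-01-04T10:40:01 sdb unbound: [898890:1] info: validation failure <sas.com. A IN>: signature for expected key and algorithm missing from 40.120.32.101 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:2] info: validation failure <sas.com. HTTPS IN>: signature for expected key and algorithm missing from 40.120.32.101 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:1] info: validation failure <sas.com. AAAA IN>: signature for expected key and algorithm missing from 15.197.178.251 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:3] info: validation failure <sas.com. A IN>: signature for expected key and algorithm missing from 3.33.177.68 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:0] info: validation failure <sas.com. AAAA IN>: signature for expected key and algorithm missing from 15.197.178.251 for key sas.com. while building chain of trust
2024-01-04T10:40:01 sdb unbound: [898890:0] info: validation failure <sas.com. HTTPS IN>: signature for expected key and algorithm missing from 3.33.177.68 for key sas.com. while building chain of trust
"""

# Assumed line layout (derived from the sample only):
# <ts> <host> unbound: [pid:thread] info: validation failure <qname qtype qclass>:
#   <reason> from <server> for key <key> [while <stage>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) unbound: \[(?P<pid>\d+):(?P<thread>\d+)\] info: "
    r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<server>\S+) for key (?P<key>\S+)"
    r"(?: while (?P<stage>.+))?$"
)

def parse_failures(text):
    """Return one dict per 'validation failure' line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(records):
    """Map (key, reason, stage) -> {upstream server: sorted query types that failed}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for r in records:
        grouped[(r["key"], r["reason"], r["stage"])][r["server"]].add(r["qtype"])
    return {k: {s: sorted(t) for s, t in v.items()} for k, v in grouped.items()}

if __name__ == "__main__":
    for (key, reason, stage), servers in summarize(parse_failures(SAMPLE)).items():
        print(f"key {key}: {reason} (while {stage})")
        for server, qtypes in sorted(servers.items()):
            print(f"  from {server}: {', '.join(qtypes)}")
```
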