RFC 8914 - DNSSEC validation failures

From an ISC support customer, another specific use case for extended errors:

"I think our main interest is distinguishing between the class of Server Failed errors that indicate a DNSSEC validation failure and the more transitory sorts (network errors, no authoritative DNS servers available, etc.). We have situations in which we have a DNS server with DNSSEC validation enabled forwarding to another DNS server with validation enabled, and when the forwarder returns Server Failed, it's unclear whether to return that answer to the querier or retry resolution without the forwarder. Does that make sense?"