I can reproduce it with plain Knot Resolver (without forwarding). TL;DR: I see their nameserver replies incorrectly, and perhaps some other resolvers manage to recover from that. Detailed analysis below, for reference.
The first weird reply I see is:
[20505.06][resl] => id: '47107' querying: '8.20.243.107#00053' score: 10 zone cut: 'fressnapf.com.' qname: 'os.FrESsnApf.coM.' qtype: 'NS' proto: 'udp'
[20505.06][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 47107
;; Flags: qr aa cd QUERY: 1; ANSWER: 4; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
os.fressnapf.com. NS
;; ANSWER SECTION
os.fressnapf.com. 3600 NS ns1-04.azure-dns.com.
os.fressnapf.com. 3600 NS ns2-04.azure-dns.net.
os.fressnapf.com. 3600 NS ns3-04.azure-dns.org.
os.fressnapf.com. 3600 NS ns4-04.azure-dns.info.
;; ADDITIONAL SECTION
[20505.06][iter] <= rcode: NOERROR
[20505.06][iter] <= continuing with qname minimization
here the ns?.eurodns.com.
server replies authoritatively, although I expect that it really wanted to reply with a referral (without AA flag; EDIT: and with NS records in AUTHORITY section instead of ANSWER). Consequently, kresd also sends the deeper media.os.fressnapf.com
queries to the same set of servers
[20505.07][resl] => id: '13137' querying: '8.20.243.108#00053' score: 10 zone cut: 'os.fressnapf.com.' qname: 'mEDIA.Os.FRESSnAPf.coM.' qtype: 'A' proto: 'udp'
[20505.07][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13137
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
media.os.fressnapf.com. A
;; AUTHORITY SECTION
os.fressnapf.com. 3600 NS ns1-04.azure-dns.com.
os.fressnapf.com. 3600 NS ns2-04.azure-dns.net.
os.fressnapf.com. 3600 NS ns3-04.azure-dns.org.
os.fressnapf.com. 3600 NS ns4-04.azure-dns.info.
;; ADDITIONAL SECTION
[20505.07][iter] <= rcode: NOERROR
[20505.07][iter] <= lame response: non-auth sent negative response
at which point it apparently attempts referral, but the server has already answered authoritatively on os.fressnapf.com
and now we’re deeper, so kresd gets completely confused (wrt. what the other server apparently meant).