Another bit of digging makes me think the root cause here was an update to my UDM-SE yesterday to v8.6.9
If I do dig @192.168.0.1 +tcp DNSKEY +dnssec weather.gov it just hangs.
If I do the same command against my ISP's DNS server dig @192.152.0.1 +tcp DNSKEY +dnssec weather.gov it works.
I have my pihole's set up to just use my router as upstream DNS so that it just passes through the the ISP. Changing that to hard-code my ISP's DNS in the pihole fixes the weather.gov lookups