Expected Behaviour:
When DNSSEC is turned on and the DNS upstream is set to OpenDNS or Cloudflare for Families, ui.com and subdomains should resolve. I should not have to whitelist.
Actual Behaviour:
All ui.com and subdomains don't resolve when DNSSEC is turned on and I try to use either OpenDNS or Cloudflare for Families. I even tried to whitelist the entire domain, which didn't work. I know it's the Pi-hole, as when I configure the IP manually on the client for DNS resolution it works. If I uncheck "use dnssec" it also works. All other websites work.
Notably, in the second example - the red scribbled-over part - it doesn't show the IP address, it shows the hostname. Not sure if this is a clue. This is bizarre as no other websites are blocked. It also doesn't matter who the upstream DNS resolver is (Cisco family or Cloudflare).
OK, no update, no solution, but that's OK, as my assumption is that when I turn on DNSSEC it must cause some issue to that domain with that ISP from my setup. It's repeatable, so I assume it's using DNSSEC anyway as that DNS supports it, and maybe trying to force it may be the problem.
Your screenshots show that Pi-hole has forwarded requests for ww.ui.com to 1.1.1.1, but DNSSEC validation failed because the NSEC(3) record was missing, so the corresponding reply (if any) would have been discarded.
Run from your machine hosting Pi-hole, what's the result of: