On several IPFire systems, I limit outgoing DNS traffic. (DNS, in fact, is considered a low-risk protocol. It certainly is not.)
Only traffic to the upstream nameservers in use is allowed (restricted to port 53 TCP & UDP). Source is set to "firewall|all interfaces". So far, so good.
If the source is changed to "firewall|RED", DNSSEC validation is disabled after reboot (as described in #11917) because test_name_servers() in /etc/init.d/unbound fails to reach any of the servers.
This sounds like outgoing packets from RED are dropped for an unknown reason directly after (re)booting the machine. The bug can be reproduced by following the steps above.