See https://dnsviz.net/d/pop3.pauperis.org/YifJYQ/dnssec/
This name has a huge DNSSEC misconfiguration (typical case of a mismatch between the DS record at the parent, aka the registry, and the DNSKEY records found in the child). This needs to be solved before the whole domain works correctly.
Easy to spot also by comparing a normal answer through a validating resolver (hence with DNSSEC validation) and then explicitly forbidding DNSSEC validation:
$ dig pop3.pauperis.org @9.9.9.9
; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39260
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c145784edda54901
;; QUESTION SECTION:
;pop3.pauperis.org. IN A
;; QUERY SIZE: 58
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39260
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 9 (DNSKEY Missing)
SERVFAIL can be a lot of things, but DNSSEC fatal errors are always reported with the SERVFAIL error code. Note in passing the Extended DNS Error: DNSKEY Missing.
And then the same query bypassing DNSSEC validation (thanks to the dig +cd flag):
$ dig pop3.pauperis.org @9.9.9.9 +cd
; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9 +cd
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c028e114f2c210f8
;; QUESTION SECTION:
;pop3.pauperis.org. IN A
;; QUERY SIZE: 58
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pop3.pauperis.org. IN A
;; ANSWER SECTION:
pop3.pauperis.org. 1h IN CNAME pauperis.org.
pauperis.org. 1h IN A 91.121.85.222
Now you get NOERROR. The simple fact that removing the DNSSEC validation makes things work is good proof that the error is DNSSEC related.
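The comparison above can be scripted. This is an added example, not part of the original answer: the function names (`dig_status`, `dig_ede`, `classify`, `diagnose`, `check_name`) are hypothetical, and the two sample strings are abridged from the dig output shown above so that the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example: classify a resolver failure by comparing a validating
# query with the same query sent with +cd (Checking Disabled).

# RCODE of the *response* header in dig output read from stdin. The
# output above also shows the header of the query that was sent (always
# NOERROR), so only the last HEADER line is used.
dig_status() {
  sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | tail -n 1
}

# Extended DNS Error text from the OPT pseudosection, empty if absent.
dig_ede() {
  sed -n 's/^; EDE: \(.*\)$/\1/p' | tail -n 1
}

# classify <status with validation> <status with +cd>
classify() {
  case "$1/$2" in
    SERVFAIL/SERVFAIL) echo "servfail-even-with-cd" ;;     # validation alone does not explain it
    SERVFAIL/*)        echo "dnssec-validation-failure" ;; # works once validation is skipped
    *)                 echo "no-validation-failure" ;;
  esac
}

# diagnose <dig output with validation> <dig output with +cd>
diagnose() (
  s1=$(printf '%s\n' "$1" | dig_status)
  s2=$(printf '%s\n' "$2" | dig_status)
  ede=$(printf '%s\n' "$1" | dig_ede)
  echo "$(classify "$s1" "$s2") validating=$s1 cd=$s2 ede=${ede:-none}"
)

# Live check; needs network access and a validating resolver.
# check_name <name> [resolver]   (resolver defaults to 9.9.9.9, as above)
check_name() (
  resolver=${2:-9.9.9.9}
  diagnose "$(dig "$1" "@$resolver")" "$(dig "$1" "@$resolver" +cd)"
)

# Sample inputs, abridged from the output shown above.
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39260
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39260
; EDE: 9 (DNSKEY Missing)'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
pop3.pauperis.org. 1h IN CNAME pauperis.org.'
```

After sourcing the file, `check_name pop3.pauperis.org` runs the same two queries live and prints the verdict on one line.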