When all fallbacks fail (which they always do due to bug #1109292), dnssec-triggerd configures unbound to use full recursion (which will be often blocked) without checking whether the full recursion is working or not. The result is a user without DNS resolution but also without any information suggesting why that happens and how to at least get connectivity not secured by DNSSEC, which may well be the only way to access internet resources.
We talked about this and the conclusion is that full recursion is currently considered a good way to offload the infrastructure servers, so it's not only set up when fallbacks don't work, but it's even attempted first.