
gov.uk inaccessible

Moto
Tuning in

My domestic network uses my local recursive DNS server. All queries are resolved by consulting the servers authoritative for this query by traversing the domain. I do not use public DNS servers. My server uses DNSSEC to ensure responses are valid and not bogus. I recently changed packages and router thanks to Volt benefits.

Since changing IP address to 81.101.*.* I am unable to obtain the DNSKEY for gov.uk from any authoritative name server for that domain. The response from all authoritative servers is similar to this one:

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.42-Debian <<>> @128.86.1.20 gov.uk dnskey
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Truncated because the payload is too large for UDP - So I can reach the server. No response is received for my query using TCP. 

I have discussed this with support at Janet Network Operations Centre. Their DNS servers are working correctly. Public DNS servers can query gov.uk. I, and I have heard from one other using Virgin, cannot.

I think everyone will agree gov.uk is a little bit important. I can and have fudged my DNS so that I accept a non-authoritative reply from a public DNS server for this domain, but I shouldn't have to.

Could someone on Virgin's network team look at testing the following commands, which all fail here?

dig  @128.86.1.20 gov.uk dnskey
dig  @192.87.106.101  gov.uk dnskey
dig  @193.62.157.66 gov.uk dnskey
dig  @193.63.94.20 gov.uk dnskey
dig  @193.63.105.17 gov.uk dnskey
dig  @194.128.171.99 gov.uk dnskey
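
As an added example (not part of the original post): the dig output above shows a UDP reply with the TC bit set, followed by a TCP retry that times out. This Python code builds the same DNSKEY query with the DO bit, frames it for TCP, and classifies the two outcomes; the function names are hypothetical, the sample reply is constructed, and no network I/O is performed.

```python
import struct

DNSKEY, OPT = 48, 41  # RR type codes (RFC 4034, RFC 6891)

# Constructed sample: 12-byte header of a truncated authoritative reply
# (QR, AA and TC flags set), standing in for the UDP answer described above.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8600, 1, 0, 0, 1)

def build_query(name, qtype=DNSKEY, qid=0x1234, udp_size=1232):
    """Wire-format query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, class = UDP payload size,
    # TTL = ext-rcode/version/flags (DO = 0x8000), empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x00008000, 0)
    return header + question + opt

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Decode the fixed header fields that matter for this diagnosis."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}

def diagnose(udp_reply, tcp_reply):
    """Classify one UDP-then-TCP attempt; None means that leg timed out."""
    if udp_reply is None:
        return "no UDP answer: server unreachable or UDP/53 filtered"
    if not parse_header(udp_reply)["tc"]:
        return "answered over UDP: no TCP retry needed"
    if tcp_reply is None:
        return "UDP truncated, TCP timed out: TCP/53 path blocked or broken"
    return "UDP truncated, TCP answered: path is healthy"

if __name__ == "__main__":
    query = build_query("gov.uk")
    print(len(query), tcp_frame(query)[:2].hex())
    print(diagnose(TRUNCATED_REPLY, None))
```

A truncated UDP answer proves the server is reachable over UDP/53, so a timeout on the TCP leg points at the TCP/53 path rather than at the name server.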

12 REPLIES

Client62
Legend

We have a Hub 3 in Router mode; using Ubuntu in VMware, every one of the dig commands worked.

Has this worked fine previously, but stopped when ... a recent change of ??? occurred?

Since changing IP address to 81.101.*.*
  - what triggered the change of Public IP? (E.g. new hub)

Which VM Hub is involved?

Operating in Router or Modem mode?

Hub 5 in router mode. The IP changed when I moved from M120 to M250

Client62
Legend

You might need to urgently consider having the Hub 5 in Modem mode with a 3rd party Router that is under your management; I believe that will ease your DNSSEC issue. Perhaps buy from Amazon for ease of returns.

If we are issued a Hub 5 I will have a 3rd party router here to meet it and to operate with it from hour one. The Hub 5 does appear to be a decent modem for the sophisticated home user, but in router mode my list of concerns grows weekly and is set out below.

Client62
Legend

Hub 5 Router mode, current reported issues:
1. Wi-Fi & DHCP Fail when both SSIDs are changed. ( in the Wizard and in the Menu )
2. DHCP Fails with multiple DHCP devices.
3. DHCP Reserved IP list fails to accept entries.
4. DNS All queries are being intercepted by the Hub 5.
5. DNS Queries for AWS hosts time out with both VM DNS & Public DNS.
6. DNS DNSSEC queries fail.
7. Port Forwarding may not work.
8. RTSP stream / VRChat crashes & reboots Hub 5.
9. Wi-Fi 6 / 802.11ax Fails to be visible to many 2.4GHz only devices.
10. (Suspected) A laptop connected via 5GHz Wi-Fi may be unable to access a printer connected by 2.4GHz. May also mean mobile Phone on 5GHz is unable to detect / manage IoT on 2.4GHz.

Wi-Fi 6 / 802.11ax

Hub 5 has Wi-Fi 6 / 802.11ax on both the 2.4GHz and 5GHz bands.

This is proving to have poor or no compatibility with some 2.4GHz only IoTs and main brand (Dell & HP) laptops.

Symptoms are the device does not see the Wi-Fi service from the Hub 5.

If the device does not have updated drivers available, a workaround that has worked is to use a TP-LINK RE450 / AC1750 Wireless Repeater as a bridge from the Hub 5's Wi-Fi 6 to the more compatible 2.4GHz Wi-Fi 4 & 5GHz Wi-Fi 5 that the IoTs / Laptops can use. Other brands and models of Wi-Fi equipment that can perform a similar task may be equally suitable.

For laptops / desktops a USB dual band Wi-Fi adaptor is a good option.

Moto
Tuning in

Sadly my OPNSense server died the week before the change in router. I had always used Virgin's routers in modem mode. I was rather enjoying the reduction in electricity bill without the server. I don't use the Hub 5's wifi or DHCP. I am reading Imiss Telewest's posts on her reaction to her Hub 5. DNSSEC is working here with the exception of the gov.uk domain.

legacy1
Alessandro Volta

Outgoing TCP port 53 blocked in router mode maybe? Surely not!

Do a tracetcp

tracetcp - download (simulatedsimian.github.io)

tracetcp 128.86.1.20:53 

 

---------------------------------------------------------------

Moto
Tuning in

I can get the DNSKEY from a public DNS server but not from the server authoritative for that domain. That tells me the problem is probably upstream from me.

Moto
Tuning in

So I am in modem mode in a completely different address range and gov.uk resolves.

So I have 2 questions for myself.

  • Which is more secure? Use Hub 5 in router mode and struggle with DNSSEC, or use modem mode, an old Netgear router and working DNSSEC?
  • Can my Netgear router clone the MAC address of the Hub 5 and get back the Hub 5's address, to see if it is the network address range or the Hub 5 that is the problem?

It's late. Time for bed.

 

legacy1
Alessandro Volta

@Moto wrote:
  • Can my Netgear router clone the MAC address of the Hub 5 and get back the Hub 5's address, to see if it is the network address range or the Hub 5 that is the problem?

You can try, but it likely will not work. It will be one HEX up from the MAC listed on the hub for its WAN.

---------------------------------------------------------------