Did you perform a tcpdump to see if a TCP connection was initiated from dotgov and arrived at your GTM?
We encountered a strange situation in our environment that I want to bring up as a consideration if you have Cisco Nexus switches in your network. We noticed some DNSSEC queries were failing and upon digging into it, we found our Nexus 7k was doing some fragment inspection and dropping the fragments. The command to turn off fragment inspection is 'no hardware ip verify fragment'. You can check if it's enabled by running 'show hardware ip verify'.
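One way to confirm whether fragments are being lost between two capture points, as an added example that is not part of the original post: it groups IPv4 fragments by IP ID and reports whether each fragmented UDP datagram arrived whole. The function names, addresses and packets are constructed for illustration, and the input is assumed to be complete IPv4 packets without the link-layer header.

```python
import struct
from collections import defaultdict

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def make_fragment(ident, offset, more, payload,
                  src=b"\xc0\x00\x02\x35", dst=b"\xc6\x33\x64\x0a"):
    """Build one constructed IPv4/UDP fragment (checksum left at 0)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    return struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, 17, 0, src, dst) + payload

def parse(pkt):
    """Return (datagram key, offset, length, MF flag, UDP source port or None)."""
    vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    offset = (ff & 0x1FFF) * 8
    # Only the first fragment carries the UDP header, and with it the port.
    sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0] if offset == 0 else None
    return (src, dst, ident, proto), offset, total - ihl, bool(ff & 0x2000), sport

def audit_fragments(packets):
    """Map IP ID -> (source port, complete?) for each fragmented UDP datagram."""
    groups = defaultdict(list)
    for pkt in packets:
        key, off, length, more, sport = parse(pkt)
        if key[3] == 17:
            groups[key].append((off, length, more, sport))
    report = {}
    for key, frags in groups.items():
        if not any(more or off for off, _, more, _ in frags):
            continue  # datagram was never fragmented
        frags.sort(key=lambda f: f[0])
        covered, end = 0, None
        for off, length, more, _ in frags:
            if off <= covered:          # contiguous with what we have so far
                covered = max(covered, off + length)
            if not more:                # last fragment fixes the datagram length
                end = off + length
        sport = frags[0][3] if frags[0][0] == 0 else None
        report[key[2]] = (sport, end is not None and covered >= end)
    return report

# Constructed sample: an 1800-byte DNS response (UDP source port 53) split at a 1500-byte MTU.
udp = struct.pack("!HHHH", 53, 40000, 1800, 0) + bytes(1792)
sender_side = [make_fragment(0x1A2B, 0, True, udp[:1480]),
               make_fragment(0x1A2B, 1480, False, udp[1480:])]
receiver_side = sender_side[:1]  # constructed: the trailing fragment never arrived

print(audit_fragments(sender_side))    # {6699: (53, True)}
print(audit_fragments(receiver_side))  # {6699: (53, False)}
```

A datagram that is complete in the capture taken before a device and incomplete in the capture taken after it points at that device as the place where fragments are being dropped.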