I finally found the reason why my DNS resolvers could not resolve records from the docker.com zone.
The cause was that I used a script to block IPs from hosts that spammed my resolvers with malicious requests. The script created a block rule with nftables to filter packages from the respective networks. Since DNS uses mostly UDP packets, the response packet of the corresponding name server was also filtered out, so that the resolver is running in a timeout re when resolving.
The solution was now to include the destination port 53 as a filter in the rule in addition to the source IP.