> On 11 Oct 2018, at 19:07, pg...@dev-mail.net wrote:
>
>> The switch to the new KSK seems the most likely cause, assuming DNSSEC
>> validation always worked for you before then.
>
> It's been 'working' for ages. Yes, I could have been 'just lucky for a long
> time'.

DNSSEC is very brittle. Either it works perfectly or not at all. Luck has
nothing to do with it. Ending up with a working DNSSEC setup is something that
rarely if ever happens by accident. If your validators don’t/can’t maintain
up-to-date trust anchors they *will* fail at some point. Today might well have
been that day for you.

Ensuring trust anchor(s) are current is critical to DNSSEC validation. It’s not
a matter of luck if this doesn’t get configured correctly. And it’s not a
matter of luck if someone’s failed to plan for today’s KSK rollover or been
unaware of this high profile event. Sorry.
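
One way to check whether a validator's root trust anchor survived the rollover discussed in this message (an added example, not part of the original post). It assumes the anchors are stored as zone-file style DS or DNSKEY records for the root, with algorithms other than 1; the key tags 19036 (KSK-2010) and 20326 (KSK-2017) are the published root KSK tags, and the sample records, digests and key material are constructed placeholders.

```python
import struct
from base64 import b64decode

# Root KSK key tags: the key retired from signing on 11 Oct 2018, and its successor.
KSK_2010, KSK_2017 = 19036, 20326

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag of a DNSKEY record, per RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def anchor_tags(text):
    """Key tags of the root trust anchors (DS or SEP DNSKEY records) found in text."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        if not fields or fields[0] != ".":       # only root-zone records
            continue
        if "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            if flags == 257:                     # revoked keys carry 385 and are skipped
                key = b64decode("".join(fields[i + 4:]))
                tags.add(key_tag(flags, proto, alg, key))
        elif "DS" in fields:
            tags.add(int(fields[fields.index("DS") + 1]))
    return tags

def anchor_status(text, current=KSK_2017):
    """'current' if the expected key is trusted, 'stale' if only other keys are."""
    tags = anchor_tags(text)
    if current in tags:
        return "current"
    return "stale" if tags else "missing"

# Constructed samples: digests and key data are placeholders, not real values.
STALE_ANCHORS = ". 172800 IN DS 19036 8 2 CONSTRUCTED-DIGEST-PLACEHOLDER\n"
ROLLED_ANCHORS = STALE_ANCHORS + ". 172800 IN DS 20326 8 2 CONSTRUCTED-DIGEST-PLACEHOLDER\n"
TOY_DNSKEY = ". 172800 IN DNSKEY 257 3 8 AQAB ; constructed key, tag 1545\n"

if __name__ == "__main__":
    for name, sample in [("stale", STALE_ANCHORS), ("rolled", ROLLED_ANCHORS)]:
        print(name, sorted(anchor_tags(sample)), anchor_status(sample))
```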