We have discovered a way for DNSSEC to go wrong that is entirely novel to me

When the registrar’s DNS hosting doesn’t realise you’re not delegated to it anymore, rolls the KSK and helpfully updates the DS records in the parent zone for you…

