This morning’s unpleasant surprise: I could no longer resolve any subdomains of ec.europa.eu (nslookup error SERVFAIL); disabling DNSSEC was the only way to get back to work. Verisign DNSSEC analyzer shows that the issue is not with the European Commission’s DNS servers, so I’m assuming that the problem is either in my Turris Omnia [freshly updated and rebooted to re-test], or in the forwarder (I’ve tried Google, CloudFlare, and my ISP’s DNS resolver). Any suggestions on how to diagnose this?
Well, the problem boils down to the same origin as the SERVFAIL I posted. europa.eu SOA is not served signed, for whatever reason. So whenever any validator encounters a negative response, it can’t succeed because SOA is mandatory in there.
Now myremote.ec.europa.eu should be OK if you turn off forwarding (works on my Omnia), but Knot Resolver’s forwarding algorithm is unable to avoid some intermediary queries which get negative replies here – so it runs into this SOA bug here and gets stuck.
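To make the failure mode in the replies concrete, here is a small added check (not Knot Resolver's or the forum poster's code) that applies the validator's rules for a negative reply to a dig-style authority section: the SOA must be present and covered by an RRSIG, and so must the NSEC/NSEC3 proof. The zone name `example.` and the RRSIG/NSEC records are constructed placeholders, not real captures.

```python
"""Checks a DNSSEC validator applies to the authority section of a negative
reply (NXDOMAIN or NODATA) from a signed zone. Added illustration, not
Knot Resolver's code; input is dig-style presentation text (`dig +dnssec`)."""

DENIAL_TYPES = ("NSEC", "NSEC3")


def parse_rrs(text):
    """Parse 'owner ttl class type rdata...' lines into dicts.
    For an RRSIG the first rdata field is the type it covers."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue  # skip blank lines and dig comments
        owner, _ttl, _cls, rtype, *rdata = fields
        covers = rdata[0] if rtype == "RRSIG" and rdata else None
        records.append({"owner": owner, "type": rtype, "covers": covers})
    return records


def check_negative_response(records):
    """Return (accepted, reason). A validator that cannot authenticate the
    denial answers SERVFAIL to the client, which is the symptom above."""
    present = {rr["type"] for rr in records}
    signed = {rr["covers"] for rr in records if rr["type"] == "RRSIG"}
    if "SOA" not in present:
        return False, "no SOA in authority section"
    if "SOA" not in signed:
        return False, "SOA present but not covered by an RRSIG"
    proofs = [t for t in DENIAL_TYPES if t in present]
    if not proofs:
        return False, "no NSEC/NSEC3 proof of non-existence"
    unsigned = [t for t in proofs if t not in signed]
    if unsigned:
        return False, "%s proof not covered by an RRSIG" % ",".join(unsigned)
    return True, "denial authenticated"


# Constructed sample authority sections (placeholder zone, fake signatures).
HEALTHY = """
example. 3600 IN SOA ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 8 1 3600 20250101000000 20241201000000 12345 example. AAAA
example. 3600 IN NSEC ns1.example. NS SOA RRSIG NSEC DNSKEY
example. 3600 IN RRSIG NSEC 8 1 3600 20250101000000 20241201000000 12345 example. AAAA
"""
# The symptom described above: SOA returned without its RRSIG.
UNSIGNED_SOA = "\n".join(l for l in HEALTHY.splitlines() if " RRSIG SOA " not in l)

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("unsigned SOA", UNSIGNED_SOA)):
        print(label, check_negative_response(parse_rrs(text)))
```

To test a live zone, paste the AUTHORITY SECTION of `dig +dnssec +norecurse @<authoritative server> <nonexistent name>` into `parse_rrs`; a `False` result explains a resolver-side SERVFAIL even when the zone's own servers look healthy.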