I’ve been having this problem recently (the last few months at most) where I sometimes end up in situation where some new or modified DNS records don’t get properly signed which means that lookup of those particular records fail for resolvers that verify the signature. The rest of the records resolve fine with or without DNSSEC validation and all DNSSEC testing tools agree that it is correctly configured.
It first happened when adding SSHFP records where I noticed I made a mistake and modified them. After that they no longer had valid signatures. I got it working in the end by removing all the SSHFP records and then re-adding them. At the time, I figured it was just a temporary issue and forgot about it.
A few hours ago however, I modified an NS record for a subdomain, only to realize the change I made might have some side effects in some edge cases so I changed it back. That record is now no longer signed correctly and removing and subsequently re-adding it makes no difference.
Has anyone else had this same issue?
The domain in question is 32.rs and the broken NS record is set for dns.32.rs.