On Tue, Sep 08, 2009 at 05:08:23PM +0200, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote a message of 126 lines which said: > % dig SOA pr. > > ; <<>> DiG 9.5.1-P3 <<>> SOA pr. > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 940 It works now. The DLV registry at ISC updated the key. Apparently, the .PR people rolled over with a very short notice and anyone using DLV or manual tracking of keys will have experienced the problem. Lesson learned: activating DNSSEC validation today is only for playing and should not be done in a production environment.