That's cool, ty for that. The only one I put credentials into is Amazon, and it is unsigned. [1] There probably needs to be a DNSSECv2 .vbis that reduces risk somehow to get more adoption.
For what it's worth, technically we're already on something like DNSSEC-ter or DNSSEC-quater. -bis was back in the early 2000s with the typecode roll. It was really called DNSSEC-bis!
Do we know what their root mistake was? I've studied and deployed DNSSEC, and as I see it, the current version is pretty much the simplest thing that could possibly work, given the way DNS works.
The root cause of the disruption has not yet been fully identified. DENIC’s technical teams are working intensively on analysis and on restoring stable operations as quickly as possible.
That's their current official statement. I could guess but I would rather wait until they have an official statement. I would imagine they must know but they are probably going back and forth with their legal team to word it very carefully, or at least that is what I would be doing if I were in their situation.
Good news though: if you add domain-insecure: "de" to your unbound config, everything works fine.