Hi

The current set of trust anchors distributed by RIPE NCC (<https://www.ripe.net/projects/disi/keys/ripe-ncc-dnssec-keys-new.txt>) includes the domains

  disi.nl
  example.net
  pwei.net

None of these currently have any DNSSEC resource records (i.e. they are insecure), which effectively breaks those zones for everybody who uses that particular set of trust anchors.

I guess this shows one of the operational problems with trust anchor management. These zones are not maintained by RIPE NCC itself and the administrators probably didn't bother to tell them that they've disabled DNSSEC (if they know or remember at all that their keys are distributed by a third party).

I guess it would be more prudent for RIPE NCC to only distribute the keys for their own zones (those listed on <https://www.ripe.net/projects/disi//keys/>).

-- 
Alex
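A check for the failure described above, as an added example that is not part of the original message: it compares each configured trust anchor with the DNSKEYs a zone currently publishes and flags anchors whose zone has gone unsigned. The BIND `trusted-keys` layout, the zones `signed.example` and `rolled.example`, and all key material are constructed assumptions, and the published-key table stands in for live DNSKEY lookups.

```python
import base64
import re
import struct

def key_tag(flags, proto, alg, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

# Assumed entry layout: "zone." flags protocol algorithm "base64 key";
ANCHOR_RE = re.compile(r'([\w.-]+?)\.?"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')

def parse_trust_anchors(text):
    """Return {zone: set of key tags} for every anchor entry found in text."""
    anchors = {}
    for zone, flags, proto, alg, b64 in ANCHOR_RE.findall(text):
        key = base64.b64decode("".join(b64.split()))
        tag = key_tag(int(flags), int(proto), int(alg), key)
        anchors.setdefault(zone.lower(), set()).add(tag)
    return anchors

def audit(anchors, published):
    """published: {zone: [(flags, proto, alg, key_bytes), ...]} as seen in DNS."""
    report = {}
    for zone, tags in anchors.items():
        live = {key_tag(*k) for k in published.get(zone, [])}
        if not live:
            report[zone] = "UNSIGNED"   # anchor present, zone has no DNSKEY
        elif tags & live:
            report[zone] = "OK"
        else:
            report[zone] = "MISMATCH"   # zone is signed, but with other keys
    return report

# Constructed sample data: dummy bytes, not real DNSKEYs.
KEY_A, KEY_B = b"constructed-key-A" * 4, b"constructed-key-B" * 4
ZONES = ("disi.nl", "example.net", "pwei.net", "signed.example", "rolled.example")
SAMPLE_ANCHORS = "trusted-keys {\n" + "".join(
    f'  "{z}." 257 3 5 "{base64.b64encode(KEY_A).decode()}";\n' for z in ZONES
) + "};\n"
SAMPLE_PUBLISHED = {
    "signed.example": [(257, 3, 5, KEY_A)],
    "rolled.example": [(257, 3, 5, KEY_B)],
}

if __name__ == "__main__":
    result = audit(parse_trust_anchors(SAMPLE_ANCHORS), SAMPLE_PUBLISHED)
    for zone, status in sorted(result.items()):
        print(f"{zone:16} {status}")
```

Zones reported as `UNSIGNED` are the ones a validator using this anchor set would fail to resolve, so those anchors should be removed before the set is deployed.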