Hey! Multi-Signer DNSSEC is easy.

This domain is signed by NS1, Cloudflare, and Knot DNS.

The setup uses Model 2 described in RFC 8901: Multi-Signer DNSSEC Models.

Check out DNSViz and Verisign's DNSSEC Debugger. Note that the errors reported by DNSViz are arguably false positives. We are sorting these out.

DNS query for rfc8901.dev TXT record will tell you which provider was used to answer your query:

$ dig @8.8.8.8 +dnssec rfc8901.dev. TXT

; <<>> DiG 9.16.29-RH <<>> @8.8.8.8 +dnssec rfc8901.dev. TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19307
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;rfc8901.dev.           IN TXT

;; ANSWER SECTION:
rfc8901.dev.        31  IN  TXT    "Served and signed by NS1."
rfc8901.dev.        31  IN  RRSIG  TXT 13 2 60 20220618141319 20220616141319 44688 rfc8901.dev. HJM0uno3jK3xPKzNay9LTjdjEMxbFGucmrw8rXMmlQBtL8rujUgzKFnZ P/miuKHRLDlE64dnUbFLnrgg+0x9QQ==

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 17 16:13:48 CEST 2022
;; MSG SIZE  rcvd: 185

Contact me on jan@ns1.com.