This domain is signed by IBM NS1 Connect, Cloudflare, and Knot DNS.
The setup uses Model 2 described in RFC 8901: Multi-Signer DNSSEC Models. Each DNS provider has a dedicated key-signing key (KSK) and zone-signing key (ZSK).
Check out DNSViz and Verisign's DNSSEC Debugger. Note that the errors reported by DNSViz are arguably false positives caused by inconsistencies between how the individual providers implement DNSSEC signing. However, DNSSEC resolution works and the individual answers are signed correctly.
DNS query for rfc8901.dev TXT record will tell you which provider was used to answer your query:
% kdig @2620:fe::fe rfc8901.dev. TXT +dnssec ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11113 ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: do; UDP size: 512 B; ext-rcode: NOERROR ;; QUESTION SECTION: ;; rfc8901.dev. IN TXT ;; ANSWER SECTION: rfc8901.dev. 60 IN TXT "This is DNSSEC multi-signer setup. This answer was served and signed by Knot DNS." rfc8901.dev. 60 IN RRSIG TXT 13 2 60 20260302082309 20260216065309 43808 rfc8901.dev. ISNN4PctbAK57SxdWI777EOnYxLQcksVlFihUMraTbTDmY6Zui2wGm5lSor+qmmrnYgqLfZh2BUcDWPfIu6BIA== ;; Received 241 B ;; Time 2026-02-16 09:45:00 CET ;; From 2620:fe::fe@53(UDP) in 256.8 ms
Contact me on jan.vcelak@ibm.com.