Hit my first DNSSEC failure, couldn’t resolve www.cdc.gov from Entanet DNS cache.
My DNS troubleshooting is too old-fashioned and I couldn’t see anything wrong other than extremely convoluted DNS resolution (CNAME chain, authoritative servers renamed, one dead server in chain, two delegated servers not listed in zone etc.). Using dig with “+trace” worked to get the address.
Queried it with Entanet hostmaster who replied over Friday night that records are failing DNSSEC validation and so rejected (as intended by their configuration), and sent me links to DNSViz showing the problem.
Fortunately I wasn’t after information about an imminent zombie apocalypse.
Credit to Entanet and their hostmaster for a prompt and accurate response.
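
An added example, not part of the original post: on a validating resolver, a name that returns SERVFAIL normally but NOERROR when queried with dig's +cd (checking disabled) flag is failing DNSSEC validation rather than plain resolution. The function names, the resolver address in the comment and the sample dig headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: separate a DNSSEC validation failure from an ordinary
# resolution failure by comparing a normal query with a +cd query.

# Print the rcode from dig's ";; ->>HEADER<<-" line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the ";; flags:" line carries AD (resolver validated the answer).
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# classify NORMAL_OUTPUT CD_OUTPUT -> one-word verdict
classify() {
    normal=$(dig_status "$1")
    unchecked=$(dig_status "$2")
    if [ "$normal" = "SERVFAIL" ] && [ "$unchecked" = "NOERROR" ]; then
        echo "dnssec-validation-failure"   # data exists, validation rejected it
    elif [ "$normal" = "SERVFAIL" ]; then
        echo "resolution-failure"          # fails even with checking disabled
    elif [ "$normal" = "NOERROR" ] && dig_has_ad "$1"; then
        echo "validated"
    elif [ "$normal" = "NOERROR" ]; then
        echo "unvalidated"                 # unsigned zone or non-validating resolver
    else
        echo "other:$normal"
    fi
}

# Live use (needs network; placeholder resolver address):
#   check_name www.example.org 192.0.2.53
check_name() {
    classify "$(dig +dnssec "@$2" "$1" A)" "$(dig +dnssec +cd "@$2" "$1" A)"
}

# Constructed sample dig headers (not captured from a real resolver).
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_VALID=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```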