Topic: DNSSEC/DANE validation issues across multiple Dynu‑hosted zones (MX path seen as DNSSEC‑invalid)

Post by pchulpFriesland on 9 February 2026

We use Dynu as the authoritative DNS provider for multiple domains with DNSSEC enabled, and our registrar publishes the DS records supplied by Dynu. We are observing DNSSEC validation failures along the MX delivery path, which lead strict senders (e.g., Microsoft Exchange Online) to defer or reject email and to ignore our DANE/TLSA records.

Representative domains:
adoptieplatform.nl (mail delivered directly to our own MTA, not via Microsoft)
bcworkum.nl (also not using Microsoft Exchange for inbound email)
pchulpfriesland.nl (uses Microsoft Exchange; included for completeness)
(additional Dynu‑hosted signed zones can be provided on request)

Current configuration (example: adoptieplatform.nl):

Authoritative NS (at registrar): ns10.dynu.com, ns11.dynu.com, ns12.dynu.com, ns4.dynu.com, ns5.dynu.com
Parent DS (.nl):

Key Tag: 24419
Algorithm: 13 (ECDSA P‑256)
Digest Type: 2 (SHA‑256)
Digest: DFDE86224E33A9405703328B4AF8F1CA5D9743C2444AFE72D6F72AB080A2E382

KSK (flags 257, public key):
ggHN0GX6CfHDwDxhTCRhd786RcY56AJbkmPSB0rVDL7Hn21jsLipMU1M2LGEW2L/dp7r94+YuokTLZ1zVZ+hVw==
MX path: adoptieplatform.nl → mail.adoptieplatform.nl → 81.172.214.26
DANE/TLSA: _25._tcp.adoptieplatform.nl TLSA 3 1 1 A463C0D53C...75689E82F9
Observed delivery error (Microsoft Exchange Online trace):
450 4.7.324 dnssec-invalid: Destination domain returned invalid DNSSEC records (deferred when attempting delivery to 81.172.214.26:25)

What we need your help with (for all affected zones):

1. Full zone signing coverage — Please verify that all RRsets (SOA/NS/MX/A/AAAA/TXT/DKIM/DMARC, etc.), including hostnames referenced by the MX records (e.g., mail.<domain>), are covered by valid, current RRSIGs.

2. DNSKEY/ZSK usage — Ensure every published ZSK (flags 256) is actually used to sign the relevant RRsets (no stale/unused keys), and that the KSK (flags 257) aligns with the DS in the parent.

3. Parent DS alignment — Confirm there is exactly one active DS in the parent per domain, and that it matches the current KSK that Dynu publishes. If a rollover is advisable, please supply the new DS so we can update the registrar.

4. DANE compatibility — Please confirm that TLSA RRsets (e.g., _25._tcp.<domain>) are served from a fully signed zone without validation gaps, so DANE can be reliably honored by senders.

5. Operational guidance — If any Dynu settings impact complete zone signing (e.g., subdomains or specific RR types), please advise how to enable complete signing or make the necessary changes on your side.

We can attach current DNS visualizations (DNSViz outputs for both /dnssec and /MX views) and additional message‑trace samples on request. Our goal is to keep DNSSEC + DANE active for inbound SMTP and our websites, while ensuring that strict validators (like Microsoft) accept our zones without errors.

10 February 2026, 1:49
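Item 3 of the request (parent DS alignment) is something the zone owner can verify independently of the DNS provider, because a DS record is derived deterministically from the DNSKEY it points to: the key tag is the RFC 4034 Appendix B checksum over the DNSKEY RDATA, and the digest is a hash over the canonical owner name followed by that RDATA (RFC 4034 section 5.1.4, SHA-256 per RFC 4509). The script below is an added example written for this thread, not code from the poster or from Dynu; it uses only the Python standard library and needs no network access. It takes the KSK (flags, algorithm, base64 public key) and the parent DS (key tag, algorithm, digest type, digest) as inputs and reports whether they agree. The `__main__` section feeds in the adoptieplatform.nl values quoted in the post; whether they match is what running it tells you, the example makes no claim about the outcome.

```python
"""Check that a DNSKEY (KSK) served by the authoritative DNS matches the DS
record held in the parent zone. Added example for the thread above; the
function names are this example's own, not a Dynu API."""
import base64
import hashlib

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key_b64: str, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest of owner-name-wire || DNSKEY RDATA, as carried in the DS record."""
    h = DIGESTS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_matches(owner, flags, algorithm, public_key_b64,
               ds_key_tag, ds_algorithm, ds_digest_type, ds_digest_hex):
    """Return (ok, details). ok is True only when key tag, algorithm and digest all agree."""
    rdata = dnskey_rdata(flags, algorithm, public_key_b64)
    details = {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest": ds_digest(owner, rdata, ds_digest_type),
        "sep_flag_set": bool(flags & 1),  # 257 = ZONE + SEP, the usual KSK flags
    }
    ok = (details["key_tag"] == ds_key_tag
          and algorithm == ds_algorithm
          and details["digest"] == ds_digest_hex.upper())
    return ok, details


if __name__ == "__main__":
    # Values as quoted in the forum post for adoptieplatform.nl (KSK and parent DS).
    ok, info = ds_matches(
        "adoptieplatform.nl", 257, 13,
        "ggHN0GX6CfHDwDxhTCRhd786RcY56AJbkmPSB0rVDL7Hn21jsLipMU1M2LGEW2L/dp7r94+YuokTLZ1zVZ+hVw==",
        24419, 13, 2,
        "DFDE86224E33A9405703328B4AF8F1CA5D9743C2444AFE72D6F72AB080A2E382")
    print("parent DS matches published KSK:", ok)
    for k, v in info.items():
        print(f"  {k}: {v}")
```

If this reports a match, the DS side of the chain is fine and the failure lies in what the post's items 1, 2 and 4 describe: RRSIG coverage of the MX RRset, of the A record for the MX target, and of the TLSA RRset. Those need live answers from the authoritative servers, which an offline script cannot supply; the usual way is `dig +dnssec` against a validating resolver and checking for the AD flag and an RRSIG in each answer, or the DNSViz reports the poster already offers.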