Netcup (a European registrar) has had issues with parts of their DNSSEC infrastructure, leading to many domains advertised DS records not matching Netcups DNSSEC keys.

You can verify this by grabbing the DS records for one of the affected domains (pikz.cc):

    > dig @1.1.1.1 pikz.cc DS +short
    33487 8 2 4AF88BD043D909E290E2CC69626E619CC4BC54F98469042AB696027F DB981B8E

and comparing it to the DNSSEC key:

    > dig @root-dns.netcup.net pikz.cc DNSKEY +multiline
    <snip>
    ;; ANSWER SECTION:
    pikz.cc.  86400 IN DNSKEY 256 3 8 (
    <snip>
    ) ; ZSK; alg = RSASHA256 ; key id = 51649
    pikz.cc.  86400 IN DNSKEY 257 3 8 (
    <snip>
    ) ; KSK; alg = RSASHA256 ; key id = 37505

Note how neither 51649 nor 37505 are the advertised DS of 33487.

I noticed this issue on Saturday, and have contacted support three times. I received an "issue fixed, boss" on Monday, but issues have persisted.

The worst part is that this only shows up on DNS servers implementing DNSSEC, which apparently my uptime monitor does not use, so I never got a warning except for a dip in traffic and a "domain unreachable" error in my browser.

Google (8.8.8.8) and Cloudlflare (1.1.1.1) notably do enforce DNSSEC, so the pages are down when using their services.