in-bailiwick nameservers (possibly) not re-probed
There is some possibility of getting into a situation when NS is never retried. Here's a 2.3.0 log (from Omnia):
[ 0][plan] plan 'ns.udag.de.' type 'A'
[22310][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[22310][cach] => skipping exact RR: rank 030 (min. 030), new TTL -7934
[22310][cach] => trying zone: udag.de.
[22310][cach] => NSEC sname: range search found stale or insecure entry
[22310][zcut] found cut: udag.de. (return codes: DS 1, DNSKEY 1)
[22310][resl] => NS is provably without DS, going insecure
[11561][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[ ][nsre] probing timeouted NS: 185.61.8.11, score 1910
[11561][plan] plan 'ns.udag.net.' type 'A'
[58910][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[58910][cach] => skipping exact RR: rank 030 (min. 000), new TTL -4331
[58910][cach] => trying zone: udag.net.
[58910][cach] => NSEC sname: range search found inconsistent entry
[58910][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[58910][resl] => NS is provably without DS, going insecure
[20592][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[20592][resl] => unresolvable NS address, bailing out
[20592][resl] => circular dependepcy, retrying with non-minimized name
[ 2400][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[ 2400][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[ 2400][resl] => NS is provably without DS, going insecure
[ 2400][resl] => unresolvable NS address, bailing out
Last message '[ 2400][resl] =>' repeated 1 times, suppressed by syslog-ng on turris
[ 2400][resl] => no valid NS left
[18717][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 11561
[18717][resl] => no valid NS left
[37402][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[37402][resl] => unresolvable NS address, bailing out
[37402][resl] => circular dependepcy, retrying with non-minimized name
[ 9258][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[ 9258][zcut] found cut: udag.de. (return codes: DS 1, DNSKEY 1)
[ 9258][resl] => NS is provably without DS, going insecure
[ 9258][plan] plan 'ns.udag.net.' type 'A'
[43035][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[43035][cach] => skipping exact RR: rank 030 (min. 000), new TTL -4331
[43035][cach] => trying zone: udag.net.
[43035][cach] => NSEC sname: range search found inconsistent entry
[43035][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[43035][resl] => NS is provably without DS, going insecure
[49223][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[49223][resl] => circular dependepcy, retrying with non-minimized name
[16076][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[16076][zcut] found cut: udag.net. (return codes: DS 1, DNSKEY 1)
[16076][resl] => NS is provably without DS, going insecure
[16076][resl] => unresolvable NS address, bailing out
Last message '[16076][resl] =>' repeated 1 times, suppressed by syslog-ng on turris
[16076][resl] => no valid NS left
[ 9260][iter] 'ns.udag.net.' type 'A' id was assigned, parent id 9258
[ 9260][resl] => no valid NS left
[43246][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[43246][resl] => unresolvable NS address, bailing out
Last message '[43246][resl] => u' repeated 1 times, suppressed by syslog-ng on turris
[43246][resl] => no valid NS left
[48690][iter] 'ns.udag.de.' type 'A' id was assigned, parent id 0
[48690][resl] => no valid NS left
[ 0][resl] AD: secure (start)
[ 0][resl] AD: secure (between ANS and AUTH)
[ 0][resl] AD: secure (1)
[48690][resl] finished: 0, queries: 3, mempool: 49176 BATM I only estimate the characteristics/causes.