3/25/2020 10:40 PST. Mail delivery delays.
3/25/2020 11:10 PST. All mail has now been delivered and no mail was lost.
At 2020-03-25 16:04 hours, the ISC stopped refreshing signatures for secure DNS. Our name servers were configured to rely on these signatures and to always use secure lookups for all DNS queries. When the root signatures expired, our secure-DNS lookups of outside IP addresses failed. In many cases we could not resolve the address to which email should be relayed, so mail backed up on our servers. We disabled the "secure-dns-only" option in our name servers, and all mail started flowing again. Nothing has been lost, but we do apologize for the delay that this has caused.
The ISC has issued this response to the cause:
ISC (@ISCdotORG) Tweeted:
We are actively working to fix an issue with https://t.co/cgnpRHnm2g (the moth-balled DNSSEC lookaside validator) which is causing trouble for some @bind9 servers that still have the dlv configured. Very sorry for impacts some of you may be seeing from this legacy domain.
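
A monitoring check for the failure described in this notice, as an added example that is not part of the original notice or of any ISC or BIND tooling: it parses RRSIG records in dig's presentation format and flags signatures that have expired or are close to expiring. The zone names, key tag, timestamps and signature data are constructed samples, and the reference time is assumed to be UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in dig's presentation format (not captured from a real zone).
SAMPLE_DIG_OUTPUT = """\
example.net.      3600 IN RRSIG DNSKEY 8 2 3600 20200325160400 20200224160400 12345 example.net. c2FtcGxl
example.net.      3600 IN RRSIG SOA 8 2 3600 20200327000000 20200313000000 12345 example.net. c2FtcGxl
mail.example.net. 300  IN RRSIG A 8 3 300 20200420000000 20200321000000 12345 example.net. c2FtcGxl
mail.example.net. 300  IN A 192.0.2.25
"""

# RRSIG RDATA order: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

def _ts(text):
    """Parse the YYYYMMDDHHmmSS timestamp form, which is always UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(dig_text, now, warn_within=timedelta(days=3)):
    """Return (status, owner, covered_type, expiration) for each RRSIG line."""
    results = []
    for line in dig_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue  # not an RRSIG record
        expire, incept = _ts(m["expire"]), _ts(m["incept"])
        if now > expire:
            status = "EXPIRED"        # a validating resolver rejects this signature
        elif now < incept:
            status = "NOT_YET_VALID"  # usually clock skew on the signer or the checker
        elif expire - now <= warn_within:
            status = "EXPIRING_SOON"  # re-signing has not happened yet; alert early
        else:
            status = "OK"
        results.append((status, m["owner"], m["covered"], expire))
    return results

if __name__ == "__main__":
    reference = datetime(2020, 3, 25, 16, 5, tzinfo=timezone.utc)  # constructed "now"
    for status, owner, covered, expire in check_rrsigs(SAMPLE_DIG_OUTPUT, reference):
        print(f"{status:14} {owner} {covered} expires {expire:%Y-%m-%d %H:%M}Z")
```

Run on a schedule against the zones a validating resolver depends on, the EXPIRING_SOON status gives warning before lookups begin to fail.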