#4520 repos.fedorapeople.org fails DNSSEC validation
Closed: Fixed 5 years ago Opened 9 years ago by ertzing.

= bug description =

Test system:
laptop with dnssec-trigger installed.

Trying to resolve repos.fedorapeople.org results in failure and the below
messages in the local unbound log:

Sep 12 21:08:14 faith.camperquake.de unbound[841]: [841:0] info: validation failure repos.fedorapeople.org. A IN
Sep 12 21:09:00 faith.camperquake.de unbound[841]: [841:0] info: validation failure repos.fedorapeople.org. AAAA IN

http://dnssec-debugger.verisignlabs.com/repos.fedorapeople.org also shows issues with the signature ("None of the 1 RRSIG and 2 DNSKEY records validate the A RRset")

= bug analysis =

= fix recommendation =


According to http://dnsviz.net/d/repos.fedorapeople.org/VfGhbA/dnssec/, the fedorapeople.org web is signed through DLV but does not have DS records in the org domain, so validation from the root domain down ends as insecure.

DLV is being deprecated, and the current situation is kind of confusing because some clients use DLV and some others do not.

It would be good if fedorapeople.org was properly signed (which seems to be even now!) and the DS records were put to the org. domain. That would allow proper validation for all clients and it would not depend on DLV.
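As an added example (not part of the ticket or of Fedora Infrastructure's tooling), a small detection script that picks the "validation failure" lines out of an unbound log in the format quoted in the report and summarises which owner names and RR types failed, so a resolver operator notices this class of problem before users do. The third sample line is constructed noise to show that unrelated info lines are ignored.

```python
import re
from collections import defaultdict

# Matches unbound "info: validation failure <name> <type> IN" lines in the
# syslog-style layout quoted in the report (assumed; adjust for other layouts).
_VALFAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) unbound\[(?P<pid>\d+)\]: \[\d+:\d+\] info: "
    r"validation failure (?P<name>\S+) (?P<rtype>[A-Z0-9]+) IN$"
)

# Two lines taken from the report plus one constructed, unrelated info line.
SAMPLE_LOG = [
    "Sep 12 21:08:14 faith.camperquake.de unbound[841]: [841:0] info: validation failure repos.fedorapeople.org. A IN",
    "Sep 12 21:09:00 faith.camperquake.de unbound[841]: [841:0] info: validation failure repos.fedorapeople.org. AAAA IN",
    "Sep 12 21:09:05 faith.camperquake.de unbound[841]: [841:0] info: service started (constructed sample line)",
]


def parse_validation_failures(lines):
    """Yield one dict (ts, host, pid, name, rtype) per validation-failure line."""
    for line in lines:
        m = _VALFAIL.match(line.rstrip("\n"))
        if m is None:
            continue  # not a validation failure; ignored
        rec = m.groupdict()
        # Normalise the owner name: drop the trailing dot, fold case.
        rec["name"] = rec["name"].rstrip(".").lower()
        yield rec


def summarise(lines):
    """Return {owner name: sorted list of RR types whose validation failed}."""
    failed = defaultdict(set)
    for rec in parse_validation_failures(lines):
        failed[rec["name"]].add(rec["rtype"])
    return {name: sorted(types) for name, types in failed.items()}


def names_to_investigate(lines):
    """Owner names with at least one failed type, sorted; each is a candidate
    for a chain-of-trust check (DS at the parent, RRSIG/DNSKEY match)."""
    return sorted(summarise(lines))


if __name__ == "__main__":
    for name, types in summarise(SAMPLE_LOG).items():
        print(f"{name}: validation failed for {', '.join(types)}")
```

Each name reported can then be checked with a tool such as dnsviz, as done in the ticket, to see whether the parent zone actually carries a DS record for it.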

Yes, we are aware and have put in the request for this, it's just not happened yet. ;)

Hello, any progress with this?

No. We are going to try and restart the process and see if we can get the attention of the folks who can actually make this change. Sorry for the long delays here.

@puiterwijk and/or @smooge can you try this again now and see if we can get anywhere getting DS records added to fedorapeople.org (and any other of our domains we sign but don't have DS records for)?

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee

6 years ago

Metadata Update from @kevin:
- Issue priority set to: Next Meeting (was: Waiting on Assignee)

5 years ago

Metadata Update from @smooge:
- Issue assigned to smooge (was: puiterwijk)

5 years ago

I am trying to get this dealt with internally again.

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Next Meeting)

5 years ago

This should be fixed as of today.

Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue priority set to: None (was: Waiting on Assignee)
- Issue status updated to: Closed (was: Open)

5 years ago

It seems to work, hurray!
http://dnsviz.net/d/repos.fedorapeople.org/WxjZ7w/dnssec/

BTW, you might want to purge obsolete DNSKEYs from the zone; they just inflate the zone and DNS traffic unnecessarily. There are a 2048 B key id=301 and a 1024 B key id=378, and these two are unnecessary because there is also a 4096 B key id=16241.

If you want to do something secure, small and fast at the same time I would recommend going to ECDSA. This is not an experiment because it is massively deployed by Cloudflare and CZ TLD, details at:
https://en.blog.nic.cz/2018/06/01/transition-to-elliptic-curves-in-the-cz-domain/
