Hi Peter,
Please see my response to your other post in the Labs section -- your previous registration setup at Google Domains had a DNSSEC Domain Signing (DS) key set up that stayed in place when the domain transferred over to us. (This is expected behavior, because your registrar may not be the same as your Authoritative DNS provider, so those records need to stay in place to ensure the domain continues to resolve.) The downside to switching DNS providers is that unless the configuration is imported or configured ahead of time, critical records such as the RRSIG will be missing at the new DNS provider, which will break the domain for any (most) DNS servers that do DNSSEC validation.
The fix here was for someone on our side (me) to remove the DNSSEC keys at the registry level, which then removes the (now broken) DNSSEC signing and makes the domain act like a traditional (non-signed) one.
-- Joe M
Sonic System Operations