> If the problem was that .de's keys expired, you'd have the same problem when Let's Encrypt's keys expired.

Even this incident proves that’s not the case.

If LetsEncrypt has a temporary availability issue, my users don’t notice unless it spans longer than my need to renew a cert.

If LetsEncrypt has a CA cert expire, I can get a cert from another provider.

If DENIC’s DNSSEC records break, either due to an operational error or an expiry issue, my .de site becomes inaccessible and my users see a DNS lookup failure. My only option is to hope resolvers do what Cloudflare did, or move my site to a new TLD and just pray that TLD never has the same problem.