As mentioned on Swinog IRC (yes we are alive there, join us! :):
admin.ch is unreachable due to broken DNSSEC.
See: https://dnsviz.net/d/admin.ch/dnssec/
8<----
ch to admin.ch: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (162.23.37.16, 162.23.37.160, 212.103.72.85, 2a00:c38:2:28:0:ffff:d467:4855, UDP_-_EDNS0_4096_D_K)
ch to admin.ch: The DS RRset for the zone included algorithm 8 (RSASHA256), but no DS RR matched a DNSKEY with algorithm 8 that signs the zone's DNSKEY RRset. (162.23.37.16, 162.23.37.160, 212.103.72.85, 2a00:c38:2:28:0:ffff:d467:4855, UDP_-_EDNS0_4096_D_K)
------>8
(I got a screencap of the page for later, just in case it gets fixed/changed in the meantime; swinog only allows 40KiB attachments which would ruin the res too much for it to be useful :)
Thus for all ISPs on this list: tell your customers that it is an admin.ch issue, not something you can solve (unless you disable dnssec validation for admin.ch, which is an option, but kinda against dnssec). (Fortunately it is not tax time or something like that)
For folks working at admin.ch: I offer myself pro bono to help out resolving the issue, don't hesitate to reach out (email or contact details on my homepage).
We can then replicate a stable environment as described in:
https://jeroen.massar.ch/presentations/vid/SwiNOG35-Managing_sleep_with_a_re...
or otherwise likely improve the situation to avoid such outages.
Good luck folks at admin.ch in resolving this..
Greets, Jeroen
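The DS-to-DNSKEY matching that the DNSViz errors quoted above refer to, as an added example that is not part of the original posts. The zone name `zone.example`, the key material and the rollover scenario are constructed for illustration, and RRSIG signature verification is reduced to a set of signer key tags (an assumption of this sketch).

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields: key tag, algorithm, digest type 2 (SHA-256), digest."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def secure_entry_points(owner, ds_rrset, dnskey_rrset, rrsig_signer_tags):
    """Key tags of DNSKEYs that match a parent DS and sign the DNSKEY RRset.
    An empty list is the 'no secure entry point' condition."""
    seps = []
    for rdata in dnskey_rrset:
        ds = make_ds(owner, rdata)
        if ds in ds_rrset and ds[0] in rrsig_signer_tags:
            seps.append(ds[0])
    return seps

# Constructed sample keys (algorithm 8, RSASHA256); not real key material.
OLD_KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))
NEW_KSK = dnskey_rdata(257, 8, bytes(range(65, 129)))
ZSK = dnskey_rdata(256, 8, bytes(range(129, 193)))
PARENT_DS = [make_ds("zone.example", OLD_KSK)]  # what the parent publishes

def demo():
    # Healthy: the key the parent's DS points at signs the DNSKEY RRset.
    healthy = secure_entry_points("zone.example", PARENT_DS,
                                  [OLD_KSK, ZSK], {key_tag(OLD_KSK)})
    # Constructed failure: child serves a new KSK, parent DS is unchanged.
    broken = secure_entry_points("zone.example", PARENT_DS,
                                 [NEW_KSK, ZSK], {key_tag(NEW_KSK)})
    return healthy, broken

if __name__ == "__main__":
    healthy, broken = demo()
    print("healthy SEP key tags:", healthy)
    print("broken SEP key tags:", broken, "(validating resolvers return SERVFAIL)")
```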
On 2020-01-11 16:15, Jeroen Massar wrote:
> As mentioned on Swinog IRC (yes we are alive there, join us! :):
> admin.ch is unreachable due to broken DNSSEC.
And apparently fixed:
https://twitter.com/BIT_OFIT/status/1216035755350511619?s=20
8<-----
The @BIT_OFIT assumes that the websites of the Federal Administration are available again from everywhere. The partial unreachability of the sites appears to have been a configuration problem. The details are now being analyzed.
----->8
Light on details, but maybe somebody is able to invite them to give a talk once at a next SwiNOG meeting so we can hear more of the details and engage with them in how the Swiss ISP community can help out / cooperate more?
Greets, Jeroen