During the ZSK and KSK rotation, we encountered DNSSEC validation issues with the published records. It would be useful to set up (ideally external) monitoring of our DNSSEC zones to ensure that they're validating correctly.
We found that the dnsviz tool  was able to identify issues realtime, without any interference from DNS caches.
(If this service is provided by Akamai, then this bug would be resolved by some sort of link between our monitoring and Akamai's.)
Punting over to infra to figure out how we'd do it. The SREs can help implement.
Initially I was looking into server-side tools to perform recursive dnssec validated lookups. I found a few options but nothing was a good fit for what we need.
I think the simplest solution is to perform dns queries against Google's public dnssec validating resolver, and check for the proper response.
bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @220.127.116.11
bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @18.104.22.168
Landed this fix in r70179.