servfail from resolvers, all resolvers

I just moved a domain from one DNS host to another, and found that while my manual "dig foo.net ns @a.gtld-servers.net., dig foo.net ns @$NS" worked fine, actually trying to use the domain caused apps (well, curl) to claim it didn't resolve. Fair enough, I probably screwed something up. Let's try asking the local recursive resolver directly - dig foo.net @127.0.0.1. Hm, also doesn't work. Nothing in the logs. Oh wait, dig says SERVFAIL...how could I screw up a simple redelegation so much?

Eventually I started scrolling through the help forum for the webhost and saw a mention of DNSSEC and suddenly realised what I'd done wrong, oops - gotta delete those records from the parent zone or everyone is gonna be pissed.