Hay’s DNS servers adhere to modern security practices such as DNSSEC (involving signed reverse zones).
Some companies may be implementing DNSSEC (ie: Shopify) but are not actually fully prepared or expecting company’s to adhere and honor their DNSSEC declarations.
In the case of Shopify we know, via Clear Cable, that they are rolling out DNSSEC but they appear to be doing it in bits and pieces rather than enable it when they are fully ready across all their domains and sub domains.
Basically this is to clarify that it is not Hay’s DNS servers that are the problem as we are just honoring what Shopify is indicating. We can bypass this by using changing DNS servers to Google DNS, which currently is not so strict in regards to DNSSEC, and we can have the customer issue a support ticket to Shopify regarding this indicating the DNSSEC problem so they hopefully speed up the process of updating their side fully if that is what they are trying to do.