Bad NODATA proofs from authoritative servers
Described in the DVE. This is not really a problem in knot-resolver itself, but its users can relatively often run into this on various sites. There's at least one common DNS software that consistently gives such broken answers (for months).
Knot-resolver started to be affected with aggressive NSEC3 support, i.e. since 2.4.0.
What we might do (anyway) would be to devise some way of disabling aggressive caching from answers that were clearly generated by online-signing (they cover minimal ranges). In those cases the aggressiveness seems very unlikely to be helpful, and some problems would be avoided (like this one). It's quite possible that it would be an easy change (I haven't given it thought yet).
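One way the "covers minimal ranges" check could be expressed, as an added example that is not knot-resolver's code and not part of the original report. It assumes SHA-1 NSEC3 hashes (32-character base32hex labels); the function names, the threshold `MAX_MINIMAL_SPAN` and the sample records are hypothetical and constructed for illustration.

```python
import hashlib

HASH_SPACE = 1 << 160          # NSEC3 hash algorithm 1 is SHA-1: 160-bit values
B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
MAX_MINIMAL_SPAN = 2           # assumption: hypothetical threshold, not from the page

def b32hex_to_int(label):
    """Decode a 32-character base32hex NSEC3 hash label into an integer."""
    label = label.upper()      # DNS labels compare case-insensitively
    if len(label) != 32 or any(c not in B32HEX for c in label):
        raise ValueError("not a SHA-1 NSEC3 hash label: %r" % label)
    return int(label, 32)      # int() in base 32 uses exactly the 0-9A-V alphabet

def int_to_b32hex(value):
    """Encode a 160-bit integer as a base32hex label (used for the sample data)."""
    return "".join(B32HEX[(value >> s) & 31] for s in range(155, -1, -5))

def nsec3_span(owner_label, next_label):
    """Count hash values strictly between owner and next, honouring wrap-around."""
    return (b32hex_to_int(next_label) - b32hex_to_int(owner_label) - 1) % HASH_SPACE

def looks_online_signed(owner_label, next_label):
    """True when the range is so narrow that reuse for other names is unlikely."""
    return nsec3_span(owner_label, next_label) <= MAX_MINIMAL_SPAN

def cacheable_aggressively(records):
    """Keep only records whose range is wide enough to be worth reusing."""
    return [name for name, owner, nxt in records
            if not looks_online_signed(owner, nxt)]

# Constructed sample data, not captured from any real zone.
_h = int.from_bytes(hashlib.sha1(b"constructed-qname").digest(), "big")
SAMPLE = [
    ("online-signed", int_to_b32hex((_h - 1) % HASH_SPACE),
                      int_to_b32hex((_h + 1) % HASH_SPACE)),
    ("pre-signed", int_to_b32hex(1 << 100), int_to_b32hex(1 << 159)),
    ("last-in-chain", int_to_b32hex(HASH_SPACE - (1 << 150)), int_to_b32hex(1 << 100)),
    ("wrap-minimal", int_to_b32hex(HASH_SPACE - 1), int_to_b32hex(1)),
]

if __name__ == "__main__":
    for name, owner, nxt in SAMPLE:
        print(name, nsec3_span(owner, nxt), looks_online_signed(owner, nxt))
    print(cacheable_aggressively(SAMPLE))
```

The wrap-around cases matter: the last record of a chain points back to the first, so a plain `next - owner` comparison would misclassify it.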