Suspected lack of updating LRU on records used for DNSSEC validation
If this is true, then it can lead to situations where a cache goes overmem and starts discarding records with an LRU of "never", but which happen to be necessary for validating other records and thus need to be refetched, causing an increase in upstream recursion and also in validation (as all of those records needed for validation need to be validated before they can be used).
See https://support.isc.org/Ticket/Display.html?id=16212 and supporting documents for the data that led to this tentative conclusion.