[dns-operations] Validation anomalies under gpo.gov
bsomers at opendns.com
Fri Apr 3 19:18:57 UTC 2020
The gpo.gov domain came up recently as being something that likes to compress the RRSIG signer field, but something even more disturbing has now come up and, of course, customers like to compare the behaviour of different recursive resolvers!
In summary, looking at permanent.access.gpo.gov, it’s a complete mess:
* gpo.gov/RRSIG/DNSKEY has a compressed signer
* access.gpo.gov is a delegation point
* access.gpo.gov/DS is denied without an SOA and with a fabricated, irrelevant NSEC3 RR
* permanent.access.gpo.gov/A comes with an RRSIG with a signer field of gpo.gov
However, it seems that both 18.104.22.168 and 22.214.171.124 are happy to respond with an answer, and worse still, 126.96.36.199 also sets the AD bit in the response.
Cloudflare gets it right and returns SERVFAIL.
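As an added diagnostic, not code from the post or from any of the resolvers mentioned, the following checks an RRSIG in a raw DNS response for the two signer-field problems listed above: a compressed signer name (RFC 4034 section 3.1.7 says the sender MUST NOT compress it) and a signer that is not the owner name's closest enclosing zone. The response bytes, the zone-cut list and the signature bytes are constructed for illustration; the check itself is generic and works on any RRSIG RDATA offset in a wire-format message.

```python
import struct

# RRSIG RDATA: type covered, algorithm, labels, original TTL, expiration,
# inception, key tag (18 bytes fixed), then the signer name, then the signature.
RRSIG_FIXED = struct.Struct("!HBBIIIH")

def parse_name(msg, off):
    """Decode a wire-format name; return (dotted name, end offset, saw pointer)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # RFC 1035 4.1.4 compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _, _ = parse_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2, True
        off += 1
        if ln == 0:
            return ".".join(labels), off, False
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln

def enclosing_zone(owner, zone_cuts):
    """Longest known zone apex that is `owner` itself or a parent of it."""
    owner = owner.lower().rstrip(".")
    hits = [z for z in zone_cuts if owner == z or owner.endswith("." + z)]
    return max(hits, key=len)

def check_rrsig(msg, rdata_off, owner, zone_cuts):
    """Return the list of signer-field problems an RRSIG covering `owner` has."""
    signer, _, compressed = parse_name(msg, rdata_off + RRSIG_FIXED.size)
    problems = []
    if compressed:
        problems.append("signer name is compressed (RFC 4034 s3.1.7: MUST NOT)")
    expected = enclosing_zone(owner, zone_cuts)
    if signer != expected:
        problems.append(f"signer {signer} is not the enclosing zone {expected}")
    return problems

def build_sample():
    """Constructed response: RRSIG for permanent.access.gpo.gov/A whose signer
    is a pointer to the 'gpo.gov' labels inside the question name."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"\x09permanent\x06access\x03gpo\x03gov\x00"
    msg = hdr + qname + struct.pack("!HH", 46, 1)       # QTYPE=RRSIG, QCLASS=IN
    gpo_off = len(hdr) + 1 + 9 + 1 + 6                  # offset of the "gpo" label
    rdata = RRSIG_FIXED.pack(1, 13, 4, 300, 0x5E8C0000, 0x5E870000, 12345)
    rdata += struct.pack("!H", 0xC000 | gpo_off)        # compressed signer -> gpo.gov
    rdata += b"\x00" * 64                               # placeholder signature bytes
    rdata_off = len(msg) + 12                           # past owner ptr/type/class/TTL/RDLENGTH
    msg += struct.pack("!HHHIH", 0xC00C, 46, 1, 300, len(rdata)) + rdata
    return msg, rdata_off

# Zone cuts named in the post: gov, gpo.gov, and the access.gpo.gov delegation.
ZONE_CUTS = ["gov", "gpo.gov", "access.gpo.gov"]

if __name__ == "__main__":
    msg, off = build_sample()
    for p in check_rrsig(msg, off, "permanent.access.gpo.gov", ZONE_CUTS):
        print("PROBLEM:", p)
```

A validator that trusts the signer field without this second check would try to validate permanent.access.gpo.gov/A against gpo.gov's DNSKEY, which is exactly the cross-zone confusion the post describes.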