[dns-operations] Validation anomalies under gpo.gov

[Brian Somers]

Hi,

The gpo.gov domain came up recently as being something that likes to compress the RRSIG signer field, but something even more disturbing has now come up and, of course, customers like to compare the behaviour of different recursive resolvers!

In summary, looking at permanent.access.gpo.gov, it’s a complete mess:
* gpo.gov/RRSIG/DNSKEY has a compressed signer
* access.gpo.gov is a delegation point
* access.gpo.gov/DS is denied without an SOA and with a fabricated, irrelevant NSEC3 RR
* permanent.access.gpo.gov/A comes with an RRSIG with a signer field of gpo.gov

However, it seems that both 8.8.8.8 and 9.9.9.9 are happy to respond with an answer, and worse still, 8.8.8.8 also sets the AD bit in the response.
Cloudflare gets it right and returns SERVFAIL.

Comments?

—
Brian