[dns-operations] Validation anomalies under gpo.gov

Shumon Huque shuque at gmail.com
Sat Apr 4 04:47:59 UTC 2020

On Fri, Apr 3, 2020 at 4:54 PM Viktor Dukhovni <ietf-dane at dukhovni.org>

> The AD=1 replies from Google and Verisign are not "wrong".  They just
> reflect the fact that any ancestor zone is in principle free to bypass
> delegation and return "unexpected" signed answers for a child domain,
> legitimately or otherwise.

In this case, I think the explanation might be a bit simpler. The parent
isn't really bypassing anything. The behavior is likely a result of the
fact that both the parent (gpo.gov) and child (access.gpo.gov) are served
by the same set of nameservers. An incoming query containing the full qname
(as opposed to qname minimization) will cause most authoritative servers to
find the
enclosing zone for the query (i.e. the child zone) and answer directly from
And since the signer for permanent.access.gpo.gov is claimed to be gpo.gov,
it validates, and the broken delegation isn't even being seen.

Cloudflare I believe does qname minimization, so is likely reacting to
of the broken delegation.
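As an added illustration (not part of the thread, and not anyone's production code), here is a toy Python model of the two resolution paths described in the message: a full-qname query served straight from the child zone, versus a qname-minimizing resolver that walks down from the parent. The zone contents, key names and the exact failure in the delegation (modeled as a DS at the parent that no longer matches the child's DNSKEY) are constructed assumptions; the thread only says the delegation is broken.

```python
# Added example (not from the thread): a toy model of the behaviour described above.
# Zone contents, key names and the nature of the "broken delegation" (modeled as a DS
# at the parent that no longer matches the child's DNSKEY) are constructed assumptions.
SERVED_ZONES = {  # parent and child on the same authoritative server, as in the thread
    "gpo.gov.": {
        "access.gpo.gov.": {"DS": "ds(child-key-old)", "signer": "gpo.gov."},
    },
    "access.gpo.gov.": {
        "access.gpo.gov.": {"DNSKEY": "child-key-new", "signer": "access.gpo.gov."},
        # the thread's observation: this RRSIG names gpo.gov, not access.gpo.gov, as signer
        "permanent.access.gpo.gov.": {"A": "192.0.2.10", "signer": "gpo.gov."},
    },
}
TRUSTED_KEYS = {"gpo.gov."}  # the resolver has already validated the parent's DNSKEY

def closest_enclosing_zone(qname):
    """An authoritative server answers from the longest zone it serves that contains qname."""
    return max((z for z in SERVED_ZONES if qname == z or qname.endswith("." + z)), key=len)

def auth_answer(qname):
    zone = closest_enclosing_zone(qname)
    return zone, SERVED_ZONES[zone][qname]

def ds_matches_child_key(child_zone):
    """Validator fetches the DS at the parent and compares it with the child's DNSKEY."""
    parent = child_zone.split(".", 1)[1]
    ds = SERVED_ZONES[parent][child_zone]["DS"]
    return ds == f"ds({SERVED_ZONES[child_zone][child_zone]['DNSKEY']})"

def validate(zone, rrset):
    if rrset["signer"] in TRUSTED_KEYS:  # signed by a zone already trusted: no DS lookup at all
        return "secure"
    if rrset["signer"] == zone and ds_matches_child_key(zone):
        return "secure"
    return "bogus"

def resolve_full_qname(qname):
    """Single query with the full name: answered from the child zone, delegation never seen."""
    return validate(*auth_answer(qname))

def resolve_qname_minimized(qname):
    """Ask one more label at a time below the trusted zone (RFC 7816 style)."""
    labels = qname.rstrip(".").split(".")
    trusted_depth = max(len(t.rstrip(".").split(".")) for t in TRUSTED_KEYS)
    status = "indeterminate"
    for n in range(trusted_depth + 1, len(labels) + 1):
        status = validate(*auth_answer(".".join(labels[-n:]) + "."))
        if status != "secure":
            break  # the child apex RRset forces the DS check, which exposes the break
    return status
```

With this data, resolve_full_qname("permanent.access.gpo.gov.") returns "secure" while resolve_qname_minimized on the same name returns "bogus", because only the minimizing path ever asks a question whose answer requires the DS at gpo.gov.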
