<div dir="ltr"><div dir="ltr">On Fri, Apr 3, 2020 at 4:54 PM Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org">ietf-dane@dukhovni.org</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
The AD=1 replies from Google and Verisign are not "wrong". They just<br>
reflect the fact that any ancestor zone is in principle free to bypass<br>
delegation and return "unexpected" signed answers for a child domain,<br>
legitimately or otherwise. </blockquote><div><br></div><div>In this case, I think the explanation might be a bit simpler. The parent zone</div><div>isn't really bypassing anything. The behavior is likely a result of the fact that</div><div>both the parent (<a href="http://gpo.gov">gpo.gov</a>) and child (<a href="http://access.gpo.gov">access.gpo.gov</a>) are served by the same</div><div>set of nameservers. An incoming query containing the full qname (as opposed to</div><div>qname minimization) will cause most authoritative servers to find the closest</div><div>enclosing zone for the query (i.e. the child zone) and answer directly from that.</div><div>And since the signer for <a href="http://permanent.access.gpo.gov">permanent.access.gpo.gov</a> is claimed to be <a href="http://gpo.gov">gpo.gov</a>,</div><div>it validates, and the broken delegation isn't even being seen.</div><div><br></div><div>Cloudflare, I believe, does qname minimization, so is likely reacting to discovery</div><div>of the broken delegation.</div><div><br></div><div>Shumon.</div><div><br></div></div></div>
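<div>As an added illustration of the zone-selection behaviour described in the reply above (example code written for this page, not from the thread or from any of the parties named in it): a small Python model of an authoritative server that loads both gpo.gov and access.gpo.gov. The zone contents, the nameserver names (ns1.example., ns2.example., stale-ns.example.) and the address are constructed; the stale delegation NS merely stands in for whatever the real broken delegation was, and neither DNSSEC validation nor Cloudflare's actual resolver logic is modelled. It shows the longest-suffix zone match that sends a full-qname query straight to the child zone, the referral the same query would get from a server carrying only the parent, and how a label-by-label (qname-minimizing) walk observes the zone cut at access.gpo.gov that the full-qname path never sees.</div>

```python
"""Model of closest-enclosing-zone selection on a server hosting parent and child.

Added example, not from the original thread. Zone data is constructed and does
not describe the real gpo.gov / access.gpo.gov zones; DNSSEC and any specific
resolver implementation are not modelled.
"""
from __future__ import annotations
from dataclasses import dataclass, field

PARENT = "gpo.gov."
CHILD = "access.gpo.gov."
TARGET = "permanent.access.gpo.gov."

# Constructed zones. The parent's delegation NS for the child names a server
# that does not host the child (the "broken delegation"); the child apex NS
# names the servers that really serve both zones.
ZONES = {
    PARENT: {
        PARENT: {"NS": ["ns1.example.", "ns2.example."]},
        CHILD: {"NS": ["stale-ns.example."]},          # delegation, wrong target
    },
    CHILD: {
        CHILD: {"NS": ["ns1.example.", "ns2.example."]},
        TARGET: {"A": ["192.0.2.10"]},
    },
}
COHOSTED = ZONES                        # server loading parent and child
PARENT_ONLY = {PARENT: ZONES[PARENT]}   # server loading only the parent


@dataclass
class Response:
    kind: str                 # "answer" | "referral" | "nodata" | "nxdomain" | "refused"
    zone: str | None          # zone the server selected to answer from
    owner: str | None = None  # owner name of the answer or referral RRset
    rdata: list = field(default_factory=list)


def labels_of(name: str) -> list[str]:
    return name.rstrip(".").split(".")


def closest_enclosing_zone(qname: str, zones: dict) -> str | None:
    """Longest-suffix match over the loaded zones (RFC 1034 zone selection)."""
    labels = labels_of(qname)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def authoritative_query(qname: str, qtype: str, zones: dict) -> Response:
    """Answer one query the way a typical authoritative server does."""
    zone = closest_enclosing_zone(qname, zones)
    if zone is None:
        return Response("refused", None)
    names = zones[zone]
    labels = labels_of(qname)
    # Walk the names strictly below the apex and at or above qname, top down:
    # an NS RRset there is a zone cut inside this zone, so refer, don't answer.
    for i in range(len(labels) - len(labels_of(zone)) - 1, -1, -1):
        cut = ".".join(labels[i:]) + "."
        if "NS" in names.get(cut, {}):
            return Response("referral", zone, cut, names[cut]["NS"])
    if qname not in names:
        return Response("nxdomain", zone)
    if qtype not in names[qname]:
        return Response("nodata", zone)
    return Response("answer", zone, qname, names[qname][qtype])


def resolve_full_qname(qname: str, qtype: str, zones: dict) -> list:
    """Resolver sending the complete qname in a single query."""
    return [(qname, qtype, authoritative_query(qname, qtype, zones))]


def resolve_minimized(qname: str, qtype: str, zones: dict, known_zone: str) -> list:
    """Resolver that knows known_zone lives on this server and exposes one more
    label per query (qname minimization in the spirit of RFC 7816: NS for the
    intermediate names, the real qtype for the last one)."""
    labels = labels_of(qname)
    trace = []
    for n in range(len(labels_of(known_zone)) + 1, len(labels) + 1):
        name = ".".join(labels[len(labels) - n:]) + "."
        qt = qtype if n == len(labels) else "NS"
        resp = authoritative_query(name, qt, zones)
        trace.append((name, qt, resp))
        if resp.kind == "referral":
            break   # a real resolver would now have to chase the delegation target
    return trace


def zone_cuts_seen(trace: list, known_zone: str) -> set:
    """Zone cuts observable from the responses: a referral, or an
    authoritative NS answer for a name below known_zone."""
    cuts = set()
    for name, qt, resp in trace:
        if resp.kind == "referral":
            cuts.add(resp.owner)
        elif resp.kind == "answer" and qt == "NS" and name != known_zone:
            cuts.add(name)
    return cuts


if __name__ == "__main__":
    for label, zones in (("co-hosted", COHOSTED), ("parent-only", PARENT_ONLY)):
        _, _, r = resolve_full_qname(TARGET, "A", zones)[0]
        print(f"{label:12} full qname -> {r.kind} from {r.zone}: {r.rdata}")
    mini = resolve_minimized(TARGET, "A", COHOSTED, PARENT)
    for name, qt, r in mini:
        print(f"co-hosted    minimized {name} {qt} -> {r.kind} from {r.zone}: {r.rdata}")
    print("cuts seen, full qname:", zone_cuts_seen(resolve_full_qname(TARGET, "A", COHOSTED), PARENT))
    print("cuts seen, minimized :", zone_cuts_seen(mini, PARENT))
```

<div>On the co-hosted server the full-qname query never touches the parent zone, so the stale NS RRset is invisible to that resolver; only a server carrying the parent alone returns it as a referral. The minimizing walk's intermediate query for access.gpo.gov. is answered from the child apex, which tells the resolver a zone cut exists there; what a validating resolver does with that knowledge is outside what this model (and the thread) establishes.</div>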