<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Oct 18, 2022, at 4:02 PM, Scott Morizot <<a href="mailto:tmorizot@gmail.com" class="">tmorizot@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta charset="UTF-8" class=""><div dir="auto" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">I can't say why any RRSIGs or other DNSSEC records are being returned for queries for records in<span class="Apple-converted-space"> </span><a href="http://fiscal.treasury.gov/" class="">fiscal.treasury.gov</a>, however those records are spurious. As DNSVIZ does show, the delegation from the last secure zone,<span class="Apple-converted-space"> </span><a href="http://treasury.gov/" class="">treasury.gov</a>, to<span class="Apple-converted-space"> </span><a href="http://fiscal.treasury.gov/" class="">fiscal.treasury.gov</a><span class="Apple-converted-space"> </span>is insecure. And thus the subsequent delegation from<span class="Apple-converted-space"> </span><a href="http://fiscal.treasury.gov/" class="">fiscal.treasury.gov</a><span class="Apple-converted-space"> </span>to<span class="Apple-converted-space"> </span><a href="http://igt.fiscal.treasury.gov/" class="">igt.fiscal.treasury.gov</a><span class="Apple-converted-space"> </span>is also insecure. Once the chain of trust is properly broken and the status moves to insecure, everything below that point is also insecure.</div><div dir="auto" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br class=""></div><div dir="auto" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">DNSVIZ is attempting to make some sense of the spurious DNSSEC records and show what the state would be if there weren't an insecure delegation at<span class="Apple-converted-space"> </span><a href="http://treasury.gov/" class="">treasury.gov</a>. Or at least that's my guess at what it's doing.</div></div></blockquote></div><br class=""><div class="">I agree with both points. I just don't know what's going on. As it turns out, writing a piece of software to try to visualize complex configurations is, um, complex. I'll add it to my list. Just know that I'm a little behind... :)</div><div class=""><br class=""></div><div class="">Casey</div></body></html>