<div dir="auto"><div>There's a validated insecure delegation from <a href="http://treasury.gov">treasury.gov</a> to <a href="http://fiscal.treasury.gov">fiscal.treasury.gov</a>.</div><div dir="auto"><br></div><div dir="auto">I can't say why any RRSIGs or other DNSSEC records are being returned for queries for records in <a href="http://fiscal.treasury.gov">fiscal.treasury.gov</a>, however those records are spurious. As DNSVIZ does show, the delegation from the last secure zone, <a href="http://treasury.gov">treasury.gov</a>, to <a href="http://fiscal.treasury.gov">fiscal.treasury.gov</a> is insecure. And thus the subsequent delegation from <a href="http://fiscal.treasury.gov">fiscal.treasury.gov</a> to <a href="http://igt.fiscal.treasury.gov">igt.fiscal.treasury.gov</a> is also insecure. Once the chain of trust is properly broken and the status moves to insecure, everything below that point is also insecure.</div><div dir="auto"><br></div><div dir="auto">DNSVIZ is attempting to make some sense of the spurious DNSSEC records and show what the state would be if there weren't an insecure delegation at <a href="http://treasury.gov">treasury.gov</a>. Or at least that's my guess at what it's doing.</div><div dir="auto"><br></div><div dir="auto">I haven't found any public resolver or other implemented validator that doesn't properly validate <a href="http://qa.ws.igt.fiscal.treasury.gov">qa.ws.igt.fiscal.treasury.gov</a> as insecure.</div><div dir="auto"><br></div><div dir="auto">Scott</div><div dir="auto"><br></div><div dir="auto"><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Tue, Oct 18, 2022, 15:35 Casey Deccio <<a href="mailto:casey@deccio.net">casey@deccio.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">> On Oct 18, 2022, at 1:58 PM, Mark Andrews <<a href="mailto:marka@isc.org" target="_blank" rel="noreferrer">marka@isc.org</a>> wrote:<br>
> <br>
> Not for DS as it is part of the parent zone. <br>
> <br>
<br>
Right. What I meant (but didn't say) was this:<br>
<br>
The following is a query for testing for the presence of a DS record in the <a href="http://igt.fiscal.treasury.gov" rel="noreferrer noreferrer" target="_blank">igt.fiscal.treasury.gov</a> zone. The signer for the records in the response should be the parent zone of <a href="http://igt.fiscal.treasury.gov" rel="noreferrer noreferrer" target="_blank">igt.fiscal.treasury.gov</a>, which is <a href="http://fiscal.treasury.gov" rel="noreferrer noreferrer" target="_blank">fiscal.treasury.gov</a>. However, the the signer for the records in the observed response is <a href="http://treasury.gov" rel="noreferrer noreferrer" target="_blank">treasury.gov</a>.<br></blockquote></div></div></div>