On Fri, Apr 3, 2020 at 4:54 PM Viktor Dukhovni <[email protected]> wrote:
> The AD=1 replies from Google and Verisign are not "wrong". They just
> reflect the fact that any ancestor zone is in principle free to bypass
> delegation and return "unexpected" signed answers for a child domain,
> legitimately or otherwise.

In this case, I think the explanation might be a bit simpler. The parent zone isn't really bypassing anything.

The behavior is likely a result of the fact that both the parent (gpo.gov) and child (access.gpo.gov) are served by the same set of nameservers. An incoming query containing the full qname (as opposed to qname minimization) will cause most authoritative servers to find the closest enclosing zone for the query (i.e. the child zone) and answer directly from that. And since the signer for permanent.access.gpo.gov is claimed to be gpo.gov, it validates, and the broken delegation isn't even being seen.

Cloudflare I believe does qname minimization, so is likely reacting to discovery of the broken delegation.

Shumon.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
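The closest-enclosing-zone behaviour discussed in the post, as an added example that is not code from the post or from any nameserver implementation. It models one server hosting both a parent zone and its child, then compares a resolver that sends the full qname with one that minimizes the qname. All names (example.test), records and keys are constructed; the "broken delegation" is modelled as a DS at the parent that matches no DNSKEY at the child apex, which is one hypothetical way a delegation can be broken and says nothing about what gpo.gov actually publishes. The child's RRSIGs name the parent as signer, mirroring the observation in the post.

```python
"""Toy authoritative server hosting a parent zone and its child, queried by a
full-qname resolver and by a qname-minimizing resolver.

Added example, not code from the post or from any real nameserver. All zone
names, records and keys below are constructed.
"""

# Constructed zone data. The child's records are signed under the parent's
# name (signer == "example.test."), so a full-qname answer validates against
# the parent's already-trusted key without the DS at the delegation ever
# being consulted.
ZONES = {
    "example.test.": {
        "signer": "example.test.",
        "dnskey": {"KSK-PARENT"},
        "records": {
            "example.test.": {"NS": ["ns1.example.test."]},
            # Delegation as published by the parent. The DS is deliberately
            # stale (constructed): it refers to a key the child no longer has.
            "child.example.test.": {"NS": ["ns1.example.test."],
                                    "DS": ["ds(KSK-STALE)"]},
        },
    },
    "child.example.test.": {
        "signer": "example.test.",
        "dnskey": {"KSK-CHILD"},
        "records": {
            "child.example.test.": {"NS": ["ns1.example.test."]},
            "www.child.example.test.": {"A": ["192.0.2.1"]},
        },
    },
}

# The resolver is assumed to have already validated the parent's chain of trust.
TRUSTED_SIGNERS = {"example.test."}


def closest_enclosing_zone(zones, qname):
    """Longest-suffix match over the hosted zones, as most authoritative
    servers do for an incoming qname: www.child.example.test. lands in
    child.example.test. and the parent's delegation records are skipped."""
    candidates = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(candidates, key=len) if candidates else None


def parent_zone(zones, zone):
    """Hosted zone directly above `zone`, or None if we do not host one."""
    return closest_enclosing_zone({z: v for z, v in zones.items() if z != zone}, zone)


def authoritative_lookup(zones, qname, qtype):
    """Answer from the closest enclosing zone. DS is the one exception: the
    parent owns it, so a DS query at a zone apex is served from the zone above."""
    zone = closest_enclosing_zone(zones, qname)
    if zone is None:
        return {"rcode": "REFUSED", "answer": []}
    if qtype == "DS" and qname == zone:
        zone = parent_zone(zones, zone)
        if zone is None:
            return {"rcode": "REFUSED", "answer": []}
    rrset = zones[zone]["records"].get(qname, {}).get(qtype, [])
    return {"rcode": "NOERROR", "zone": zone, "answer": rrset,
            "signer": zones[zone]["signer"]}


def validate(resp):
    """Toy validation: AD=1 when the RRSIG signer name is already trusted."""
    return resp["rcode"] == "NOERROR" and resp.get("signer") in TRUSTED_SIGNERS


def resolve_full_qname(zones, qname, qtype):
    """One query carrying the whole name: served from the child zone and
    validated by signer name, so the delegation is never examined."""
    resp = authoritative_lookup(zones, qname, qtype)
    resp["ad"] = validate(resp)
    return resp


def ds_matches_child(zones, zone):
    """Compare the DS published by the parent with the keys at the child apex."""
    ds = authoritative_lookup(zones, zone, "DS").get("answer", [])
    return any(f"ds({key})" in ds for key in zones[zone]["dnskey"])


def resolve_qname_minimized(zones, qname, qtype):
    """Walk the name one label at a time (RFC 7816 style). Every intermediate
    name that turns out to be a hosted zone apex with a hosted parent gets a
    DS check, so a mismatched delegation surfaces before the final query."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels) - 1, 0, -1):
        name = ".".join(labels[i:]) + "."
        zone = closest_enclosing_zone(zones, name)
        if zone == name and parent_zone(zones, zone) is not None:
            if not ds_matches_child(zones, zone):
                return {"rcode": "SERVFAIL", "ad": False,
                        "reason": f"DS in parent does not match DNSKEY of {zone}"}
    resp = authoritative_lookup(zones, qname, qtype)
    resp["ad"] = validate(resp)
    return resp


if __name__ == "__main__":
    q = ("www.child.example.test.", "A")
    print("full qname      :", resolve_full_qname(ZONES, *q))
    print("qname minimized :", resolve_qname_minimized(ZONES, *q))
```

With the constructed data, the full-qname resolver gets NOERROR with AD=1 straight from the child zone, while the minimizing resolver stops at child.example.test., fetches the DS from the parent, sees it matches no child key and returns SERVFAIL. Replacing the stale DS with one for KSK-CHILD makes both paths agree, which is the check worth running when two resolvers disagree on a name served from the same set of nameservers.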
