Broken 1.1.1.1 (Inconsistent Result for Misconfigured domain)

Your public DNS servers (1.1.1.1) provide inconsistent DNSSEC results for misconfigured domain nrsflorida.com While I understand the domain is misconfigured, the DNS resolver gives different results with seeming randomness. Here are two digs on the same domain, moments apart with different results. It is very inconsistent which result is given. Sometimes it gives the correct result (with the insecure DNSSEC records) others it gives the broken result.

It appears your resolver is getting confused by the fact that nrsflorida.com is not properly configured. The best guess for the issue is that the (not allowed) CNAME on the nrsflorida.com apex confuses 1.1.1.1 and overrides the DS from the parent.

[email protected]:~$ dig ds nrsflorida.com @1.1.1.1 +dnssec

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> ds nrsflorida.com @1.1.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31216
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;nrsflorida.com. IN DS

;; AUTHORITY SECTION:
ck0pojmg874ljref7efn8430qvit8bsm.com. 86317 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
ck0pojmg874ljref7efn8430qvit8bsm.com. 86317 IN RRSIG NSEC3 8 2 86400 20200122054915 20200115043915 12163 com. FNlrPrqpKfVHKASgkcTgT29br3HmpcXgRzMcdX4Ctkbi1zE22CbnfCTh SjAoyiUDjN5IJ+oGTKuTEjfMIFAEgjUW8b2xVYlmGCiEtrapua407X2t Dw3Dtkn4d5EGYjFORD32d9+gBVGkOEiimWZvL4uCH2gUy/uBPW1PLJAS NQNt45Eu6uTLVDvptAmn5uc2MbRvpkEHr6dsmB587FJQsw==
com. 817 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1579193389 1800 900 604800 86400
com. 817 IN RRSIG SOA 8 1 900 20200123164949 20200116153949 56311 com. F1vZjUvIyYv5mEllY/1vb30HJ4RH5KdodegY0UexUch+XpAn+PsXDMvr M/kVgG95xyAayOy0OWWzcefZRL054x4ekUP2RCJ23w8tyefqjf3CMR3f p5c6lh+RVBN8MQATllXSGwzwRBuSOk3AxcExh7+nAdotKz56iN09JH3U aYj3OYb2VlwCoFeL/JhQ2/Ud1utAcCwdzrzVOBp7DgCXVg==
jkfof4fpn5ckpe8ljlkhk5442trbcj5b.com. 86317 IN NSEC3 1 1 0 - JKFQ08B9TDOVJQ5FDIPSG7DGJPUMDNR7 NS DS RRSIG
jkfof4fpn5ckpe8ljlkhk5442trbcj5b.com. 86317 IN RRSIG NSEC3 8 2 86400 20200121053649 20200114042649 12163 com. WnacUry+f1jRkCbxumdCqh9Z31OLzXOxnd3P7slfiwu7Mrm+xCZGE34N KNsRTujhWPzh9ZyeMAreUNYvZ0kJbM5UVL/0BoU4XBD5eCSWBtcf7kPM R+NrCwY2L86LAEJpWaf930dItTSmbo9eJmtw57rNwsWqNERF4fmP267T t+axpwsYLdfpO/3pVgoIDVxQfxWfM2pmJj6EIL7RC6W9Og==

;; Query time: 16 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jan 16 16:51:26 UTC 2020
;; MSG SIZE rcvd: 863

[email protected]:~$ dig ds nrsflorida.com @1.1.1.1 +dnssec

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> ds nrsflorida.com @1.1.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29609
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;nrsflorida.com. IN DS

;; ANSWER SECTION:
nrsflorida.com. 295 IN CNAME imedia-e.nrsforu.com.

;; AUTHORITY SECTION:
nrsforu.com. 300 IN SOA nns1a.nationwide.com. dns-admin.nationwide.com. 192 10800 3600 2592000 300

;; Query time: 57 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jan 16 16:51:45 UTC 2020
;; MSG SIZE rcvd: 145