Cloudflare Resolver did not reply DNSSEC for a domain

dash-dns
dns-resolver
#1

The command below checks a domain (quad9.net) for its NS servers, with a DNSSEC query.
The reply from Cloudflare DNS @1.1.1.1 does not have a DNSSEC response.
Tested with Quad9 and Google Public DNS; their responses are enabled with DNSSEC.

The details of the query are in the attachment.

#2

Looks like the RRSIG record type is not returned by @1.1.1.1 if the DNSSEC response is not valid (no AD flag).
On further checking, quad9.net has RRSIG records, but they don’t have a valid DS record in the .net zone.

#3

When the chain of trust is provably broken (quad9.net has no DS), Knot Resolver didn’t even ask for DNSSEC records for the names underneath – because such domains are inherently insecure (from its point of view) and just asking used to confuse many servers.

However, since the recent 4.0.0 release this has changed, and it will return RRSIGs in such cases, including this particular one. I have no idea when Cloudflare deploys the change, though (I’m not affiliated).
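An added example, not from this thread or from Cloudflare: a small Python checker that parses `dig +dnssec` text output and separates the cases discussed in posts #2 and #3: a validated answer (AD flag plus RRSIGs), signatures returned without AD, and the quad9.net situation where the resolver returns no RRSIG at all because the parent zone has no DS. The two dig outputs embedded below are constructed samples, not captures from 1.1.1.1 or 9.9.9.9.

```python
import re

# Constructed sample outputs (not real captures) in the shape `dig +dnssec NS <name>` prints.
# Sample 1: a validated chain of trust: AD flag set and an RRSIG in the answer.
DIG_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
example.net.    3600    IN      NS      ns1.example.net.
example.net.    3600    IN      RRSIG   NS 13 2 3600 20240101000000 20231201000000 12345 example.net. AAAA==
"""
# Sample 2: the thread's case: no DS in the parent, so no AD and the resolver withholds RRSIGs.
DIG_NO_DS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
quad9.net.      3600    IN      NS      ns1.example.
"""

def parse_dig(output: str) -> dict:
    """Pull the DNSSEC-relevant facts out of dig's text output."""
    m = re.search(r"^;; flags: ([a-z ]*);", output, re.M)
    header_flags = set(m.group(1).split()) if m else set()
    m = re.search(r"^; EDNS: .*?flags: ([a-z ]*);", output, re.M)
    edns_flags = set(m.group(1).split()) if m else set()
    rrsig, section = 0, None
    for line in output.splitlines():
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]   # e.g. "ANSWER"
            continue
        f = line.split()
        if section == "ANSWER" and len(f) >= 4 and f[2] == "IN" and f[3] == "RRSIG":
            rrsig += 1
    return {"do": "do" in edns_flags, "ad": "ad" in header_flags, "rrsig": rrsig}

def classify(output: str) -> str:
    """Interpret the parsed facts the way the thread does."""
    facts = parse_dig(output)
    if not facts["do"]:
        return "not-requested"       # +dnssec was not used (or EDNS was stripped): nothing to judge
    if facts["ad"] and facts["rrsig"]:
        return "secure"              # validated by the resolver, signatures returned
    if facts["rrsig"]:
        return "signed-unvalidated"  # signatures present but no AD: check the DS record at the parent
    return "no-dnssec-data"          # no RRSIG, no AD: unsigned zone, or RRSIGs withheld on a broken chain
```

Feeding it the text of the `dig +dnssec NS quad9.net @1.1.1.1` run from post #1 reproduces the observation there; a DS lookup for quad9.net in the .net zone then confirms whether the chain is broken at the parent, as post #2 found.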