I’m using a stub resolver to connect to 188.8.131.52 over TLS. Checking the DNS debug page seems to get contradictory results: it says that I’m not connected to 184.108.40.206, but the reported AS is Cloudflare. Based on my configuration, the error is that I am connected to 220.127.116.11 (and the report that I’m not is wrong), rather than the AS being wrong.
Disable DNSSEC. The test displays false negatives when your client is validating DNSSEC.
That’d explain it. Is there an explanation for the explanation?
Explained here: *.is-cf.cloudflareresolve.com is not a valid DNSSEC zone