DNSSEC issues when using WARP

Hi,

I noticed an issue with DNSSEC when connected to WARP while testing DNSSEC for some of our domains.

When connected with WARP and using the default resolver:

# Check the DNS server
$ dig whoami.akamai.net +short
172.69.60.103

$ delv dnssec.works
;; no valid RRSIG resolving 'works/DS/IN': 127.0.2.3#53
;; no valid RRSIG resolving 'works/DS/IN': 127.0.2.2#53
;; broken trust chain resolving 'dnssec.works/A/IN': 127.0.2.2#53
;; resolution failed: broken trust chain

# We can see that dig doesn't return the RRSIG record
$ dig dnssec.works +dnssec +multi

; <<>> DiG 9.18.26 <<>> dnssec.works +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14967
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec.works.		IN A

;; ANSWER SECTION:
dnssec.works.		60 IN A	162.159.36.12

;; Query time: 24 msec
;; SERVER: 127.0.2.2#53(127.0.2.2) (UDP)
;; WHEN: Fri May 03 12:12:17 AEST 2024
;; MSG SIZE  rcvd: 57

It works if pointing to 1.1.1.1:

$ delv dnssec.works @1.1.1.1
; fully validated
dnssec.works.		3600	IN	A	5.45.107.88
dnssec.works.		3600	IN	RRSIG	A 8 2 3600 20240516092800 20240416084749 63306 dnssec.works. 2mMR1n1pOyRLC2bAe4BqYwz3zZYcj9bBPjIT0pZu9rTqn9SBWaZ2kLh0 zLrtHdnRaTpA6BXa9V1IARkqht9JZuKeJClNz0ShyecJDw/aXLegGIUp h6MTZEK+4NW4uzz/dmu0w109jsOZq9Xqvxe2qfgIqTMO6371BoN6rxCA Nxas7lwlTude3bq9tff/trvVfPTDefiS6gQ39Ml5x7hTgBerMTmxo5Yd JCrBRkAOS/cMrxeTYe9GVLftCSr9kTvk

# We can see the RRSIG record and the `ad` flag
$ dig dnssec.works +dnssec +multi @1.1.1.1

; <<>> DiG 9.18.26 <<>> dnssec.works +dnssec +multi @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42035
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssec.works.		IN A

;; ANSWER SECTION:
dnssec.works.		2518 IN	A 5.45.107.88
dnssec.works.		2518 IN	RRSIG A 8 2 3600 (
				20240516092800 20240416084749 63306 dnssec.works.
				2mMR1n1pOyRLC2bAe4BqYwz3zZYcj9bBPjIT0pZu9rTq
				n9SBWaZ2kLh0zLrtHdnRaTpA6BXa9V1IARkqht9JZuKe
				JClNz0ShyecJDw/aXLegGIUph6MTZEK+4NW4uzz/dmu0
				w109jsOZq9Xqvxe2qfgIqTMO6371BoN6rxCANxas7lwl
				Tude3bq9tff/trvVfPTDefiS6gQ39Ml5x7hTgBerMTmx
				o5YdJCrBRkAOS/cMrxeTYe9GVLftCSr9kTvk )

;; Query time: 27 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri May 03 12:31:32 AEST 2024
;; MSG SIZE  rcvd: 293

Similarly, if I disconnect from WARP (note that I’m using 1.1.1.1 as the DNS server):

$ dig whoami.akamai.net +short
108.162.248.115

$ delv dnssec.works
; fully validated
dnssec.works.		3127	IN	A	5.45.107.88
dnssec.works.		3127	IN	RRSIG	A 8 2 3600 20240516092800 20240416084749 63306 dnssec.works. 2mMR1n1pOyRLC2bAe4BqYwz3zZYcj9bBPjIT0pZu9rTqn9SBWaZ2kLh0 zLrtHdnRaTpA6BXa9V1IARkqht9JZuKeJClNz0ShyecJDw/aXLegGIUp h6MTZEK+4NW4uzz/dmu0w109jsOZq9Xqvxe2qfgIqTMO6371BoN6rxCA Nxas7lwlTude3bq9tff/trvVfPTDefiS6gQ39Ml5x7hTgBerMTmxo5Yd JCrBRkAOS/cMrxeTYe9GVLftCSr9kTvk

# See `ad` flag and RRSIG
$ dig dnssec.works +dnssec +multi

; <<>> DiG 9.18.26 <<>> dnssec.works +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9924
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: fb778b74a822dea8 (echoed)
;; QUESTION SECTION:
;dnssec.works.		IN A

;; ANSWER SECTION:
dnssec.works.		2195 IN	A 5.45.107.88
dnssec.works.		2195 IN	RRSIG A 8 2 3600 (
				20240516092800 20240416084749 63306 dnssec.works.
				2mMR1n1pOyRLC2bAe4BqYwz3zZYcj9bBPjIT0pZu9rTq
				n9SBWaZ2kLh0zLrtHdnRaTpA6BXa9V1IARkqht9JZuKe
				JClNz0ShyecJDw/aXLegGIUph6MTZEK+4NW4uzz/dmu0
				w109jsOZq9Xqvxe2qfgIqTMO6371BoN6rxCANxas7lwl
				Tude3bq9tff/trvVfPTDefiS6gQ39Ml5x7hTgBerMTmx
				o5YdJCrBRkAOS/cMrxeTYe9GVLftCSr9kTvk )

;; Query time: 32 msec
;; SERVER: 10.1.0.3#53(10.1.0.3) (UDP)
;; WHEN: Fri May 03 12:32:22 AEST 2024
;; MSG SIZE  rcvd: 329

Any idea why this is happening?

Interestingly, this DNSSEC Resolver Test works both when connected to WARP or not…
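
The comparison made by eye in the transcripts above can be scripted. The following is an added example, not part of the original post: it parses `dig +dnssec` text output and reports the three signals that differ between the two captures (the `do` flag in the OPT pseudosection, an RRSIG in the answer, and the `ad` header flag). The function names are hypothetical, and the sample inputs are abridged from the post's own output.

```python
import re

# Abridged from the two dig transcripts in the post (whitespace normalised).
VIA_WARP = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
dnssec.works. 60 IN A 162.159.36.12
;; SERVER: 127.0.2.2#53(127.0.2.2) (UDP)
"""
VIA_1111 = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
dnssec.works. 2518 IN A 5.45.107.88
dnssec.works. 2518 IN RRSIG A 8 2 3600 (
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
"""

def _flags(pattern, text):
    """Return the space-separated flags captured by `pattern` as a set."""
    m = re.search(pattern, text, re.M)
    return set(m.group(1).split()) if m else set()

def dnssec_signals(dig_output):
    """Pull the DNSSEC-relevant fields out of `dig +dnssec` text output."""
    server = re.search(r"^;; SERVER: ([^#\s]+)", dig_output, re.M)
    # Record lines are the non-empty lines that are not ';' comments.
    records = [l.split() for l in dig_output.splitlines()
               if l.strip() and not l.startswith(";")]
    return {
        "server": server.group(1) if server else None,
        # AD in the header: the resolver claims it validated the answer.
        "ad": "ad" in _flags(r"^;; flags:([^;]*);", dig_output),
        # DO in the response OPT record: the DNSSEC OK bit came back.
        "do": "do" in _flags(r"^; EDNS:.*?flags:([^;]*);", dig_output),
        # owner TTL class type ...: field 3 is the record type.
        "rrsig": any(len(f) >= 4 and f[3] == "RRSIG" for f in records),
    }

def missing_signals(dig_output):
    """List the signals a downstream validator such as delv depends on."""
    s = dnssec_signals(dig_output)
    return [k for k in ("do", "rrsig", "ad") if not s[k]]

if __name__ == "__main__":
    for name, text in (("WARP", VIA_WARP), ("1.1.1.1", VIA_1111)):
        print(name, dnssec_signals(text), missing_signals(text))
```
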