Although the following doesn’t apply to www.interlegis.leg.br, for anyone else coming to this if they have a problem with leg.br domains on 126.96.36.199 (and for the CloudFlare team supporting it):
This is a problem with the infra.leg.br name servers that breaks implementations (like CloudFlare 188.8.131.52 and Google Public DNS 184.108.40.206) that synthesize negative answers from cached DNSSEC NSEC records, as described in RFC 8198.
Basically, the name servers for infra.leg.br implement DNSSEC in a very simple (and broken) way, using an NSEC record that securely proves there are no subdomains of infra.leg.br whenever they need to return an NXDOMAIN response.
It is simple because they can use the same NSEC record for any NXDOMAIN response. It is broken because this same NSEC record also proves the non-existence of any subdomain that actually does exist. That can cause security vulnerabilities with CAA or TLSA records, where falsely proving the non-existence of a domain allows an attacker to disable security protections.
In the spirit of DNSSEC “white lies” and “black lies” I call these over-broad NSEC records proving the non-existence of all subdomains “bald-faced lies.”
As long as you only ask for existing domains, the infra.leg.br name servers return positive responses, which public resolvers implementing RFC 8198 use and cache normally. But as soon as anyone asks an RFC 8198 resolver for a non-existent domain, that resolver will cache the bald-faced lie NSEC record and start returning NXDOMAIN responses for all subdomains that are not already cached, until the bald-faced lie NSEC record expires.
Google Public DNS resolved this problem by disabling RFC 8198 negative synthesis for infra.leg.br and all its subdomains (see https://issuetracker.google.com/issues/37414272#comment2 – which also provides examples of the bald-faced lie NSEC records). I don’t know if the Knot resolver used by 220.127.116.11 has the ability to disable RFC 8198 on a per-domain or per-zone basis, or if that is not possible, to disable DNSSEC entirely for
The real fix for this problem is to replace the name servers for infra.leg.br with ones that don’t make bald-faced lies.
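The mechanism the post describes, written out as an added example that is not part of the original post and is not code from Google Public DNS, Knot Resolver or any other resolver: a small model of RFC 4034 canonical name ordering, the RFC 4035 "NSEC covers this name" test, and the RFC 8198 section 5.1 NXDOMAIN synthesis (covering NSEC for the QNAME plus a covering NSEC for the wildcard at the closest encloser, derived as in RFC 7129). The zone contents (ns1 and www under infra.leg.br) and the NSEC records are constructed for illustration; in particular the over-broad record is modelled as an NSEC whose next-owner field is the apex itself, which is one shape such a record can take, not a copy of the records shown in the issue tracker.

```python
"""Model of RFC 8198 aggressive NSEC caching, showing why an over-broad NSEC is dangerous."""

from dataclasses import dataclass


def labels(name):
    """Canonical-form labels, most significant first: 'www.Example.' -> ('example', 'www')."""
    name = name.rstrip('.').lower()
    return tuple(reversed(name.split('.'))) if name else ()


def canonical_cmp(a, b):
    """RFC 4034 section 6.1 ordering: -1 if a sorts before b, 0 if equal, 1 if after."""
    la, lb = labels(a), labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))  # a proper prefix sorts first


def is_ancestor_or_self(ancestor, name):
    la = labels(ancestor)
    return labels(name)[:len(la)] == la


def common_ancestor(a, b):
    la, lb = labels(a), labels(b)
    n = 0
    while n < min(len(la), len(lb)) and la[n] == lb[n]:
        n += 1
    return '.'.join(reversed(la[:n]))


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_owner: str
    types: frozenset

    def covers(self, qname):
        """True if qname lies in the gap this NSEC asserts to be empty (RFC 4035 section 5.4)."""
        if canonical_cmp(self.owner, qname) >= 0:
            return False  # qname is the owner itself, or sorts before it
        # An NSEC at a delegation point says nothing about names below the cut (RFC 6840 section 4.1).
        if 'NS' in self.types and 'SOA' not in self.types and is_ancestor_or_self(self.owner, qname):
            return False
        if canonical_cmp(self.owner, self.next_owner) < 0:
            return canonical_cmp(qname, self.next_owner) < 0
        # next_owner <= owner: the last NSEC in the chain wraps to the zone apex and
        # covers every name after the owner that is still inside the zone.
        return is_ancestor_or_self(self.next_owner, qname)


def synthesize_nxdomain(qname, cache):
    """RFC 8198 section 5.1: the cached NSECs that justify an NXDOMAIN for qname, or None."""
    covering = next((r for r in cache if r.covers(qname)), None)
    if covering is None:
        return None
    # Closest encloser: longest existing ancestor, derivable from the covering NSEC (RFC 7129 section 5.5).
    ce = max(common_ancestor(qname, covering.owner), common_ancestor(qname, covering.next_owner),
             key=lambda n: len(labels(n)))
    wild_proof = next((r for r in cache if r.covers('*.' + ce)), None)
    if wild_proof is None:
        return None  # a wildcard might exist, so the resolver must ask the authoritative server
    return (covering, wild_proof)


# Constructed sample zone with three names and the NSEC chain a correct signer would emit.
HONEST_CHAIN = [
    NSEC('infra.leg.br', 'ns1.infra.leg.br', frozenset({'NS', 'SOA', 'RRSIG', 'NSEC', 'DNSKEY'})),
    NSEC('ns1.infra.leg.br', 'www.infra.leg.br', frozenset({'A', 'RRSIG', 'NSEC'})),
    NSEC('www.infra.leg.br', 'infra.leg.br', frozenset({'A', 'CAA', 'RRSIG', 'NSEC'})),
]

# Constructed over-broad record: next owner equal to the apex claims the zone holds no other name.
# Illustrative shape only, not a capture from the real infra.leg.br servers.
BALD_FACED_LIE = [NSEC('infra.leg.br', 'infra.leg.br', frozenset({'NS', 'SOA', 'RRSIG', 'NSEC', 'DNSKEY'}))]


def demo():
    """Which queries can be answered NXDOMAIN from cache after one negative answer of each kind."""
    queries = ['doesnotexist.infra.leg.br', 'ns1.infra.leg.br', 'www.infra.leg.br']
    # The honest resolver has only cached the NSEC that answered the first query.
    honest_cache = [r for r in HONEST_CHAIN if r.covers(queries[0])]
    return {
        'honest': {q: synthesize_nxdomain(q, honest_cache) is not None for q in queries},
        'lie': {q: synthesize_nxdomain(q, BALD_FACED_LIE) is not None for q in queries},
    }


if __name__ == '__main__':
    print(demo())
```

With the honest chain, the cached NSEC only lets the resolver synthesize NXDOMAIN for the non-existent name; ns1 and www fall outside its gap and still go to the authoritative server. With the over-broad record, every name under the apex, including the CAA-bearing www and any TLSA name beneath it, is "proven" absent until the record's TTL expires, which is the failure the post describes.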