I’m noticing the AD bit is missing for certain responses to mail.mil queries. The same queries return AD bit from google and multiple other validating resolvers I use. Any idea why?
dig @220.127.116.11 mail.mil mx
dig @18.104.22.168 mail.mil mx
dig @22.214.171.124 www.disa.mil
Given that a query to 126.96.36.199 will not return any DNSSEC data, it appears likely that DNSSEC validation has been specifically disabled for mail.mil (when validation is disabled, the Knot resolver used for 188.8.131.52 will not send the DNSSEC_OK flag to authoritative servers and thus cannot provide that data to its own clients even if it is requested).
dig +dnssec @184.108.40.206 mail.mil
The reason for such a negative trust anchor is only known to Cloudflare, but it may have been related to other problems with DNSSEC validation for the domain. One possible cause might be that the DNSKEY response for mail.mil is 1497 bytes long (the IPv4 UDP response would then have an IP packet size of 1525, which will definitely require fragmentation).
dig +dnssec @220.127.116.11 mail.mil dnskey
I don’t see any other typical reasons for disabling DNSSEC validation, such as overbroad NSEC3 replies that prove nonexistence of records that do exist, but it is possible that there are other issues, as the .MIL domains have a pretty long track record of unusual behaviors related to DNSSEC.
One thing you could do to reduce the response size for the mail.mil/DNSKEY query would be to configure your name servers not to sign the DNSKEY RRSet with the ZSK:
$ dig +noall +answer +stats +nocrypto +dnssec mail.mil dnskey @18.104.22.168
mail.mil. 1400 IN DNSKEY 257 3 8 [key id = 30919]
mail.mil. 1400 IN DNSKEY 257 3 8 [key id = 28882]
mail.mil. 1400 IN DNSKEY 256 3 8 [key id = 40044]
mail.mil. 1400 IN RRSIG DNSKEY 8 2 3600 20190801134159 20190702134159 28882 mail.mil. [omitted]
mail.mil. 1400 IN RRSIG DNSKEY 8 2 3600 20190801134159 20190702134159 30919 mail.mil. [omitted]
mail.mil. 1400 IN RRSIG DNSKEY 8 2 3600 20190801134159 20190702134159 40044 mail.mil. [omitted]
;; Query time: 56 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Tue Jul 30 09:01:25 EDT 2019
;; MSG SIZE rcvd: 1497
Removing the unnecessary and redundant RRSIG for the key id 40044 would reduce the size of the response enough that it would probably fit in a single IPv4 UDP datagram.
If this pointless RRSIG is being generated by DNSSEC signing software that you bought from a vendor (I suspect it is), you should file a feature request with them to have the zone signing omit the ZSK signature for the DNSKEY RRSet, since only the KSK signatures are required or used in validating that RRSet.
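The two things discussed in this thread, checking whether a resolver's answer carries the AD flag (the original question) and working out how much a DNSKEY reply shrinks once the ZSK-made RRSIG is dropped (the suggestion above), can both be checked offline from a captured response. The following script is an added example and is not code from the thread or from any resolver or signer mentioned in it; it parses a DNS message on the wire, reports the AD flag, the DO bit and advertised UDP size from the OPT record, the IPv4/UDP datagram size (message plus 28 bytes of headers, the arithmetic behind the 1497/1525 figures), and the size the reply would have without the RRSIG for a given key tag. The sample response it builds is constructed: it mimics the shape of the mail.mil DNSKEY answer quoted above (two KSKs, one ZSK, three RRSIGs, owner names as compression pointers), but the key sizes (2048-bit KSKs, 1024-bit ZSK) and signature timestamps are assumptions, so its byte counts do not match the real 1497-byte reply.

```python
"""Inspect DNSSEC-related details of a DNS response on the wire (added example)."""
import struct

IPV4_UDP_OVERHEAD = 20 + 8      # IPv4 header + UDP header, bytes
TYPE_DNSKEY, TYPE_RRSIG, TYPE_OPT = 48, 46, 41


def _read_name(msg, off):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return header flags, EDNS details and (section, name, type, wire_size, rdata_off) per RR."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"ad": bool(flags & 0x0020), "rcode": flags & 0x000F,
            "do": False, "edns_udp_size": None, "records": []}
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            start = off
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata_off = off + 10
            off = rdata_off + rdlen
            if rtype == TYPE_OPT:                       # EDNS0: class = UDP payload size, TTL bit 15 = DO
                info["edns_udp_size"] = rclass
                info["do"] = bool(ttl & 0x8000)
            info["records"].append((section, name, rtype, off - start, rdata_off))
    return info


def ipv4_udp_datagram_size(msg_len):
    """Size of the IPv4 packet carrying a DNS message of msg_len bytes over UDP."""
    return msg_len + IPV4_UDP_OVERHEAD


def size_without_rrsig(msg, key_tag):
    """Message size if the RRSIG produced by the key with this key tag were omitted."""
    for _section, _name, rtype, wire_size, rdata_off in parse_response(msg)["records"]:
        # RRSIG rdata: type(2) alg(1) labels(1) origttl(4) expire(4) incept(4) keytag(2) ...
        if rtype == TYPE_RRSIG and struct.unpack("!H", msg[rdata_off + 16:rdata_off + 18])[0] == key_tag:
            return len(msg) - wire_size
    raise ValueError(f"no RRSIG made with key tag {key_tag}")


# ---- constructed sample response (not a real capture) ------------------------
def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def _rr(owner, rtype, rdata, rclass=1, ttl=1400):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def _rrsig_rdata(key_tag, sig_len):
    # signer name is a pointer to the question name; timestamps are constructed values
    return struct.pack("!HBBIIIH", TYPE_DNSKEY, 8, 2, 3600, 1564667000, 1562075000, key_tag) \
        + b"\xc0\x0c" + b"\x00" * sig_len


def build_sample_dnskey_response(ad=True, do=True):
    flags = 0x8180 | (0x0020 if ad else 0)              # QR, RD, RA (+AD)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, 6, 0, 1)
    question = _encode_name("mail.mil.") + struct.pack("!HH", TYPE_DNSKEY, 1)
    owner = b"\xc0\x0c"                                 # pointer to "mail.mil." at offset 12
    body = b""
    for keyflags, blob_len in ((257, 260), (257, 260), (256, 132)):   # KSK, KSK, ZSK (assumed sizes)
        body += _rr(owner, TYPE_DNSKEY, struct.pack("!HBB", keyflags, 3, 8) + b"\x01" * blob_len)
    for tag, sig_len in ((28882, 256), (30919, 256), (40044, 128)):   # ZSK 40044 signs too
        body += _rr(owner, TYPE_RRSIG, _rrsig_rdata(tag, sig_len))
    opt = _rr(b"\x00", TYPE_OPT, b"", rclass=4096, ttl=0x8000 if do else 0)
    return hdr + question + body + opt


if __name__ == "__main__":
    msg = build_sample_dnskey_response()
    info = parse_response(msg)
    print(f"AD={info['ad']} DO={info['do']} EDNS={info['edns_udp_size']} "
          f"msg={len(msg)} datagram={ipv4_udp_datagram_size(len(msg))} "
          f"without ZSK RRSIG={size_without_rrsig(msg, 40044)}")
```

To use it on a real answer, feed `parse_response` the raw bytes of the DNS message (for example from a packet capture) in place of the constructed one; a resolver with validation disabled for the zone will show `ad=False` on a reply that a validating resolver returns with `ad=True`, and `size_without_rrsig` shows what a single dropped RRSIG buys before the IPv4 fragmentation threshold is reached.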