Missing RRSIGs for www.icann.org


#1

Sometimes, both 1.1.1.1 and 1.0.0.1 will not return RRSIGs for A records.

$ dig www.icann.org @1.1.1.1 +dnssec +cd

; <<>> DiG 9.11.3-RedHat-9.11.3-6.fc28 <<>> www.icann.org @1.1.1.1 +dnssec +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55171
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;www.icann.org.			IN	A

;; ANSWER SECTION:
www.icann.org.		1631	IN	CNAME	www.vip.icann.org.
www.icann.org.		1631	IN	RRSIG	CNAME 7 3 3600 20180628070008 20180607104038 43515 icann.org. JmvAclougIA+LQQgSc5+8Csp45eNEchoxGIYgGmqWzZx2i2X9RAI3PRB HHRkWk85NDNJ9dUJ9URj29bC7+znUy9pcSYG9P+DvN8ftmjcuCQXmjHU hixkb4RxwmHrLkxn43aZfBAiqhU++MInUsSUQLZQNuSoIqf+6kcpMAIC D7Y=
www.vip.icann.org.	24	IN	A	192.0.32.7

;; Query time: 0 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Jun 18 10:41:52 CEST 2018
;; MSG SIZE  rcvd: 257

Sometimes they do:

$ dig www.icann.org @1.1.1.1 +dnssec +cd

; <<>> DiG 9.11.3-RedHat-9.11.3-6.fc28 <<>> www.icann.org @1.1.1.1 +dnssec +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55643
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;www.icann.org.			IN	A

;; ANSWER SECTION:
www.icann.org.		1578	IN	CNAME	www.vip.icann.org.
www.icann.org.		1578	IN	RRSIG	CNAME 7 3 3600 20180628070008 20180607104038 43515 icann.org. JmvAclougIA+LQQgSc5+8Csp45eNEchoxGIYgGmqWzZx2i2X9RAI3PRB HHRkWk85NDNJ9dUJ9URj29bC7+znUy9pcSYG9P+DvN8ftmjcuCQXmjHU hixkb4RxwmHrLkxn43aZfBAiqhU++MInUsSUQLZQNuSoIqf+6kcpMAIC D7Y=
www.vip.icann.org.	30	IN	A	192.0.32.7
www.vip.icann.org.	30	IN	RRSIG	A 7 4 30 20180624151308 20180617151308 18317 vip.icann.org. VGOGMjIp1RIy/m6hoA5zhrIczKhTWGqIoR+4+cwqGSzXdBF08O1OFouo nErtq1Uvv9+LvVw7aLWiCyYT3msm7eFG4Lwa4PK85iBCRFoCXL/w28vR G+WPzDZFnHF1eWrCrCiHL20hpi70Bi1g2nsoQEIlKhfKvIqQHBMa7c2m Czo=

;; Query time: 93 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Jun 18 10:42:45 CEST 2018
;; MSG SIZE  rcvd: 430

Location seems to be stable, “prg01” all the time:

$ dig +short CHAOS TXT id.server @1.1.1.1
"prg01"

#2

This is an issue with revalidating forwarders using +cd and the shared cache implementation (which rejects insertion of unvalidated signatures); it’s going to be fixed in the next rollout sometime this week.
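As an added check (example code written for this page, not posted by either participant and not Cloudflare’s code), the script below parses the ANSWER section of a `dig +dnssec` response and lists every RRset that has no RRSIG covering it. Run over the two answers quoted in post #1 (embedded here as constructed samples with the signature bytes trimmed to `...`), it flags the `www.vip.icann.org. A` RRset in the first response and nothing in the second, which is exactly the symptom the thread describes. The point for a client: `+cd` asks the resolver to return data even when it could not validate it, so a CD-setting client must check for (or validate) the RRSIGs itself rather than rely on the AD bit. The filename `check_rrsig.py` and the stdin usage are assumptions.

```python
#!/usr/bin/env python3
"""Report answer RRsets that carry no covering RRSIG in a dig +dnssec answer.

Usage (assumed):
    dig +dnssec +cd +noall +answer www.icann.org @1.1.1.1 | python3 check_rrsig.py
"""
import sys

# Constructed samples: the ANSWER SECTION lines from the two responses quoted
# in post #1. Signature data is trimmed to "..." because the check only needs
# the RRSIG's "type covered" field (first rdata token, RFC 4034), not the bytes.
RESPONSE_WITHOUT_A_RRSIG = """\
www.icann.org.\t\t1631\tIN\tCNAME\twww.vip.icann.org.
www.icann.org.\t\t1631\tIN\tRRSIG\tCNAME 7 3 3600 20180628070008 20180607104038 43515 icann.org. JmvAcl...
www.vip.icann.org.\t24\tIN\tA\t192.0.32.7
"""

RESPONSE_WITH_A_RRSIG = """\
www.icann.org.\t\t1578\tIN\tCNAME\twww.vip.icann.org.
www.icann.org.\t\t1578\tIN\tRRSIG\tCNAME 7 3 3600 20180628070008 20180607104038 43515 icann.org. JmvAcl...
www.vip.icann.org.\t30\tIN\tA\t192.0.32.7
www.vip.icann.org.\t30\tIN\tRRSIG\tA 7 4 30 20180624151308 20180617151308 18317 vip.icann.org. VGOGMj...
"""


def parse_answer(text):
    """Parse dig-style RR lines into (owner, class, type, rdata) tuples.

    Comment lines (starting with ';') and blank lines are skipped, so the
    output of `dig +noall +answer` or a full dig dump can be fed in directly.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # owner ttl class type rdata
        if len(fields) < 5:
            raise ValueError("unparseable RR line: %r" % line)
        owner, _ttl, rclass, rtype, rdata = fields
        # Owner names are case-insensitive; normalise so RRSIG/RRset match.
        records.append((owner.lower(), rclass, rtype, rdata))
    return records


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs for RRsets lacking a covering RRSIG.

    An RRSIG covers the RRset with the same owner name and whose type equals
    the RRSIG's first rdata token (the "type covered" field).
    """
    rrsets = set()
    covered = set()
    for owner, _rclass, rtype, rdata in parse_answer(text):
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0]))
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


def report(label, text):
    """Print a one-line verdict for a response; returns the missing list."""
    missing = unsigned_rrsets(text)
    if missing:
        print("%s: MISSING RRSIG for %s" % (
            label, ", ".join("%s %s" % m for m in missing)))
    else:
        print("%s: every answer RRset is signed" % label)
    return missing


if __name__ == "__main__":
    if not sys.stdin.isatty():
        # Live mode (assumed usage): dig output piped on stdin.
        report("stdin", sys.stdin.read())
    else:
        # Offline demo over the constructed samples from the thread.
        report("response 1 (post #1, first dig)", RESPONSE_WITHOUT_A_RRSIG)
        report("response 2 (post #1, second dig)", RESPONSE_WITH_A_RRSIG)
```

A missing RRSIG in a `+cd` answer is not itself proof of tampering, since the resolver is allowed to serve unvalidated cache contents under CD; the useful follow-up is to repeat the query without `+cd` (a validating resolver must then return SERVFAIL rather than an unsigned answer for a signed zone) and, if the two disagree, to query the zone’s authoritative servers directly to see whether the signature exists at the source.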