Den 08-12-2021 kl. 14:35 skrev Marco Davids (Private) via NANOG:
Hi Laura,
Something seems the matter, indeed:
https://dnsviz.net/d/european-union.europa.eu/YbCzrQ/dnssec/
It's weird; 1.1.1.1 resolves, 8.8.8.8 and 9.9.9.9 return SERVFAIL.
It is my understanding that the CNAME should never have been followed,
since there isn't any covering RRSIG for the actual CNAME, exactly as
the elaborative message on dnsviz.net claims.
As such, the CNAME record cannot be verified to be authentic.
To me, that part of it also points towards a broken implementation at
CloudFlare, letting a bogus (insecure) responses take effect anyway.
--
Med venlig hilsen / Kind regards,
Arne Jensen