This is one of the three example domain names setup by HKIRC for testing the effect of DNSSEC validation. The three domain names are:

Depending on the DNS resolver that you are using, the expected results of accessing these example domain names will be different. They are illustrated in the table below.

disabled.dnssec.hkirc.hk enabled.dnssec.hkirc.hk failed.dnssec.hkirc.hk
DNSSEC validating resolver

OK

OK

Not OK

DNSSEC non-validating resolver
(or misconfigured validating resolver)

OK

OK

OK

You can see this page because:

What's happening under the hood:

As DNSSEC validating resolver able to detect its a spoofy (or misconfigured) response but non-validating resolver continue to serve the spoofed record, only device not using a dnssec validating resolver will see this webpage.

When dig this domain name from any dnssec validating resolver, SERVFAIL should be returned and no records are responsed which indicated this answer is spoofed or authoritative name servers are not correctled configured

When dig this domain name from resolver which does not perform dnssec validatiion, it will still returning the response with no AD flag which indicate that this answer is not authoritative (cannot tell whether its spoofing resposne or not)

Addition DNSSEC information

HKIRC DNSSEC