Synapse exposes trusted_key_servers through the /key/v2/query endpoint #8441

Open
@matrixbot

This issue has been migrated from #8441.


Synapse has a trusted_key_servers config option which indicates where the server should reach out to acquire keys from. Most deployments will be able to reach out to the server directly, but in some cases they get verifiably-accurate keys from their trusted key servers.

By using the /key/v2/query endpoint, it is possible to see which servers the homeserver has decided to trust. For example, it is clear that matrix.org doesn't trust anyone except itself based upon its answer to querying t2bot.io (the server name being queried doesn't matter much, as long as it's remote and usually online). Mozilla on the other hand can clearly be seen as trusting matrix.org in its response to the same query - the trust is shown via two query responses, one of which happens to be signed by matrix.org, indicating it originated from there.

There is no need for /key/v2/query to include the signature from the upstream notary server; it should strip it out, either before storing the key in server_keys_json or when serving it up.
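The stripping proposed above, together with a check an operator can run against their own homeserver's response, as an added example (not Synapse's code). The function names, the `responder` parameter and the sample response are hypothetical and constructed for illustration.

```python
import copy

# Constructed sample shaped like a /key/v2/query response; every server name,
# key and signature value below is a placeholder, not real data.
SAMPLE_RESPONSE = {
    "server_keys": [{
        "server_name": "remote.example",
        "valid_until_ts": 1700000000000,
        "verify_keys": {"ed25519:a1": {"key": "constructed-public-key"}},
        "old_verify_keys": {},
        "signatures": {
            "remote.example": {"ed25519:a1": "constructed-origin-sig"},
            "notary.example": {"ed25519:n1": "constructed-upstream-sig"},
            "hs.example": {"ed25519:h1": "constructed-own-sig"},
        },
    }]
}


def third_party_signers(response, responder):
    """Audit: signers that are neither the key's origin nor the responder."""
    found = set()
    for key_json in response.get("server_keys", []):
        allowed = {key_json["server_name"], responder}
        found.update(set(key_json.get("signatures", {})) - allowed)
    return sorted(found)


def strip_upstream_signatures(key_json, responder):
    """Copy of one key object keeping only origin and responder signatures.

    Each signature covers the object without its `signatures` field, so
    dropping one entry leaves the remaining signatures verifiable.
    """
    allowed = {key_json["server_name"], responder}
    cleaned = copy.deepcopy(key_json)
    cleaned["signatures"] = {
        name: sigs
        for name, sigs in cleaned.get("signatures", {}).items()
        if name in allowed
    }
    return cleaned


def sanitize_response(response, responder):
    """Apply the stripping to every key object in a query response."""
    keys = response.get("server_keys", [])
    return {"server_keys": [strip_upstream_signatures(k, responder) for k in keys]}
```

The same filter fits either place the issue names: before the key is stored in server_keys_json or when the response is served.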
