-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Stephane, Yes that is a bug. The validator marks the result as bogus because it cannot find RRSIG(RRSIG). Fixed in trunk r1565. (it simply omits validation, no AD bit) Best regards, Wouter Stephane Bortzmeyer wrote: > The domain souissi.net is in the ISC DLV registry. > >>From Unbound 1.2.0, I can get the MX or the SOA: > > % dig +dnssec MX souissi.net > ... > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 9 > ... > > But not the RRSIG: > > % dig +dnssec RRSIG souissi.net > ... > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45731 > ... > > BIND 9.5.1 has no problem getting the RRSIG > _______________________________________________ > Unbound-users mailing list > Unbound-users at unbound.net > http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAknQkusACgkQkDLqNwOhpPhZ2wCgtSXOYpCqd5xy4W313n7OXXhe 3xAAmwcbgu+ZjcSxnYINkdGbe/9GRCHc =NHlz -----END PGP SIGNATURE-----