Hi, On Thu, Aug 07, 2008 at 03:05:47PM +0200, Wouter Wijngaards wrote: > It was fixed because some legacy boxes (adsl I think) did not like > getting AD bits in their replies and crash or hang on it. Grr! That's annoying. You're right; I'm using BIND 9.3 on the DNSSEC resolvers. > That means getting your stub resolver to set 'AD' in queries. > Sorry for the breakage, lol No problem - it's not your fault :) My stub has a RES_USE_DNSSEC macro to set DO if I recompile (yuk) but not a ready-made knob to set AD. I'll experiment with DO and see how it goes. I don't particularly want my stub getting all the RRSIGs, etc. Ah well. It looks like I'll have to keep BIND 9.3 for the short-term :/ Thanks for your reply (and for Unbound)! All the best, james -- Times flies like an arrow. Fruit flies like bananas.