Hi, I got report from one of our registrars, that there is a problem with validating mx.smtp.cz, which validates just fine on bind9. [1224510842] unbound[30691:0] info: super is <mx.smtp.cz. A IN> [1224510842] unbound[30691:0] debug: attempt DS match algo 5 keytag 28371 [1224510842] unbound[30691:0] debug: DS match digest ok, trying signature [1224510842] unbound[30691:0] debug: verify: wrong key for rrsig [1224510842] unbound[30691:0] debug: rrset failed to verify: all signatures are bogus [1224510842] unbound[30691:0] debug: Failed to match any usable DS to a DNSKEY. [1224510842] unbound[30691:0] info: Did not match a DS to a DNSKEY, thus bogus. [1224510842] unbound[30691:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass [1224510842] unbound[30691:0] info: validator operate: query <mx.smtp.cz. A IN> [1224510842] unbound[30691:0] debug: val handle processing q with state VAL_VALIDATE_STATE [1224510842] unbound[30691:0] info: Could not establish a chain of trust to keys for <smtp.cz. DNSKEY IN> [1224510842] unbound[30691:0] debug: val handle processing q with state VAL_FINISHED_STATE [1224510842] unbound[30691:0] debug: mesh_run: validator module exit state is module_finished and [1224661793] unbound[11166:0] debug: attempt DS match algo 5 keytag 28371 [1224661793] unbound[11166:0] debug: DS match digest ok, trying signature [1224661793] unbound[11166:0] debug: verify: wrong key for rrsig They tried last SVN and still without success. Wouter, could you take a look at this? I manually checked if everything is OK and it looks ok for my plain sight. Ondrej -- Ondřej Surý <ondrej at sury.org>