-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Shahab, So, you can resolve, but no DNSSEC. > [1222713721] libunbound[27451:0] info: validate keys with > anchor(DNSKEY): sec_status_bogus > [1222713721] libunbound[27451:0] info: failed to prime trust anchor -- > could not fetch secure DNSKEY rrset <com. DNSKEY IN> > [1222713721] libunbound[27451:0] info: Could not establish validation > of INSECURE status of unsigned response. > com has address 192.168.1.2 (BOGUS (security failure)) So your server does not serve a signed zone. If you dig @192.168.1.2 com. DNSKEY +dnssec It should return DNSKEY and RRSIG records. The logs above tell me that RRSIGs are missing. Perhaps also the DNSKEY RRset is missing. If you use NSD - did you put the zone file 'com.signed' in the config? (not just "com"). If you use BIND - did you enable the dnssec options and load a signed zone? Best regards, Wouter -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkjh2F8ACgkQkDLqNwOhpPhW6QCgrP5tftnogIE7Q3jrpBQ28inN rUYAoKU+hxHhAgZ4p6Kp63J4wCXqLd0O =NFbE -----END PGP SIGNATURE-----