On Wed, 1 Jul 2009, Harish Chandra wrote:

> Without DNSSec, forwarding is working fine. With DNSSec enabled (I am
> using DLV), forwarding fails when I forward my queries to a server that
> isn't dnssec enabled.
> The output from the log looks like this:
> [1246456813] unbound[7919:0] info: verify rrset <dlv.isc.org.. DNSKEY IN>
> [1246456813] unbound[7919:0] debug: rrset failed to verify due to a lack
> of signatures

Are you running trunk? There is a bug up to 1.3.0 that caused DLV to fail.

> The failure appears because of a signature mismatch. But why is
> validation taking place when the actual resolver can't talk dnssec? My
> config file looks like this:

It should fall back to non-secure. If your forwarder changes again to one
that does relay dnssec information, unbound drops the cache and uses the
validator again (If I understood Wouter correctly, I have not verified this
myself)

Paul