The domain souissi.net is in the ISC DLV registry. >From Unbound 1.2.0, I can get the MX or the SOA: % dig +dnssec MX souissi.net ... ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 9 ... But not the RRSIG: % dig +dnssec RRSIG souissi.net ... ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45731 ... BIND 9.5.1 has no problem getting the RRSIG