Stephane Bortzmeyer wrote:
>> % dig MX se.
>>
>> ; <<>> DiG 9.5.1-P3 <<>> MX se.
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28196
>
> The log says:
> [...]
> Oct 12 23:22:56 batilda unbound: [16214:0] debug: verify: signature
> mismatch
> Oct 12 23:22:56 batilda unbound: [16214:0] info: validator: response
> has failed AUTHORITY rrset: <se. SOA IN>
> Oct 12 23:22:56 batilda unbound: [16214:0] info: Validate: message
> contains bad rrsets

BIND says about the same:

| Oct 13 00:04:29 pope named[2843]: validating @0xb50c0030: se SOA: no valid signature found

Yet it still returns an answer without AD flag:

~$ dig +dnssec -t mx se

; <<>> DiG 9.7.0a3 <<>> +dnssec -t mx se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19619
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;se. IN MX

;; AUTHORITY SECTION:
se. 3600 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211 1800 1800 2419200 7200
se. 3600 IN RRSIG SOA 5 1 172800 20091019014636 20091012162314 12075 se. nZovZAGx5M4r1o7RXrzJJ+IEfax27GlPnaza0psSvJAY4q5xbF9SrfaB PplG+t2FjjQv3IXT5+C6I7RmQ1R2wrApWGcj/CmQyTig/+sqlC4sBzTl os73ZbLWWcXWctk5lB9Yg/+qaK/BYYPYrHkH/kDu5g20REcA9QUUexwx 3aE=
[...]

dnssec-validation is enabled and se.dlv.isc.org holds DLV records for
current se DNSKEYs. It should return SERVFAIL, I think.

Hauke.
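A check for the two outcomes compared in this message, as an added example that is not part of the original post and not code from Unbound or BIND: it reads `dig` output and separates a refused answer (SERVFAIL), a validated one (AD set), and signed data handed back with no AD bit. The function name, result labels and sample strings are assumptions made for the example.

```python
import re

# Constructed samples, abbreviated from the dig output quoted in the message.
# The RRSIG signature is a placeholder and the "validated" case is invented.
SERVFAIL_SAMPLE = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28196\n"
NOERROR_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19619
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
se. 3600 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2009101211 1800 1800 2419200 7200
se. 3600 IN RRSIG SOA 5 1 172800 20091019014636 20091012162314 12075 se. PLACEHOLDER=
"""
VALIDATED_SAMPLE = NOERROR_SAMPLE.replace("flags: qr rd ra;", "flags: qr rd ra ad;")

HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
# Header flags line only; the EDNS "flags: do" line starts with a single ';'.
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)
RRSIG_RE = re.compile(r"\sIN\s+RRSIG\s")


def classify_dig(text):
    """Return a label (hypothetical names) for one dig response."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no dig header found")
    status = header.group(1)
    flags_line = FLAGS_RE.search(text)
    flags = set(flags_line.group(1).split()) if flags_line else set()

    if status == "SERVFAIL":
        return "blocked"              # resolver refused to hand out the data
    if "cd" in flags:
        return "checking-disabled"    # client asked the resolver not to validate
    if "ad" in flags:
        return "validated"            # resolver vouches for the answer
    if RRSIG_RE.search(text):
        # Signed data without AD: either no trust anchor covers the zone,
        # or validation failed and the data was returned anyway. Needs review.
        return "signed-but-unvalidated"
    return "insecure"


if __name__ == "__main__":
    for name, sample in [("unbound", SERVFAIL_SAMPLE), ("bind", NOERROR_SAMPLE)]:
        print(name, classify_dig(sample))
```
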