On Mon, 28 Jun 2010, Papp Tamás wrote: >> stub-zone: >> name:"ca." >> stub-prime:"no" >> stub-addr:192.228.22.190 >> stub-addr:192.228.22.189 >> >> Now instead of using the NS records in the root zone that point to ca. >> unbound >> will use these two addresses instead. > > Yes, I understand this. I don't unserstand the difference between > stub-prime:"no" and stub-prime:"yes". It's to override the DNSSEC signed NS servers for the domain. With a shadow tree, when signing a production zone and serving it on non-production name servers, the NS records for the zone are wrong, and your dnssec signed NS set would point to production instead of the shadow servers. This is the override. Paul