Date: Wed, 17 Mar 2010 20:08:50 +0100
From: "W.C.A. Wijngaards" <wouter at nlnetlabs.nl>

> The issue is simply that dnssec-tools.org does not have a secure
> delegation from .org, the DS is not returned by the .org servers:
>
>     dig @d0.org.afilias-nst.org. dnssec-tools.org +dnssec

Thanks. I see that this is spelled out precisely in RFC 4033 in the
definitions of `insecure' and `bogus'. If I put dnssec-tools.org's DNSKEY
among Unbound's trust anchors, I get SERVFAIL as expected.

> I would advise you to install a cron job to pull the anchors.mf and
> update it. A script that does so and checks the PGP signature is in the
> unbound source tarball contrib/update-itar.sh :-)

Yep, I planned to do that once I got Unbound behaving as I expect.

> This makes sure that you have the latest trust anchors, otherwise they
> go stale and things stop working next year.

Next year? Isn't the root zone supposed to be signed in July, at which
point the IANA ITAR will turn into a pumpkin?
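The distinction the thread turns on (a delegation is "secure" only when the parent publishes a DS that matches one of the child's DNSKEYs; no DS at all makes the child "insecure"; a DS that no child key backs makes it "bogus") can be checked offline from the records themselves. The following is an added example in Python, not code from the post, from Unbound, or from contrib/update-itar.sh. It computes DS digests and key tags as specified in RFC 4034 and parses/prints master-file DS lines of the kind a trust-anchor file holds. The DNSKEY material, owner name usage and DS lines below are constructed for illustration (the two-byte "public key" is a placeholder, not a real key), signature (RRSIG) validation is out of scope, and the "insecure" verdict assumes the parent's signed denial of the DS has already been validated.

```python
"""Classify a delegation from the parent's DS set and the child's DNSKEY set.

Added example; not from the Unbound project or the mailing-list post.
All key material below is constructed for illustration only.
"""
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root 0."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for all algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS the parent would publish for this key: (key tag, algorithm, digest type, digest).
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], digest_type, digest


def classify_delegation(owner: str, parent_ds_set: list, child_dnskeys: list) -> str:
    """'insecure' when the parent publishes no DS (its signed denial assumed validated),
    'secure' when some DS matches a child DNSKEY, otherwise 'bogus' (a DS exists but
    no child key backs it). RRSIG checking is out of scope here."""
    if not parent_ds_set:
        return "insecure"
    for ds in parent_ds_set:
        if ds[2] not in DIGEST_ALGS:
            continue  # unsupported digest type: this DS cannot be used
        for rdata in child_dnskeys:
            if ds_from_dnskey(owner, rdata, ds[2]) == ds:
                return "secure"
    return "bogus"


def format_ds_line(owner: str, ds: tuple) -> str:
    """Master-file DS line, the form a trust-anchor file uses."""
    tag, alg, dtype, digest = ds
    return f"{owner.rstrip('.')}. IN DS {tag} {alg} {dtype} {digest.hex().upper()}"


def parse_ds_line(line: str) -> tuple:
    """Parse 'owner [TTL] [IN] DS tag alg dtype hexdigest' into (owner, ds tuple)."""
    fields = line.split(";")[0].split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = bytes.fromhex("".join(fields[i + 4:]))  # digest may be split over fields
    return fields[0], (tag, alg, dtype, digest)


def main() -> None:
    owner = "dnssec-tools.org"
    # Constructed KSK: flags 257 (SEP), protocol 3, algorithm 8, placeholder key bytes.
    ksk = dnskey_rdata(257, 3, 8, b"\x01\x02")
    ds = ds_from_dnskey(owner, ksk)
    print(format_ds_line(owner, ds))
    print("no DS at parent  ->", classify_delegation(owner, [], [ksk]))
    print("matching DS      ->", classify_delegation(owner, [ds], [ksk]))
    other = dnskey_rdata(257, 3, 8, b"\x01\x03")
    print("DS, wrong key    ->", classify_delegation(owner, [ds], [other]))


if __name__ == "__main__":
    main()
```

Run as-is, it prints the constructed DS line and the three verdicts; to check a real delegation you would feed `parent_ds_set` with the DS records obtained from the parent's servers and `child_dnskeys` with the child's DNSKEY RDATA.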