On Sun, Jun 10, 2012 at 04:04:18PM -0700, David Benfell wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi Leen, > > On 06/10/12 14:07, Leen Besselink wrote: > > dig +norec +dnssec @126.96.36.199 . NS > > It's not a Mac. It's a Linode running Arch Linux. Here is what I get > from the above: Sorry for confusing your discussion with the other. That output looks fine to me. Linode ? My Linode got 2 nameservers assigned which support validated DNSSEC just fine. So maybe you don't even need Unbound ? Unless you distrust the network of course. Anyway, I think Jan-Piet Mens is on the right track. Please remove the forward-zone for '.' as a test. My guess is, it would start working. It is always easier to test small parts first. What is on the other side of dnscrypt ? OpenDNS ? Well, OpenDNS does not support DNSSEC.