Hello. On 4.2.2015 01:51, Jan Včelák wrote: > I don't know why BIND is adding the NS into the answer. But I think this > is really a problem of BIND, as per > http://tools.ietf.org/html/rfc4035#section-3.1.1: > >> o When placing a signed RRset in the Authority section, the name >> server MUST also place its RRSIG RRs in the Authority section. >> The RRSIG RRs have a higher priority for inclusion than any other >> RRsets that may have to be included. If space does not permit >> inclusion of these RRSIG RRs, the name server MUST set the TC bit. The BIND developers claim, that the behavior of BIND is correct. The upstream resolver (BIND) has DLV disabled and therefore uses a subset of trust anchors my local resolver (Unbound) uses. And the zone is insecure from the BIND's point of view. Ignoring the fact, that BIND adds NS records into authority from no reason, omitting the NS RRSIGs is probably justifiable. Anyway, it would be great, if Unbound could strip non-essential records from the response before performing the validation. Best regards, Jan.