On Sat, Feb 07, 2015 at 04:24:33PM +0100, Jan V?el?k wrote: > The BIND developers claim, that the behavior of BIND is correct. > > The upstream resolver (BIND) has DLV disabled and therefore uses > a subset of trust anchors my local resolver (Unbound) uses. And the zone > is insecure from the BIND's point of view. > > Ignoring the fact, that BIND adds NS records into authority from no > reason, omitting the NS RRSIGs is probably justifiable. I think this is another good reason to stop using DLV. If unbound is updated to drop unsigned authority RRsets, care should be taken to not drop unsigned SOA RRs. From some nameservers I've seen replies with signed NSEC/NSEC3 records, and an unsigned SOA. Unbound correctly designates these as bogus. -- Viktor.