Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> > I think this is another good reason to stop using DLV.

This is not just a DLV problem: it can occur for any validator which has
trust anchors for parts of the namespace for which its upstream recursive
server does not.

> If unbound is updated to drop unsigned authority RRsets, care should
> be taken to not drop unsigned SOA RRs. From some nameservers I've
> seen replies with signed NSEC/NSEC3 records, and an unsigned SOA.
> > Unbound correctly designates these as bogus.

Bogosity should be per-RRset not per-answer. (Though in the case of
nonexistent RRsets you may need multiple NSEC/NSEC3 RRsets to prove
nonexistence; in that case bogosity applies to each RRset individually
and to the proof as a whole. If there is other gubbins in the answer, that
does not affect your ability to demonstrate you got a good answer to the
question you asked.)

Tony.
-- 
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Humber, Thames: Northwesterly 4 or 5, occasionally 6 in east. Moderate,
occasionally rough in east. Mainly fair. Moderate or good.