Maintained by: NLnet Labs

message is bogus, non secure rrset with Unbound as local caching resolver

Havard Eidnes
Thu Mar 3 00:29:10 CET 2016


>> The "right" thing is to have RRSIGs for all elements of the
>> answer and authority sections.  This is mandated by
>> RFC4034,4035.  All the RRsets in the answer and authority
>> section MUST validate to mark the response as valid.
> 
> FYI, I've submitted a tentative bug report to the BIND maintainers
> based on my message and the one I'm replying to here, RT#41844.

And... They're not having it:

  This is not a bug.  Section 3.1.1 applies to authoritative nameservers
  not intermediate caching nameservers.  In this case you are seeing the
  referral which is unsigned being returned from the cache.

Regards,

- Håvard