On Thu, Mar 02, 2017 at 01:35:41PM +0100, W.C.A. Wijngaards wrote: > What is happening is that the domain has both a signed parent and > unsigned child-zones co-hosted. Correct, and also missing glue records for the delegation from one to other, and the child zones happen to be the nameservers for both. > This confuses unbound's > dnssec-missing-response failover that starts to look for alternatives. > This takes a long time because of the timeouts because of the > non-responding servers. After a while it gets that no better > alternative exists, uses the unsigned response and this is correctly > insecure for DNSSEC. But these timeout could cause issues, I guess. What I see (from time to time) seems more than just transient timeouts. Anyway the domain has multiple configuration issues that its owners should resolve. If this brings to light something worth improving in unbound that'd be cool too, but so far so I've not identified any specific unbound problem. -- Viktor.