On 28/06/13 15:20, Phil Mayers wrote:
> On 28/06/13 14:47, Ehren Hawks wrote:
>
>> Their Unbound server fails just as mine do, but their BIND server
>> returns the A record. I’m reluctant to disable DNSSEC validation over
>> this one domain, considering there appears to be an actual problem.
>> Considering BIND as well as Google’s public DNS are validating this site
>> OK I figured it was worth bringing up.
>>
>> Any feedback is appreciated!
>
> It's working for me from here (bind 9.9, DNSSEC-validating). They might
> have fixed it - try flushing your cache or restarting unbound.
>

Just to add, it looks like they may have moved to NSEC3 recently. I've
seen big problems when sites do this - lots of people seem to forget
that changing key algorithms is a KSK rollover and comes with very tight
TTL constraints; I note the TTLs on the DNSKEY in-zone are 86400. I bet
they got over-keen and resigned too quickly.