Jan Včelák <jan.vcelak at nic.cz> wrote:
>
> After inspecting responses from BIND and Unbound, I believe this is
> caused by BIND adding NS RRs without a RRSIG added into the authority
> section of the answer.
> I don't know why BIND is adding the NS into the answer. But I think this
> is really a problem of BIND, as per
> http://tools.ietf.org/html/rfc4035#section-3.1.1:
>
> > o When placing a signed RRset in the Authority section, the name
> >   server MUST also place its RRSIG RRs in the Authority section.
> >   The RRSIG RRs have a higher priority for inclusion than any other
> >   RRsets that may have to be included. If space does not permit
> >   inclusion of these RRSIG RRs, the name server MUST set the TC bit.

I think you are right it is a bug in BIND. I also think Unbound should
discard the incomplete RRset rather than failing to return a response.

It looks like the bug in BIND is due to a combination of an unsigned NS
RRset that came from a referral, and validation turned off. I can't
reproduce the bug with my validating resolvers with a normal query but it
does occur if I set the CD bit.

Are you going to send this in to bind9-bugs at isc.org or would you like
me to do it?

Tony.
-- 
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Viking, North Utsire: Northerly 5 or 6, decreasing 4, backing southwesterly
4 or 5 later. Rough, becoming moderate. Wintry showers, rain later. Mainly
good.
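
The handling suggested in the message above (drop an RRset that arrives without its RRSIG instead of failing the whole response), as an added example that is not code from the post, BIND, or Unbound. It assumes the section has already been rendered in dig presentation format and that every RRset in it is authoritative data of a signed zone; it checks only that a covering RRSIG is present, not that the signature validates. The sample records and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed samples in dig presentation format (the signature is dummy text).
SIGNED_AUTHORITY = """\
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20300101000000 20291201000000 12345 example.com. ZHVtbXk=
"""
UNSIGNED_AUTHORITY = """\
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
"""


def parse_rrs(text):
    """Yield (owner, class, type, rdata_fields, original_line) per record."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, rrclass, rrtype, *rdata = line.split()
        yield owner.lower(), rrclass.upper(), rrtype.upper(), rdata, line


def discard_incomplete(text):
    """Split a section into (kept_lines, dropped_rrset_keys).

    An RRset (owner, class, type) is kept only if the same section carries an
    RRSIG with that owner and class whose type-covered field names its type.
    RRSIGs whose covered RRset is absent are not kept either.
    """
    rrsets, sigs = defaultdict(list), defaultdict(list)
    for owner, rrclass, rrtype, rdata, line in parse_rrs(text):
        if rrtype == "RRSIG" and rdata:
            sigs[(owner, rrclass, rdata[0].upper())].append(line)
        else:
            rrsets[(owner, rrclass, rrtype)].append(line)
    kept, dropped = [], []
    for key, lines in rrsets.items():
        if key in sigs:
            kept.extend(lines + sigs[key])
        else:
            dropped.append(key)
    return kept, dropped
```
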