On Mon, May 30, 2016 at 09:18:59AM +0200, W.C.A. Wijngaards wrote:

> If secure and bogus are both not set, the message is 'insecure', i.e. it
> was not dnssec signed.

Also SERVFAIL, FORMERR, NOTIMP, ... are neither secure nor insecure.

DNSSEC Security status only applies to a response RRset or denial of
existence of that RRset. The only response codes for which the
secure/insecure distinction applies are:

    NOERROR
    NXDOMAIN
    NODATA (NOERROR + ANCOUNT = 0)

All other error codes don't distinguish between signed and unsigned
zones, all we know is that the lookup failed (misconfiguration, DoS,
MiTM, ...).

This is important in opportunistic DANE TLS, see:

    https://tools.ietf.org/html/rfc7672#section-2.1

There I make the case that non-bogus NOERROR, NODATA and NXDOMAIN are
not errors, while bogus responses and all other response codes are
lookup errors.

--
	Viktor.
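The distinction the message draws is easy to get wrong in a DANE client: a resolver result with neither the secure nor the bogus flag set is only "insecure" when the response is NOERROR, NODATA or NXDOMAIN; a SERVFAIL with both flags clear is a lookup error, and treating it as "unsigned zone" would silently downgrade authenticated TLS to opportunistic TLS. The following is an added example, not code from the message or from any resolver library. It models a validating resolver's answer with four fields (`rcode`, `ancount`, `secure`, `bogus`); those field names and the `Result` type are an assumption, chosen to resemble what validating-resolver APIs typically expose. It shows the naive "neither flag set means insecure" classification beside the rule the message states, and maps the result onto the RFC 7672 section 2.1 outcome.

```python
"""Classify a validating resolver's answer into secure / insecure / bogus /
lookup error, following the rule in the message above (RFC 7672 s2.1).

Added example, not code from the original message or any resolver library.
The Result fields (rcode, ancount, secure, bogus) are an assumption.
"""
from dataclasses import dataclass
from enum import Enum

# DNS RCODE values (RFC 1035)
NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP, REFUSED = 0, 1, 2, 3, 4, 5


class Status(Enum):
    SECURE = "secure"              # validated RRset, or validated denial of existence
    INSECURE = "insecure"          # provably unsigned: no DANE, opportunistic TLS only
    BOGUS = "bogus"                # validation failed: a lookup error, not "unsigned"
    LOOKUP_ERROR = "lookup-error"  # SERVFAIL, FORMERR, NOTIMP, ...: nothing known


@dataclass(frozen=True)
class Result:
    """Constructed stand-in for a resolver library's result object (assumed shape)."""
    rcode: int
    ancount: int          # answer RR count; NOERROR with ancount == 0 is NODATA
    secure: bool = False  # resolver validated the response
    bogus: bool = False   # resolver found the response bogus


def response_kind(r: Result) -> str:
    """Name the response: NOERROR, NODATA (NOERROR + ANCOUNT = 0), NXDOMAIN, or other."""
    if r.rcode == NXDOMAIN:
        return "NXDOMAIN"
    if r.rcode == NOERROR:
        return "NODATA" if r.ancount == 0 else "NOERROR"
    return f"RCODE={r.rcode}"


def naive_status(r: Result) -> Status:
    """The shortcut the quoted text describes: neither flag set => 'insecure'.
    This mislabels a SERVFAIL (or FORMERR, NOTIMP, ...) as an unsigned zone."""
    if r.secure:
        return Status.SECURE
    if r.bogus:
        return Status.BOGUS
    return Status.INSECURE


def dane_status(r: Result) -> Status:
    """The rule from the message: only NOERROR, NODATA and NXDOMAIN carry a
    secure/insecure distinction; bogus responses and every other rcode are
    lookup errors, whatever the flags say."""
    if r.bogus:
        return Status.BOGUS
    if response_kind(r) not in ("NOERROR", "NODATA", "NXDOMAIN"):
        return Status.LOOKUP_ERROR
    return Status.SECURE if r.secure else Status.INSECURE


def tlsa_decision(r: Result) -> str:
    """Map a TLSA lookup result onto the opportunistic DANE TLS outcome (simplified)."""
    s = dane_status(r)
    if s is Status.SECURE:
        # A validated answer with records means DANE applies; a validated
        # NODATA/NXDOMAIN means the zone is signed but publishes no TLSA.
        return "use TLSA" if response_kind(r) == "NOERROR" else "no TLSA: opportunistic TLS"
    if s is Status.INSECURE:
        return "unsigned: opportunistic TLS"
    # Bogus or a lookup error: the client learned nothing about the zone, so
    # the message should be deferred rather than delivered without DANE.
    return "lookup error: defer"


if __name__ == "__main__":
    servfail = Result(rcode=SERVFAIL, ancount=0)          # constructed: both flags clear
    print("SERVFAIL naive :", naive_status(servfail).value)
    print("SERVFAIL correct:", dane_status(servfail).value, "->", tlsa_decision(servfail))
```

Run stand-alone, the script shows the SERVFAIL case classified as "insecure" by the naive check and as "lookup-error" (deferred) by the rule in the message; the same `Result` with `secure=True` and `rcode=NOERROR` yields "use TLSA".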