On Mon, Feb 28, 2011 at 05:07:05PM +0100, W.C.A. Wijngaards <wouter at NLnetLabs.nl> wrote a message of 64 lines which said: > Well, since below the optout stuff is not signed, it is true that > the NXDOMAIN is not fully secure, so I support the notion that > unbound should not give an AD flag. Do you plan to change the behaviour of Unbound? I ask it because we are developing monitoring tools and they rely on the presence/absence of the AD bit, that's why we were disturbed by the discrepancy between BIND and Unbound. > Example B.1 in RFC5155 is wrong, and it should be changed I let you report it at <http://www.rfc-editor.org/errata.php>, I'm not confident enough to do it.