Olav Morken via Unbound-users <unbound-users at unbound.net> wrote: > > info: validate(cname): sec_status_secure > info: validate(positive): sec_status_secure > info: message is bogus, non secure rrset uninett.no. NS IN > > As far as I can tell, the problem here is caused by extra NS-records in > the authority-section that do not include the RRSIG element for the > NS-records, but I can't really say that for certain. This sounds a lot like a problem we discussed last year. See https://unbound.net/pipermail/unbound-users/2015-February/003757.html As I said back then, I think it's wrong to discard the entire response if parts of it are bogus. Unbound should keep the valid parts because it knows there is nothing wrong with them. Does Unbound use CD=1 when forwarding? If so, it should expect to receive partially bogus answers and should handle them gracefully. Tony. -- f.anthony.n.finch <dot at dotat.at> http://dotat.at/ Trafalgar: North 4 or 5. Slight or moderate, occasionally rough later in north. Occasional rain. Good, occasionally moderate.