On Thu, Dec 14, 2017 at 02:21:15PM +1000, Sebastian Schmidt wrote:

> I've unbound setup on FreeBSD 11.1 and I can't figure out why "drill
> www.wilda.nsec.0skar.cz" gives SERVFAIL. The domain is from this
> (http://0skar.cz/dns/en) test site where it reports three failures (2a,
> 2b and 4). Any help would be appreciated.

The zone's signatures are weird:

    $ unbound-host -f /usr/local/etc/unbound/root.key -v www.wilda.nsec.0skar.cz
    ...
    validation failure <www.wilda.nsec.0skar.cz. A IN>: signature inception after expiration from 2001:1528:132:70::1 for key nsec.0skar.cz. while building chain of trust
    ...

    $ dig +noall +ans +nocl +nottl +nosplit +cd +dnssec -t a www.wilda.nsec.0skar.cz
    www.wilda.nsec.0skar.cz. CNAME flexi.oskarcz.net.
    www.wilda.nsec.0skar.cz. RRSIG CNAME 10 5 300 20800101000000 20140130121330 28887 nsec.0skar.cz. ...
    flexi.oskarcz.net. A 220.127.116.11
    flexi.oskarcz.net. RRSIG A 10 3 3600 20180108024403 20171209024403 31880 oskarcz.net. ...

Note the RRSIG dates for the CNAME:

    Inception:  20140130121330
    Expiration: 20800101000000

Perhaps unbound is comparing these as 32-bit timestamps. Just under
66 years is an impressive validity range, if intentional.

-- 
    Viktor.
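
An added illustration, not part of the original message and not Unbound's code: the two RRSIG dates quoted above, compared as plain integers, as signed 32-bit values, and with the RFC 1982 serial number arithmetic that RFC 4034 specifies for these 32-bit fields. The function names are hypothetical.

```python
from datetime import datetime, timezone


def rrsig_time(text):
    """Convert the YYYYMMDDHHmmSS presentation form to seconds since the epoch (UTC)."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def as_int32(value):
    """Reinterpret the low 32 bits of value as a signed two's-complement integer."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def serial_gt(a, b):
    """RFC 1982 comparison with SERIAL_BITS = 32: True if a is 'greater than' b."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    half = 1 << 31
    return (a < b and b - a > half) or (a > b and a - b < half)


def inception_after_expiration(inception, expiration):
    """Evaluate 'inception after expiration' under three interpretations.

    Returns a dict keyed by interpretation name (names are hypothetical).
    """
    inc = rrsig_time(inception)
    exp = rrsig_time(expiration)
    return {
        "plain": inc > exp,                          # wide integers, no wraparound
        "signed32": as_int32(inc) > as_int32(exp),   # values >= 2**31 turn negative
        "serial": serial_gt(inc, exp),               # RFC 1982 serial arithmetic
    }


if __name__ == "__main__":
    # Dates taken from the CNAME RRSIG quoted in the message.
    INCEPTION = "20140130121330"
    EXPIRATION = "20800101000000"
    print("inception  =", rrsig_time(INCEPTION))
    print("expiration =", rrsig_time(EXPIRATION),
          "-> as int32:", as_int32(rrsig_time(EXPIRATION)))
    for name, result in inception_after_expiration(INCEPTION, EXPIRATION).items():
        print(f"{name:9s} inception after expiration: {result}")
```

The expiration lies past 2^31 seconds, so it becomes negative only in the signed 32-bit reading; the interval between the two dates is still shorter than 2^31 seconds, which keeps the serial-arithmetic ordering intact.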