> It looks to me like your example, freebsd.org, is insecure.

Yes, I agree freebsd.org is insecure, but I still want to be able to resolve it :-)

.org is signed with NSEC3 and (I think, but could be misremembering) is using opt-out. org is registered in DLV, so BIND still has to do some work to verify that nothing is amiss with the (insecure) delegation. If it can't verify that it is correct for freebsd.org to be insecure then it would be correct for it to fail resolution.

As I say, the failures are intermittent - sometimes freebsd.org resolves fine - sometimes it fails. I don't think this is specific to freebsd.org, and probably not even to .org - .org is just one of the higher-profile DNSSEC-signed TLDs.

-roy

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
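
The check a validator has to make for an insecure delegation under NSEC3 opt-out, as an added example that is not part of the original message and is not BIND's code: it computes the RFC 5155 NSEC3 hash of the child name and tests whether an opt-out NSEC3 record covers it. The function names and the dict layout are assumptions; the sample record and parameters are from the RFC 5155 Appendix A example zone, and RRSIG verification and the closest-encloser match are assumed to be done elsewhere.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), which NSEC3 uses.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical (lower-case) DNS wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` extra rounds."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()

def covers(owner_hash, next_hash, target):
    """True if target falls strictly inside the owner..next span of the hash chain."""
    if owner_hash < next_hash:
        return owner_hash < target < next_hash
    return target > owner_hash or target < next_hash  # last record wraps around

def insecure_delegation_proven(child, nsec3):
    """Does this (already signature-verified) NSEC3 justify an unsigned child?"""
    h = nsec3_hash(child, nsec3["salt"], nsec3["iterations"])
    if h == nsec3["owner"]:
        # Matching record: the delegation exists and must show NS without DS.
        return "NS" in nsec3["types"] and "DS" not in nsec3["types"]
    # No matching record: only an opt-out span covering the hash allows it.
    return nsec3["opt_out"] and covers(nsec3["owner"], nsec3["next"], h)

# NSEC3 record from the RFC 5155 Appendix A example zone (opt-out flag set).
SAMPLE_NSEC3 = {
    "owner": "35mthgpgcu1qg68fab165klnsnk3dpvl",
    "next": "b4um86eghhds6nea196smvmlo4ors995",
    "salt": "aabbccdd", "iterations": 12,
    "opt_out": True, "types": {"NS", "DS", "RRSIG"},
}

if __name__ == "__main__":
    print(nsec3_hash("c.example", "aabbccdd", 12))
    print(insecure_delegation_proven("c.example", SAMPLE_NSEC3))
```

If no verified NSEC3 record satisfies this check, the validator has no proof that the child may be unsigned, which is the case where failing resolution is the correct outcome.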