Hello Robin, looks like we have an little issue using DNSSEC for bugs.gentoo.org, but not signing 339761.bugs.gentoo.org
`dig does-not-exist.bugs.gentoo.org @8.8.8.8` returns A record with AD flag. `dig 339761.bugs.gentoo.org @8.8.8.8` returns A record w/o AD flag Both work with local unbound resolver with forwarders removed. It looks like stale, unsigned entries. Did you change anything in the last n days? Or is the cache of 141.1.1.1 and 8.8.8.8 really compromised? How do you sign these wildcards anyway? Would be interested. Michael [1] http://domainincite.com/2361-dnssec-to-kill-the-isp-wildcard -- Michael Weber Gentoo Developer web: https://xmw.de/ mailto: Michael Weber <x...@gentoo.org>