Hello, I have an issue with unbound 1.9.1.
I am trying to get tlsa records from domain _25._tcp.do.havedane.net but this fails with unbound. DNSSEC validation tools report no issues with that domain though.

query:

$ dig -t tlsa _25._tcp.do.havedane.net @::1 +dnssec

which yields NXDOMAIN and no tlsa records, but with Google Public DNS

$ dig -t tlsa _25._tcp.do.havedane.net @8.8.4.4 +dnssec

I do get tlsa records with ad flag.

Excerpt from unbound log:

Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info: validator operate: query _25._tcp.do.havedane.net. TLSA IN
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] debug: NameError response failed nsec, nsec3 proof was sec_status_insecure
Apr 28 12:56:13 desktop unbound[17175]: [17175:0] info: validate(nxdomain): sec_status_insecure

But Google Public DNS and DNSSEC validation tools[1] have/report no issues though.

[1] https://dnssec-analyzer.verisignlabs.com/do.havedane.net and http://dnsviz.net/d/do.havedane.net/dnssec/

I have this issue with unbound 1.9.1 from Arch repo. With unbound 1.9.0 from Debian testing repo it works just fine (sec_status_secure).

So is this a bug with unbound 1.9.1 or do the others not validate properly?

Regards
Stefan