I tried the following:

    service unbound restart
    sudo unbound-control set_option val-permissive-mode: yes
    dig www.dnssec-failed.org

But that still gives a servfail. Sprinkling various flush_* options also did not seem to help.

Is this a bug or a feature? :)

Setting val-permissive-mode: yes in unbound.conf and restarting does work as expected.

Paul

ps. don't test this using dnssec-tools.org as test.dnssec-tools.org seems to have lost its DS record so all test domains are insecure and no longer bogus :P