message is bogus, non secure rrset with Unbound as local caching resolver

Tony Finch dot at
Wed Mar 2 16:58:38 UTC 2016

Olav Morken via Unbound-users <unbound-users at> wrote:
>   info: validate(cname): sec_status_secure
>   info: validate(positive): sec_status_secure
>   info: message is bogus, non secure rrset NS IN
> As far as I can tell, the problem here is caused by extra NS-records in
> the authority-section that do not include the RRSIG element for the
> NS-records, but I can't really say that for certain.

This sounds a lot like a problem we discussed last year. See

As I said back then, I think it's wrong to discard the entire response if
parts of it are bogus. Unbound should keep the valid parts because it
knows there is nothing wrong with them.

Does Unbound use CD=1 when forwarding? If so, it should expect to receive
partially bogus answers and should handle them gracefully.

f.anthony.n.finch  <dot at>
Trafalgar: North 4 or 5. Slight or moderate, occasionally rough later in
north. Occasional rain. Good, occasionally moderate.

More information about the Unbound-users mailing list