message is bogus, non secure rrset with Unbound as local caching resolver
he at uninett.no
Wed Mar 2 23:29:10 UTC 2016
>> The "right" thing is to have RRSIGs for all elements of the
>> answer and authority sections. This is mandated by
>> RFC4034,4035. All the RRsets in the answer and authority
>> section MUST validate to mark the response as valid.
> FYI, I've submitted a tentative bug report to the BIND maintainers
> based on my message and the one I'm replying to here, RT#41844.
And... They're not having it:
This is not a bug. Section 3.1.1 applies to authoritative nameservers
not intermediate caching nameservers. In this case you are seeing the
referral which is unsigned being returned from the cache.
More information about the Unbound-users