message is bogus, non secure rrset with Unbound as local caching resolver

Olav Morken olav.morken at
Thu Mar 3 07:58:02 UTC 2016

On Wed, Mar 02, 2016 at 16:58:38 +0000, Tony Finch wrote:
> Olav Morken via Unbound-users <unbound-users at> wrote:
> >
> >   info: validate(cname): sec_status_secure
> >   info: validate(positive): sec_status_secure
> >   info: message is bogus, non secure rrset NS IN
> >
> > As far as I can tell, the problem here is caused by extra NS-records in
> > the authority-section that do not include the RRSIG element for the
> > NS-records, but I can't really say that for certain.
> This sounds a lot like a problem we discussed last year. See

It looks similar, in that it is caused by extra records, but as far as I 
know there shouldn't be any DLV involved here. The is 
properly delegated from the parent zone.

I also tested with the most recent version from subversion trunk, which 
includes the fix mentioned in that thread, but got the same result.

> Does Unbound use CD=1 when forwarding? If so, it should expect to receive
> partially bogus answers and should handle them gracefully.

I checked, and it does set the CD-flag. The full dig command line to 
simulate the queries that Unbound sends appears to be:

  dig -4 +qr +noadflag +recurse +cdflag +bufsize=4096 +dnssec

I.e. the packets have the RD, CD and DO flags set.

I grabbed the output from dig yesterday evening. If anyone is curious, I 
uploaded it here:

Best regards,
Olav Morken
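
Added example, not part of the original message and not Unbound code: a Python check that reads dig-style output (as produced with +dnssec and +cdflag) and lists every RRset that arrives without a covering RRSIG in the same section, which is the condition suspected above for the NS records in the authority section. The sample response, the function name and all names in the data are constructed placeholders; the check only reports missing signatures and does not validate any.

```python
from collections import defaultdict

# Constructed dig-style response (not the poster's capture); placeholder names.
SAMPLE = """\
;; ANSWER SECTION:
www.example.org.   300 IN CNAME host.example.net.
www.example.org.   300 IN RRSIG CNAME 8 3 300 20160401000000 20160301000000 12345 example.org. c2ln
host.example.net.  300 IN A     192.0.2.10
host.example.net.  300 IN RRSIG A 8 3 300 20160401000000 20160301000000 54321 example.net. c2ln

;; AUTHORITY SECTION:
example.net.       300 IN NS    ns1.example.net.
example.net.       300 IN NS    ns2.example.net.
"""

def unsigned_rrsets(dig_text):
    """Return sorted (section, owner, type) for RRsets lacking a covering RRSIG."""
    rrsets = defaultdict(set)    # section -> {(owner, type)}
    covered = defaultdict(set)   # section -> {(owner, type covered by an RRSIG)}
    section = None
    for line in dig_text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[2:].split()[0]   # ANSWER / AUTHORITY / ADDITIONAL
            continue
        if not line or line.startswith(";") or section is None:
            continue                        # comments, question, OPT pseudo-RR
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, rtype = fields[0].lower(), fields[3].upper()
        if rtype == "RRSIG":
            # First rdata field of an RRSIG is the type it covers.
            covered[section].add((owner, fields[4].upper()))
        else:
            rrsets[section].add((owner, rtype))
    return sorted((sec, owner, rtype)
                  for sec, keys in rrsets.items()
                  for owner, rtype in keys
                  if (owner, rtype) not in covered[sec])

if __name__ == "__main__":
    for sec, owner, rtype in unsigned_rrsets(SAMPLE):
        print(f"{sec}: {owner} {rtype} has no RRSIG in this response")
```

An unsigned RRset is not automatically bogus (glue and records from insecure delegations are legitimately unsigned), so the output is a list of candidates to compare against the validator's log line.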
