message is bogus, non secure rrset with Unbound as local caching resolver

Olav Morken olav.morken at
Thu Mar 3 08:34:58 UTC 2016

On Wed, Mar 02, 2016 at 21:14:56 +0100, W.C.A. Wijngaards via Unbound-users wrote:
> However, I think it is not unreasonable to extend the compatibility
> code in Unbound for this.  The error that Olav quotes is simply
> Unbound enforcing that 'all RRsets MUST validate' rule, telling you
> which one failed.  The NS set is gratuitous though, in the answer,
> hence perhaps compatibility is an option.  Not so, for, say, NSEC or
> SOA RRs.

If the compatibility code can be extended, that would be great! The 
alternative at the moment seems to be to use less diversity in the 
upstream resolvers, but that is unfortunate from a reliability point of 

Best regards,
Olav Morken

More information about the Unbound-users mailing list