nsec3 issue (sec_status_insecure) unbound 1.9.1

A. Schulze sca at
Sun Apr 28 13:37:30 UTC 2019

On 28.04.19 at 14:07, Stefan Kublinski via Unbound-users wrote:
> Hello,
> I have an issue with unbound 1.9.1.
> I am trying to get tlsa records from domain
> but this fails with unbound. DNSSEC validation tools report no issues
> with that domain though.
> query: $ dig -t tlsa @::1 +dnssec
> which yields NXDOMAIN and no tlsa records, but with Google Public DNS
> $ dig -t tlsa @ +dnssec
> I do get tlsa records with ad flag

Google DNS doesn't use qname minimization.

the nameserver for returns NXDOMAIN when I ask for
Then there can't be a

Only if you disable qname minimisation unbound will ask's nameserver
for "" (dotted hostname) and get an answer.

the nameserver for should get fixed:
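
Added example, not part of the original message and not unbound's code: a simplified model of the behaviour described in this reply, where an authoritative server that answers NXDOMAIN for an empty non-terminal hides a TLSA record from a resolver that uses qname minimisation. The zone `example.test`, its record names, the query type of the intermediate queries and the rule that NXDOMAIN on a minimised query is final are all assumptions of the model.

```python
# Constructed zone data; example.test is a placeholder, not the poster's domain.
ZONE = "example.test"
RECORDS = {
    "example.test": {"SOA", "NS"},
    "_25._tcp.mx.mail.example.test": {"TLSA"},
}

def authoritative(qname, qtype, ent_aware):
    """Toy authoritative server. Returns (rcode, has_answer)."""
    if qname in RECORDS:
        return ("NOERROR", qtype in RECORDS[qname])
    # An empty non-terminal owns no records but has names beneath it.
    is_ent = any(owner.endswith("." + qname) for owner in RECORDS)
    if is_ent and ent_aware:
        return ("NOERROR", False)   # correct answer: NODATA
    return ("NXDOMAIN", False)      # wrong for an ENT, right for a missing name

def resolve(qname, qtype, minimise, ent_aware):
    """Toy resolver. Returns (rcode, has_answer, queries_sent)."""
    labels = qname.split(".")
    zone_len = len(ZONE.split("."))
    sent = []
    if minimise:
        # Reveal one more label per query before sending the full name.
        # Intermediate qtype "A" is an assumption of this model.
        for n in range(zone_len + 1, len(labels)):
            partial = ".".join(labels[-n:])
            sent.append((partial, "A"))
            rcode, _ = authoritative(partial, "A", ent_aware)
            if rcode == "NXDOMAIN":
                # Model assumption: nothing exists below an NXDOMAIN name.
                return (rcode, False, sent)
    sent.append((qname, qtype))
    rcode, answered = authoritative(qname, qtype, ent_aware)
    return (rcode, answered, sent)

if __name__ == "__main__":
    name = "_25._tcp.mx.mail.example.test"
    for minimise in (True, False):
        for ent_aware in (False, True):
            rcode, answered, sent = resolve(name, "TLSA", minimise, ent_aware)
            print(f"minimise={minimise} ent_aware={ent_aware}: "
                  f"{rcode} answer={answered} after {len(sent)} queries")
```
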

