On 30.03.2011 14:54, Andreas Schulze wrote:
>> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
>> flag in responses.
> not here: (unbound-1.4.9)
>
> # unbound-host -C /etc/unbound/unbound.conf -v mixmaster.mixmin.net.
> mixmaster.mixmin.net. mail is handled by 10 snorky.mixmin.net. (insecure)

You're right. mixmin.net isn't chained from .net anymore (it used to
be). It's still listed in dlv.isc.org, that's where my resolver got the
trust chain from.

I notified the domain owner. He'll fix it soon. I was just curious why
mail to that domain still got delivered, even though the BIND resolver
logged lots of validation failures.

Hauke.