Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Hauke Lampe
Wed Mar 30 15:04:15 CEST 2011

On 30.03.2011 14:54, Andreas Schulze wrote:

>> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
>> flag in responses.
> not here: (unbound-1.4.9)
> # unbound-host -C /etc/unbound/unbound.conf -v
> mail is handled by 10 (insecure)

You're right. isn't chained from .net anymore (it used to
be). It's still listed in, that's where my resolver got the
trust chain from. I notified the domain owner. He'll fix it soon.

I was just curious why mail to that domain still got delivered, even
though the BIND resolver logged lots of validation failures.

