>> The "right" thing is to have RRSIGs for all elements of the
>> answer and authority sections. This is mandated by
>> RFC4034,4035. All the RRsets in the answer and authority
>> section MUST validate to mark the response as valid.
>
> FYI, I've submitted a tentative bug report to the BIND maintainers
> based on my message and the one I'm replying to here, RT#41844.

And... They're not having it:

This is not a bug. Section 3.1.1 applies to authoritative nameservers
not intermediate caching nameservers. In this case you are seeing the
referral which is unsigned being returned from the cache.

Regards,

- Håvard