> But unbound is trying to set the AD flag in its reply. And thus it
> needs all the RRsets to be secure. Thus, the reply from the forwarder
> with CD flag becomes bogus.

Yes, I know unbound is trying to validate the answer. However, insisting that a recursor return all pertinent data required for validation of the response, especially with cd=1 set in the query, is unreasonable.

> I fixed it so that Unbound uses CD=0 to send queries to a forwarder.
> Unless a dnssec trust anchor exists above the qname, in which case CD=0
> is only attempted on the first query.

Not sure I understand what it means to have a "trust anchor exist above the qname", but otherwise I suspect and hope this will cure the problem.

> CD flag is still used on all queries to authorities.

Of course.

Regards,

- Håvard