error (broken trust chain) resolving

Casey Deccio casey at
Mon Nov 15 20:47:42 UTC 2010

On Mon, Nov 15, 2010 at 6:31 AM, Casey Deccio <casey at> wrote:
> Well, I'm curious as to why you're not getting the AD bit set for the
> negative proof of existence for

After a review of NSEC3 showed that this particular behavior is
expected because org has been signed using NSEC3 with the opt-out bit
set.  RFC 5155, section 9.2:


More information about the bind-users mailing list