proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags?

dchilton+bind at bestmail.us
Tue May 10 02:32:40 UTC 2011


Hi.

My BIND 9.8.0-P1 server is DNSSEC-enabled, and signed zones are publishing
as DNSSEC-valid.

I have both internal and external views:

-- internal is authoritative and provides recursion for LAN clients
-- external serves only as an authoritative hidden-primary feeding
slaves via AXFR.

all good.

If I enable DNSSEC validation in the internal view, having imported the
trusted key for the root, then for known-good domains a 'dig domain.com'
returns DATA as expected, e.g.,

dig pir.org | egrep "IN.*A|;; flags"
	;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4,
	ADDITIONAL: 0
	;pir.org.                       IN      A
	pir.org.                75      IN      A       173.201.238.128

dig pir.org +dnssec | egrep "IN.*A|;; flags"
	;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5,
	ADDITIONAL: 1
	;pir.org.                       IN      A
	pir.org.                95      IN      A       173.201.238.128
	pir.org.                95      IN      RRSIG   A 5 2 300
	20110523085011 20110509085011 38939 pir.org.
	LLK3y1HXm3/F3Tvq/b/cW4jnQC6gxtYlalPhM28w3tUzo2wS482vaWQr
	RF1DBvGTUD4uADNidjaftjkch7b2H1b+e5V4o0xQml/WpqCW/VqgLgxI
	g/yIg9WhP1Ec8uvWG2Ojy0ZIM0JKBBfFFlIxZVYqCyrY8WittyUOFlwo O48=
	pir.org.                95      IN      RRSIG   NS 5 2 300
	20110523085011 20110509085011 38939 pir.org.
	yUKJARGNwBWKFTi1V1nU5x38vcQrYPSn86G5MzjyMBjUWwZ3zZ4E+OMz
	P8svjTEdwKd6ibQGAp7aVEcqE3ruCnioqaXCZJsjT6YCaTpIjUMmRvpj
	tZUByl11+aqfcJuvfTNOo2PFtzRDv46vAlbZFf74fAK4AwNQa42OZlZC WVc=

For known-bad domains, 'dig domain.com' hesitates for a bit, then returns
SERVFAIL -- no DATA.

dig www.adobe.com

	; <<>> DiG 9.8.0-P1 <<>> www.adobe.com
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26024
	;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
	ADDITIONAL: 0

	;; QUESTION SECTION:
	;www.adobe.com.                 IN      A

	;; Query time: 2948 msec
	;; SERVER: 10.10.10.100#53(10.10.10.100)
	;; WHEN: Mon May  9 12:21:28 2011
	;; MSG SIZE  rcvd: 31

My understanding was that a 'dig domain.com +dnssec' on a known-bad
domain would return DATA without the SERVFAIL, but it returns the same,
e.g.,

dig www.adobe.com +dnssec

	; <<>> DiG 9.8.0-P1 <<>> www.adobe.com +dnssec
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4667
	;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
	ADDITIONAL: 1

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags: do; udp: 4096
	;; QUESTION SECTION:
	;www.adobe.com.                 IN      A

	;; Query time: 69 msec
	;; SERVER: 10.10.10.100#53(10.10.10.100)
	;; WHEN: Mon May  9 12:21:32 2011
	;; MSG SIZE  rcvd: 42

Shouldn't the "+dnssec" case for known-bad be returning DATA?

Also, I'm unclear about the proper use for validation.  I *want* to
validate, but have the DATA nonetheless returned, with appropriate FLAGS
so that, e.g., Firefox + DNSSEC-extension can (1) resolve the domain,
and (2) 'report' the DNSSEC state in-browser.

The way things are working now, with validation enabled and NO DATA
returned, domains simply don't resolve at all -- and, of course, the
browser displays a failure.

Is my expected usage _not_ appropriate?

Thanks,

DCh
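The behaviour the post describes is what a validating resolver is specified to do (RFC 4035, section 4.9): a name whose signatures fail validation is "bogus" and is answered with SERVFAIL, regardless of whether the client set the DO bit, and the only way to get the unvalidated data back is to set the CD (checking disabled) bit, as `dig +cd` does. A client that wants both the data and a DNSSEC status indicator therefore has to do the work itself: query with DO set, and on SERVFAIL retry with CD set to tell "bogus" from an ordinary resolver failure. The following is an added example, not code from the original post or from BIND, showing that two-query classification applied to dig's text output. The pir.org response is modelled on the one in the post (with the RRSIG data shortened); the `bogus.example` name, its 192.0.2.10 address and the `dig_args` helper are assumptions constructed for the example.

```python
import re

# Constructed sample responses (not captured from the post's 10.10.10.100 server).
# RESP_SECURE mirrors the validated pir.org answer shown in the post: AD bit set.
RESP_SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; ANSWER SECTION:
pir.org.                95      IN      A       173.201.238.128
pir.org.                95      IN      RRSIG   A 5 2 300 20110523085011 20110509085011 38939 pir.org. LLK3...

;; Query time: 12 msec
"""

# An unsigned zone: NOERROR, data present, but no AD bit (no chain of trust).
RESP_INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
unsigned.example.       300     IN      A       192.0.2.20
"""

# Bogus name queried with DO set: the validating resolver answers SERVFAIL, no data.
RESP_BOGUS_DO = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

# Same bogus name queried with +cd: validation is skipped and the data comes back
# (address is a constructed TEST-NET value, not a real lookup).
RESP_BOGUS_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
bogus.example.          300     IN      A       192.0.2.10
"""


def dig_args(name, server="10.10.10.100", checking_disabled=False):
    """argv for the two queries the classifier needs (assumed helper; pass the
    result to subprocess.run(..., capture_output=True, text=True) for live use)."""
    args = ["dig", "@" + server, name, "A", "+dnssec"]
    if checking_disabled:
        args.append("+cd")          # ask the resolver to skip validation
    return args


def parse_dig(text):
    """Extract status, header flags and ANSWER SECTION lines from dig's text output."""
    m = re.search(r"status: ([A-Z]+)", text)
    if not m:
        raise ValueError("no status line in dig output")
    status = m.group(1)
    f = re.search(r"^;; flags: ([^;]*);", text, re.M)
    flags = set(f.group(1).split()) if f else set()
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break               # end of the section
            answers.append(line)
    return {"status": status, "flags": flags, "answers": answers}


def dnssec_state(resp_do, resp_cd=None):
    """Classify a name from the client's side, RFC 4035 style.

    resp_do: parsed 'dig +dnssec NAME' (DO set, CD clear).
    resp_cd: parsed 'dig +dnssec +cd NAME'; only consulted when resp_do is SERVFAIL.
    Returns 'secure', 'insecure', 'bogus', 'servfail' (CD retry not supplied),
    'failure' (SERVFAIL even with CD: resolver or network problem, not validation),
    or the lower-cased rcode for other answers such as NXDOMAIN.
    """
    if resp_do["status"] == "NOERROR":
        # AD is only set when the resolver validated the whole chain of trust.
        return "secure" if "ad" in resp_do["flags"] else "insecure"
    if resp_do["status"] != "SERVFAIL":
        return resp_do["status"].lower()
    if resp_cd is None:
        return "servfail"
    if resp_cd["status"] == "NOERROR" and "cd" in resp_cd["flags"]:
        return "bogus"              # data exists but failed validation
    return "failure"


def classify_all():
    """Run the classifier over the constructed samples; returns name -> state."""
    return {
        "pir.org": dnssec_state(parse_dig(RESP_SECURE)),
        "unsigned.example": dnssec_state(parse_dig(RESP_INSECURE)),
        "bogus.example": dnssec_state(parse_dig(RESP_BOGUS_DO), parse_dig(RESP_BOGUS_CD)),
        "dead-resolver": dnssec_state(parse_dig(RESP_BOGUS_DO), parse_dig(RESP_BOGUS_DO)),
    }


if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name:20s} {state}")
```

Note that this does not change what the resolver does: with validation enabled, a stub resolver in the OS (and therefore a browser using it) will still see SERVFAIL for bogus names, because it never sets CD. Returning the bogus data and leaving the verdict to the client is only possible when the client itself performs the CD retry, as above, or runs its own validator.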


