Hello, Geoff --<br />
<br />
This is Michael McNally from ISC -- we met at DNS-OARC and briefly<br />
discussed a behavior you reported observing in BIND that was not acting<br />
as expected. &nbsp;I told you when I returned from travel after the conference<br />
that I would look into it and make sure the matter gets referred to the<br />
developers for action, so I am beginning by creating this ticket in our<br />
bug-tracking system to follow the issue.<br />
<br />
Excuse me while I first restate the issue to make sure I understand your report:<br />
<br />
As I understand it, while experimenting with BIND validation, you tested a<br />
case where BIND was asked to validate DNSSEC records signed with an<br />
unimplemented (actually bogus) cryptographic algorithm.<br />
<br />
In violation of expectation,&nbsp;you received an&nbsp;error response, whereas what<br />
BIND should be returning&nbsp;(by design) is an answer without validation flags set.<br />
Is that a fair summary?<br />
<br />
Michael McNally<br />
ISC Support