Should we really validate with a revoked TA

Admittedly misconfigured, but unbound validates www.secure64.com when a revoked DNSKEY is used as a trust anchor, see attached unbound.conf.

Isn’t that a violation of 5011 section 2.1?

“Once the resolver sees the REVOKE bit, it MUST NOT use this key as a trust anchor or for any other purpose”

/Stephan

(attachments)

unbound.conf (335 Bytes)

I am not entirely sure how the unbound logic works. But it seems like this might be happening
because the trust anchor that is revoked (key tag 41992) comes in via DLV. But yes, technically,
this should be a ServFail.

I trust you will add logic to look up the DLV record before allowing one to finish a KSK rollover :)

Paul

DLV was not used so it couldn't really be the problem.

Even if it would, the key in DLV (41992) is still active and correct.
The revoked key is 35655 (was 35524 before it got revoked if I do the
math correctly).

I say that the parser is wrong to accept a key with flag 385 at all.

/S
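The two things argued over above, the key tag arithmetic for a revoked key and whether a parser should accept flags 385 as a trust anchor at all, can be checked with a few lines of code. The following is an added example, not code from the thread or from Unbound: it computes DNSKEY key tags per RFC 4034 Appendix B, sets the REVOKE bit (0x0080, RFC 5011 section 2.1) on a key, and refuses to load any configured anchor that carries that bit. The key material is constructed (64 deterministic bytes, not a real key), so the tags it prints are not the 35524/35655 pair from the thread, whose key is not on the page. Because revoking only changes the low byte of the flags field, a key's tag always rises by exactly 128, or 129 when the 16-bit fold carries.

```python
"""Added example (not from the thread or the Unbound project): compute DNSKEY
key tags and refuse to load a DNSKEY carrying the REVOKE bit as a trust anchor."""
import base64
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 2.1).
ZONE_KEY = 0x0100   # bit 7: key is a zone key
SEP      = 0x0001   # bit 15: secure entry point (operator hint)
REVOKE   = 0x0080   # bit 8: key has been revoked; MUST NOT be used as a trust anchor


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd offsets add the byte, even offsets add byte<<8
    ac += (ac >> 16) & 0xFFFF             # fold the carry back in
    return ac & 0xFFFF


def flags_of(rdata: bytes) -> int:
    return struct.unpack("!H", rdata[:2])[0]


def revoke(rdata: bytes) -> bytes:
    """Return the same key with the REVOKE bit set (what an RFC 5011 rollover publishes)."""
    return struct.pack("!H", flags_of(rdata) | REVOKE) + rdata[2:]


def is_revoked(rdata: bytes) -> bool:
    return bool(flags_of(rdata) & REVOKE)


def parse_dnskey_line(line: str):
    """Parse presentation format 'owner [class] DNSKEY flags proto alg base64...' into (owner, rdata)."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return tokens[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def load_trust_anchors(lines):
    """Split configured anchors into usable ones and ones that must be rejected.

    RFC 5011 section 2.1: once the REVOKE bit is seen, the key MUST NOT be used as a
    trust anchor or for any other purpose. This check does not depend on whether
    automated 5011 tracking is enabled for the name; the bit is rejected unconditionally.
    """
    accepted, rejected = [], []
    for line in lines:
        owner, rdata = parse_dnskey_line(line)
        entry = (owner, flags_of(rdata), key_tag(rdata))
        (rejected if is_revoked(rdata) else accepted).append(entry)
    return accepted, rejected


# Constructed sample key material (not a real DNSKEY): 64 deterministic bytes.
SAMPLE_PUBKEY = bytes(range(1, 65))
SAMPLE_B64 = base64.b64encode(SAMPLE_PUBKEY).decode()
SAMPLE_ANCHORS = [
    f"example. IN DNSKEY 257 3 8 {SAMPLE_B64}",   # KSK (ZONE_KEY|SEP), usable
    f"example. IN DNSKEY 385 3 8 {SAMPLE_B64}",   # same key with REVOKE set: 257 + 128
]

if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)
    print("tag before revoke:", key_tag(ksk), "after:", key_tag(revoke(ksk)))
    ok, bad = load_trust_anchors(SAMPLE_ANCHORS)
    print("accepted:", ok)
    print("rejected (revoked):", bad)
```

Run as a script it prints the constructed key's tag with and without the REVOKE bit and shows the 385-flag line landing in the rejected list. A resolver that applied `load_trust_anchors` to its static `trust-anchor:` entries would ServFail for the zone in Stephan's configuration instead of validating it.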

Hi Stephan,

This is because of the discussion on dnsext, where I am asking if this
is the spec?

Your configuration sets a fixed trust anchor (with revoke flag) without
enabling 5011 for that domain name. Thus unbound treats that flag just
like any other unknown flag (or like the SEP flag, that is, a hint for
operators).

If you had enabled 5011 for the domain it would have followed 5011 for
that revoke flag.

You think that 5011 applies to *all* domains? Also non-trustanchors?
This discussion could better be on namedroppers.

Best regards,
   Wouter