Upgrade to 9.6.2-P2, which addresses the following;

Named could return SERVFAIL for negative responses
   from unsigned zones.

contrib/bind9/CHANGES

@@ -1,3 +1,8 @@
+	--- 9.6.2-P2 released ---
+
+2876.	[bug]		Named could return SERVFAIL for negative responses
+			from unsigned zones. [RT #21131]
+
 	--- 9.6.2-P1 released ---
 
 2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]

contrib/bind9/lib/dns/api

@@ -1,3 +1,3 @@
 LIBINTERFACE = 56
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 1

contrib/bind9/lib/dns/validator.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.164.12.11.8.2 2010/02/25 10:57:12 tbox Exp $ */
+/* $Id: validator.c,v 1.164.12.11.8.3 2010/04/21 04:29:01 marka Exp $ */
 
 #include <config.h>
 
@@ -2961,7 +2961,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 	}
 		findnsec3proofs(val);
 
-	if (val->authcount == val->authfail)
+	if (val->authfail != 0 && val->authcount == val->authfail)
 		return (DNS_R_BROKENCHAIN);
 	validator_log(val, ISC_LOG_DEBUG(3),
 		      "nonexistence proof(s) not found");

contrib/bind9/version

@@ -1,4 +1,4 @@
-# $Id: version,v 1.43.12.8.2.3 2010/03/04 00:08:28 marka Exp $
+# $Id: version,v 1.43.12.8.2.4 2010/05/10 02:07:03 marka Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=6
 PATCHVER=2
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2