MoinQ:

DNS/実装/unbound/1.6.1について、ここに記述してください。

https://www.unbound.net/documentation/unbound.conf.html

   harden-below-nxdomain: <yes or no>
              From RFC 8020 (with title "NXDOMAIN:  There  Really  Is  Nothing
              Underneath"),  returns  nxdomain  to  queries  for  a name below
              another name that is already known to be nxdomain.  DNSSEC  man-
              dates  noerror  for  empty nonterminals, hence this is possible.
              Very old software might return nxdomain for  empty  nonterminals
              (that  usually  happen for reverse IP address lookups), and thus
              may be incompatible with  this.   To  try  to  avoid  this  only
              DNSSEC-secure  nxdomains are used, because the old software does
              not have DNSSEC.  Default is off.  The nxdomain must be  secure,
              this means nsec3 with optout is insufficient.

harden-referral-path: <yes or no>