* Viktor Dukhovni: > It would be nice if unbound were able to enforce "delegation-only" > zones that contain only delegations and glue. This would be useful > for the root zone and various TLDs. Otherwise, such zones can > return apparently valid signed responses that should have been > delegated to a child zone, but for some reason were not. There are very few strictly-delegation-only zones, and zones change there status over time, so this feature seems fairly risky. The ISC recommendations for BIND make recursors subject to denial-of-service attacks that prevent name resolution for entire TLDs.