Hi Pieter, So if I read your question correctly you have - An authority server which has no delegation towards it. - your zone's NS records point to your unbound instance > However, I cannot find a way to expose *just* my stub-zone to the world, > without allowing global recursion at the same time. I just tried the following: server: ... local-zone: . refuse local-zone: unbound.net transparent ... forward-zone: name: "unbound.net" forward-addr: 22.214.171.124 forward-addr: 126.96.36.199 This would refuse any query not in the unbound.net zone. Does this work for you? Regards, Yuri Schaeffer -- Composed on an actual keyboard: all typos genuine.