It would be nice if unbound were able to enforce "delegation-only" zones that contain only delegations and glue. This would be useful for the root zone and various TLDs. Otherwise, such zones can return apparently valid signed responses that should have been delegated to a child zone, but for some reason were not.

This feature is of course not urgent; it would be more useful if for various TLDs (and not just the root) it were feasible to "pin" the DNSKEY RRs via RFC 5011, and/or "transparency" of some kind were implemented for DNSSEC. Still, I think it would be useful to consider whether and when to include such a feature. I may of course not have thought this through properly, ...

Also, how would one configure unbound to use an auto-trust-anchor-file via RFC 5011 for a given gTLD or ccTLD?

--
Viktor.
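
The delegation-only check requested above, sketched as an added example (not part of the original message and not unbound code): a validator-side policy that flags any RRset signed by a delegation-only zone whose owner is below the apex and whose type is not DS, NSEC or NSEC3. The `SignedRRset` record, the function names and the sample data are hypothetical and constructed for illustration; the sketch assumes the covering RRSIG has already been cryptographically validated.

```python
# Added illustration, not unbound code. All names here are hypothetical.
from dataclasses import dataclass

# Types a delegation-only zone legitimately signs below its apex:
# DS at delegation points, plus NSEC/NSEC3 denial-of-existence records.
# Delegation NS RRsets and glue are not authoritative, so they carry no RRSIG.
ALLOWED_BELOW_APEX = {"DS", "NSEC", "NSEC3"}


@dataclass(frozen=True)
class SignedRRset:
    owner: str   # owner name of the RRset
    rrtype: str  # e.g. "A", "DS"
    signer: str  # Signer's Name field of the covering (already validated) RRSIG


def canon(name: str) -> str:
    """Lower-case and drop the trailing dot; the root zone becomes ''."""
    return name.rstrip(".").lower()


def violates_delegation_only(rrset: SignedRRset, zones) -> bool:
    """True if a delegation-only zone signed data it should have delegated."""
    signer = canon(rrset.signer)
    if signer not in {canon(z) for z in zones}:
        return False  # signed by a zone the policy does not cover
    if canon(rrset.owner) == signer:
        return False  # apex data (SOA, NS, DNSKEY, ...) is always legitimate
    return rrset.rrtype.upper() not in ALLOWED_BELOW_APEX


def audit(rrsets, zones):
    """Return the RRsets a resolver enforcing the policy would reject."""
    return [r for r in rrsets if violates_delegation_only(r, zones)]


# Constructed sample answers, with "." and "com." configured delegation-only.
DELEGATION_ONLY = [".", "com."]
SAMPLE = [
    SignedRRset("com.", "DNSKEY", "com."),                # apex data
    SignedRRset("example.com.", "DS", "com."),            # secure delegation
    SignedRRset("www.example.com.", "A", "example.com."), # signed by the child
    SignedRRset("www.example.com.", "A", "com."),         # parent answered for child
    SignedRRset("org.", "MX", "."),                       # root answered for a TLD
]

if __name__ == "__main__":
    for r in audit(SAMPLE, DELEGATION_ONLY):
        print(f"reject: {r.owner} {r.rrtype} signed by {r.signer}")
```

A TLD that publishes ordinary records below its own apex would trip this check, so such a zone would have to be left out of the delegation-only list.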