Hi The unbound.conf setting "harden-unverified-glue: yes" made me happy. The Additional Section of the delegation response from .net to tkix.net contains junk records intentionally included for experimental purposes. This occurs because .net does not clean up host information previously registered as glue. Accepting this Additional Section would be dangerous. With the recent new feature "harden-unverified-glue: yes," we can now eliminate this issue.
Note: Some domain names may become unresolvable. However, we should stop the harmful over-interpretation of Postel's Law. -- T.Suzuki
