I have some dummy domains (not existing in the real public DNS) in my unbound.conf, using "forward-zone". It seems to me that it was necessary to add also "domain-insecure" for these domains when their parent is signed.
But I just added a second-level domain of a signed TLD as "forward-zone" and it worked fine without "domain-insecure". Did anything change in the semantics of forward-zone? Version 1.5.8 linked libs: libevent 2.0.22-stable (it uses epoll), OpenSSL 1.0.2h 3 May 2016 linked modules: dns64 validator iterator
