How to force resolution failure of an unsigned domain
Sen Dion
sendion23-ux at yahoo.com
Wed Apr 5 04:22:06 UTC 2017
> Unfortunately that document is about an old version of DNSSEC, with KEY
> and SIG types. The new version of DNSSEC has DNSKEY and RRSIG rrs.
I went step-by-step through [4]. Is it good enough to describe the new
version of DNSSEC? If not, please point me to the relevant document.
Unfortunately, this document doesn't reveal the result of resolving
an unsigned name.
> It works differently. But can also find verifiable insecure points, by
> disproving the existence of DS records. This is done with NSEC (or
> NSEC3) records signed by the parent domain.
Please, help me to understand how things will play out in case an
insecure point is verifiably found. Will 'unbound' resolve a name
below this point? Will an application get the resolved name and
attempt to connect to it?
> Unbound does not have a way to prevent access to insecure names. Or
> make resolution failure. Because I think it is not needed.
Correct me if I am wrong. In case the answer returned to unbound
is retrieved from records located below an insecure point (in the hierarchy),
unbound will pass it to an application. In turn, the application
will be able to connect to the IP without suspecting that the IP is
bogus.
I am trying to present to our administrator the benefits of running
'unbound'. I am confident that the above revelation will not fly by
him. Will you help me to make a convincing argument?
References
----------
[4] "How DNSSEC Works"
https://www.cloudflare.com/dns/dnssec/how-dnssec-works
Thanks,
- Sen Dion
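The question above is whether a client can tell a validated answer apart from one that came from an unsigned (insecure) part of the tree. A validating resolver signals this in the DNS header: it sets the AD (Authenticated Data) flag on answers it has validated, leaves AD clear on answers from insecure zones, and returns SERVFAIL when validation fails (bogus). The following is an added example, not code from the thread or from the Unbound project; it constructs three DNS responses in wire format inline and classifies them by those header bits, then extracts the A record the way a naive application would. The names and addresses are constructed sample values.

```python
"""Classify DNS responses by DNSSEC validation status using header flags.

Added example, not from the mailing-list thread. It builds DNS responses
in wire format (constructed samples, no network needed) and reads the
flags a validating resolver such as unbound sets:
  - AD set and NOERROR      -> answer was validated ("secure")
  - AD clear and NOERROR    -> answer came from an unsigned zone ("insecure")
  - SERVFAIL                -> validation failed, or a plain server failure
"""
import struct

# Header flag bits (RFC 1035 / RFC 4035 section 3.2.3)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK, RCODE_NOERROR, RCODE_SERVFAIL = 0x000F, 0, 2
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode 'example.com.' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, addr, *, ad, rcode=RCODE_NOERROR, ttl=300, msg_id=0x1234):
    """Construct a minimal response to an A query, optionally with AD set."""
    flags = QR | RD | RA | rcode
    if ad:
        flags |= AD
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if rcode != RCODE_NOERROR:
        # Failure responses carry the question but no answer records.
        return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + question
    rdata = bytes(int(octet) for octet in addr.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", msg_id, flags, 1, 1, 0, 0) + question + answer


def parse_header(wire):
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
    }


def classify(wire):
    """Return 'secure', 'insecure' or 'bogus-or-failed' for a response."""
    header = parse_header(wire)
    if header["rcode"] == RCODE_SERVFAIL:
        # A validator returns SERVFAIL for bogus data, but so does any
        # broken server; the client cannot tell the two apart from RCODE.
        return "bogus-or-failed"
    return "secure" if header["ad"] else "insecure"


def skip_name(wire, off):
    """Advance past a name at `off`, handling a compression pointer."""
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += 1
        if length == 0:                # root label terminates the name
            return off
        off += length


def first_a_record(wire):
    """Return the first A record's dotted address, or None if there is none."""
    header = parse_header(wire)
    off = 12
    for _ in range(header["qdcount"]):
        off = skip_name(wire, off) + 4      # QTYPE + QCLASS
    for _ in range(header["ancount"]):
        off = skip_name(wire, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            return ".".join(str(b) for b in rdata)
    return None


# Constructed sample responses (documentation-range addresses, RFC 5737).
SAMPLES = {
    "secure": build_response("example.com.", "192.0.2.10", ad=True),
    "insecure": build_response("example.org.", "192.0.2.20", ad=False),
    "bogus": build_response("example.net.", "0.0.0.0", ad=False, rcode=RCODE_SERVFAIL),
}

if __name__ == "__main__":
    for label, wire in SAMPLES.items():
        print(f"{label:9s} -> {classify(wire):16s} A={first_a_record(wire)}")
```

The "insecure" case is exactly the one discussed above: the resolver hands back a perfectly usable address and the only signal is the absence of AD, which a client that does not inspect the header will never notice. Two caveats when applying this to a real stub: RFC 6840 section 5.7 recommends that a validator set AD only when the query carried the AD or DO bit, so a client must ask for it; and a client that sets CD in its query is telling the resolver to skip validation, so AD will not be set even for signed data.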