Hi Andreas, On 08-03-18 21:29, A. Schulze via Unbound-users wrote: > - Aggressive use of NSEC is not so transparent to me. > unsure, what I really may expect here. Under which conditions is this active? When this option is enabled Unbound will try to use cached NSEC records to generate an NXDOMAIN, NODATA or wildcard answer. See RFC8198. -- Ralph