This was deliberately not enabled because the documentation contains a
warning about various incompatibilities with various other DNS servers.

Is there some sort of study saying that this can be safely enabled?

-Michael

On Sun, 2018-08-19 at 20:11 +0200, Peter Müller wrote:
> Attempt to detect DNS spoofing attacks by inserting 0x20-encoded
> random bits into upstream queries. Upstream documentation claims
> it to be an experimental implementation, it did not cause any trouble
> on productive systems here.
> 
> See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for
> further details.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
> ---
>  config/unbound/unbound.conf | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
> index fa2ca3fd4..8b5d34ee3 100644
> --- a/config/unbound/unbound.conf
> +++ b/config/unbound/unbound.conf
> @@ -59,7 +59,7 @@ server:
>  	harden-below-nxdomain: yes
>  	harden-referral-path: yes
>  	harden-algo-downgrade: no
> -	use-caps-for-id: no
> +	use-caps-for-id: yes
>  
>  	# Harden against DNS cache poisoning
>  	unwanted-reply-threshold: 5000000