"domain-insecure" no longer necessary?

I have some dummy domains (not existing in the real public DNS) in my
unbound.conf, using "forward-zone". It seems to me that it was
necessary to add also "domain-insecure" for these domains when their
parent is signed.

But I just added a second-level domain of a signed TLD as
"forward-zone" and it worked fine without "domain-insecure".

Did anything change in the semantics of forward-zone?

Version 1.5.8
linked libs: libevent 2.0.22-stable (it uses epoll), OpenSSL 1.0.2h 3 May 2016
linked modules: dns64 validator iterator

Hi, Stephane

Isn't that TLD signed with NSEC3 Opt-Out?

a message of 20 lines which said:

Isn't that TLD signed with NSEC3 Opt-Out?

It's .io and, yes, it uses Opt-Out:

0dcnrnddcil4ucmvpbaekvtkjh1hud3v.io. 3600 IN NSEC3 1 1 5 E35770A11A (
                         0EC3N02EKQT2RUTJOS87A6A86AIILG4C
                    NS
                    DS
                    RRSIG
                    )

Hi,

  Opt-Out NSEC3 doesn't prove the existence or non-existence of an
_unsigned_ domain name (RFC 5155 12.2), so you don't need to set
'domain-insecure' for dummy names below an NSEC3 Opt-Out zone.

# .io and .com are signed with NSEC3 Opt-Out.
  forward-zone:
       name: "nonexistentname.io"
       forward-addr: 192.0.2.1
  forward-zone:
       name: "nonexistentname.com"
       forward-addr: 192.0.2.1

   You need to set 'domain-insecure' for dummy names below a
non-Opt-Out NSEC3 or NSEC-signed zone:

# biz and root zone are signed with NSEC.
  domain-insecure: "nonexistentname.biz"
  domain-insecure: "nonexistenttld"

  forward-zone:
       name: "nonexistentname.biz"
       forward-addr: 192.0.2.1

  forward-zone:
       name: "nonexistenttld"
       forward-addr: 192.0.2.1
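
The rule in the message above, as an added example (not code from the thread or from Unbound): it hashes a dummy name per RFC 5155, checks that a given parent NSEC3 record covers it, and reads the Opt-Out flag to decide whether 'domain-insecure' is needed. It assumes the dummy name is a direct child of the signed parent zone; the function names and the two sample records are constructed for illustration.

```python
import base64
import hashlib

# Map the RFC 4648 base32 alphabet to the base32hex alphabet used in NSEC3 owner names.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, as upper-case base32hex."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def parse_nsec3(rr_text):
    """Parse one NSEC3 record in presentation format (dig output, possibly multi-line)."""
    tok = rr_text.replace("(", " ").replace(")", " ").split()
    i = tok.index("NSEC3")
    return {
        "owner_hash": tok[0].split(".")[0].upper(),
        "opt_out": bool(int(tok[i + 2]) & 0x01),   # Opt-Out is the low bit of Flags
        "iterations": int(tok[i + 3]),
        "salt": tok[i + 4],
        "next_hash": tok[i + 5].upper(),
        "types": tok[i + 6:],
    }

def covers(rec, h):
    """True if hash h lies strictly between owner_hash and next_hash."""
    lo, hi = rec["owner_hash"], rec["next_hash"]
    return lo < h < hi if lo < hi else (h > lo or h < hi)  # last record wraps around

def needs_domain_insecure(dummy_name, rr_text):
    """Decide from the parent's covering NSEC3 whether domain-insecure is needed."""
    rec = parse_nsec3(rr_text)
    h = nsec3_hash(dummy_name, rec["salt"], rec["iterations"])
    if not covers(rec, h):
        raise ValueError("record does not cover %s (hash %s)" % (dummy_name, h))
    return not rec["opt_out"]

# Constructed records (not real zone data): one span wide enough to cover any hash.
OPT_OUT_RR = ("00000000000000000000000000000000.example. 3600 IN NSEC3 1 1 5 E35770A11A "
              "( VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV NS DS RRSIG )")
NO_OPT_OUT_RR = OPT_OUT_RR.replace("NSEC3 1 1 ", "NSEC3 1 0 ")
```

With a real zone, pass the NSEC3 record returned in the authority section of the parent's answer for the dummy name; a parent signed with plain NSEC always needs 'domain-insecure'.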

a message of 48 lines which said:

  Opt-Out NSEC3 doesn't prove the existence or non-existence of an
_unsigned_ domain name (RFC 5155 12.2);

Makes sense, thanks. (Note that BIND disagrees and cannot forward to a
zone if the parent is signed, even with opt-out.)