一个是做 DNSSEC 的
auto-trust-anchor-file: "/opt/etc/unbound/root.key"
一个是
use-caps-for-id: yes
开启这两个参数任意一个，如果转发的 DNS (若干)上游服务器稍有“不遵循规范”的就会返回空值：

wrong 0x20-ID in reply qname
......
Capsforid fallback: getting different replies, failed
......

具体没做细研究了！

Use 0x20-encoded random bits in the query to foil spoof
attempts. This perturbs the lowercase and uppercase of query
names sent to authority servers and checks if the reply still
has the correct casing. Disabled by default. This feature is
an experimental implementation of draft dns-0x20.