diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml
index a2f7f32ab..38743160d 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dnsbl.xml
@@ -36,4 +36,12 @@
trueList of domains to mark as private. You only need this for some DNSBL lists which resolve to private addresses.
+
+ unbound.miscellaneous.insecuredomain
+
+ select_multiple
+
+ true
+ List of domains to mark as insecure. DNSSEC chain of trust is ignored towards the domain name.
+
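Review bot: The help text on the new `unbound.miscellaneous.insecuredomain` field does not tell the administrator what they give up by adding an entry. As far as Unbound's `domain-insecure` semantics go, validation is skipped for the listed name and the names under it, so forged answers for those names are no longer detected. I would spell that out and steer the list towards the minimum, for example `List of domains to mark as insecure. DNSSEC validation is skipped for these domains and the names below them, so spoofed answers will not be detected; only list domains whose DNSSEC is known to be broken or that are unsigned internal zones.` The markup around the field is not visible on this page, so this concerns the wording only.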
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
index 7d9630219..dd622852f 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@@ -76,6 +76,9 @@
N
+
+ N
+
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/miscellaneous.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/miscellaneous.conf
index faa85e04e..2417cff58 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/miscellaneous.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/miscellaneous.conf
@@ -1,6 +1,11 @@
-{% if not helpers.empty('OPNsense.unboundplus.miscellaneous.privatedomain') %}
server:
+{% if not helpers.empty('OPNsense.unboundplus.miscellaneous.privatedomain') %}
{% for privatedomain in OPNsense.unboundplus.miscellaneous.privatedomain.split(',') %}
private-domain: {{ privatedomain }}
{% endfor %}
{% endif %}
+{% if not helpers.empty('OPNsense.unboundplus.miscellaneous.insecuredomain') %}
+{% for insecuredomain in OPNsense.unboundplus.miscellaneous.insecuredomain.split(',') %}
+domain-insecure: {{ insecuredomain }}
+{% endfor %}
+{% endif %}
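Review bot: The added `domain-insecure: {{ insecuredomain }}` line writes each comma-separated entry into Unbound's configuration unquoted and untrimmed, so a stray space, an empty element or a value carrying a line break would yield an invalid or unintended directive. Because every entry switches off DNSSEC validation for a name, the value is worth constraining: render it as `domain-insecure: "{{ insecuredomain|trim }}"` and check that the model field added in Unbound.xml validates entries as hostnames (its field type is not visible in that hunk on this page). The existing `private-domain` loop has the same shape and could get the same treatment. Moving `server:` outside the `if` means the clause is now emitted even when both lists are empty, which should be harmless but is worth confirming against a config check.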