diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
index 456af5040..99634be82 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
@@ -33,6 +33,16 @@
If this is disabled and no DNSSEC data is received, then the zone is made insecure.
+
+ unbound.advanced.aggressivensec
+
+ checkbox
+
+ Enable RFC8198-based aggressive use of the DNSSEC-Validated cache.
+ Helps to reduce the query rate towards targets but may lead to false negative responses
+ if there are errors in the zone config.
+
+ unbound.advanced.qnameminstrict
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
index 0b962e878..fdc6922a3 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@@ -1,7 +1,7 @@
//OPNsense/unboundplusUnbound configuration
- 1.0.8
+ 1.0.9
@@ -61,6 +61,10 @@
+
+ Y
+ 1
+
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
index 360351c88..bb2bb66e6 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
@@ -11,6 +11,7 @@ hide-version: {{ set_boolean(OPNsense.unboundplus.advanced.hideversion) }}
prefetch: {{ set_boolean(OPNsense.unboundplus.advanced.prefetch) }}
prefetch-key: {{ set_boolean(OPNsense.unboundplus.advanced.prefetchkey) }}
harden-dnssec-stripped: {{ set_boolean(OPNsense.unboundplus.advanced.dnssecstripped) }}
+aggressive-nsec: {{ set_boolean(OPNsense.unboundplus.advanced.aggressivensec) }}
serve-expired: {{ set_boolean(OPNsense.unboundplus.advanced.serveexpired) }}
{{ set_numeric_value('serve-expired-reply-ttl', OPNsense.unboundplus.advanced.serveexpiredreplyttl) }}
{{ set_numeric_value('serve-expired-ttl', OPNsense.unboundplus.advanced.serveexpiredttl) }}