In RFC4470 section 4 for minimally covering NSEC records. To get the immediate lexicographic successor of a name, add a leading label with a single null (zero-value) octet.

For example, the immediate successor for nlnetlabs.nl is \000.nlnetlabs.nl so we can create the following proof (which works)

nlnetlabs.nl  300 IN NSEC \000.nlnetlabs.nl A TXT SOA AAAA NSEC RRSIG
nlnetlabs.nl  300 IN RRSIG NSEC 8 2 300 ....

I have a root zone with top level names. Some of these do not have a DS record, so I have an insecure delegation proof:

example.  300 IN NSEC \000.example. NS RRSIG NSEC
example.  300 IN RRSIG NSEC 8 1 300 .... 

Unbound is configured as a recursive resolver for the root server (with my own root KSK). It marks the response as bogus "no DS for ...." but the following works (a larger range)

example.  300 IN NSEC example\000. NS RRSIG NSEC
example.  300 IN RRSIG NSEC 8 1 300 .... 

Is there an issue here with unbound or I'm I missing something?