When Unbound gets a response from an authoritative server without answer section
(NODATA), but with additional section filled (but no referral NS records), it
returns the additional section records to the client.

This can be misused to tunnel data through unsuspicious queries (like A/AAAA) and
can be a potential security risk.

Other DNS resolvers (BIND 9, PowerDNS-Recursor, Knot-Resolver) do not forward
the additional section to the client.