Unbound before 1.3.4 does not properly verify signatures for NSEC3 records,
which allows remote attackers to cause secure delegations to be downgraded
via DNS spoofing or other DNS-related attacks in conjunction with crafted
delegation responses.