Comment 7 for bug 988513

> that impossible, because the /etc/default/unbound file is part of the package.

That's actually not true - you can create /etc/default/unbound before installing the package and the package will not overwrite the configfile by default:

root@lettie:/# touch /etc/default/unbound

root@lettie:/# ls -l /etc/default/unbound
-rw-r--r-- 1 root root 0 Dec 5 09:43 /etc/default/unbound

root@lettie:/# apt-get install unbound
[...]
Setting up unbound (1.4.16-1) ...

Configuration file `/etc/default/unbound'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ? Your options are:
    Y or I : install the package maintainer's version
    N or O : keep your currently-installed version
      D : show the differences between the versions
      Z : start a shell to examine the situation
 The default action is to keep your current version.
*** unbound (Y/I/N/O/D/Z) [default=N] ?
invoke-rc.d: policy-rc.d denied execution of start.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place

root@lettie:/# ls -l /etc/default/unbound
-rw-r--r-- 1 root root 0 Dec 5 09:43 /etc/default/unbound

I don't think that the default configuration is "unsafe". You are installing it in ***broken*** network, and thus you should modify your script to accommodate for the fact that the upstream resolver is broken.

Or just fix the upstream resolver, you should do that anyway.