What would be the equivalent to deny-answer-aliases for unbound

[SvenVD-be]

We have private-addresses to protect against dns rebinding.

But how to protect against cname rebinding to a local configured auth-zone in unbound as described in https://github.com/nccgroup/singularity/wiki/Protection-Bypasses

bind has an deny-answer-aliases config option for this, what would be the equivalent for unbound