This question might be due to a lack of knowledge on my part, but I wanted to discuss this here to find out of there is a solution.
I'm using an rpi3 with pi-hole and unbound as a local recursive resolver. Last night (at about 3am), my sideways-hanging rpi soc finally lost its grip on the heatsink and it slid off, resulting in an overheating situation locking up my rpi.
After a reboot this morning, DNS didn't work. I tried to trace the issue and saw that unbound worked fine for the test domains, but looking up google.com via nslookup on the pi-hole gave a SERVFAIL reply. Checking the pi-hole logs I found BOGUS replies for google.com. I read somewhere that this might be due to a mismatch in time. And sure enough, my rpi's local time was set to about an hour after the lock-up.
I tried to reset the time by doing a raspi-config but that did not result in a different time setting. That got me thinking: the rpi probably leans on DNS to access the NTP servers, but DNSSEC relies on a properly set time to validate DNS records.
How does one prepare for a scenario such as the one I experienced? Configure the NTP client to also include a static IP in case DNS fails? I can't think of a solution yet. Does anyone have suggestions?
Edit:
I'm not sure if unbound is a part of the problem here. After all, it is pi-hole that is configured to enable DNSSEC. But I'll leave its involvement in the description for completeness.