Is DNSSEC working?

I’m trying to establish if DNSSEC is working OK on my install…
Latest Pi-hole running unbound as described in the docs.

If I run a dig command I see the AD flag, so it appears to work, yet if I run unbound-control reload I get an error:

pi@pi-hole:~ $ unbound-control reload
error: Error setting up SSL_CTX client key and cert
3069136896:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:293:fopen('/etc/unbound/unbound_control.pem','r')
3069136896:error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:295:
3069136896:error:140DC002:SSL routines:use_certificate_chain_file:system lib:../ssl/ssl_rsa.c:609:

And when I test on various DNSSEC test sites, for example https://dnssec.vs.uni-due.de/, it tells me DNSSEC is not validating signatures?
unbound-checkconf returns no errors.
Any guidance please?

Edit:
Status of unbound from sudo service unbound status:

unbound.service - Unbound DNS server
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-10-02 18:20:42 BST; 57min ago
     Docs: man:unbound(8)
  Process: 26602 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
  Process: 26597 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
 Main PID: 26609 (unbound)
   CGroup: /system.slice/unbound.service
           └─26609 /usr/sbin/unbound -d

Oct 02 18:20:40 pi-hole systemd[1]: Stopped Unbound DNS server.
Oct 02 18:20:40 pi-hole systemd[1]: Starting Unbound DNS server...
Oct 02 18:20:42 pi-hole package-helper[26602]: /var/lib/unbound/root.key has content
Oct 02 18:20:42 pi-hole package-helper[26602]: success: the anchor is ok
Oct 02 18:20:42 pi-hole systemd[1]: Started Unbound DNS server.
Oct 02 18:20:42 pi-hole unbound[26609]: [1570036842] unbound[26609:0] error: Could not open logfile /var/log/unbound.log: Permission denied
Oct 02 18:20:43 pi-hole unbound[26609]: [1570036843] unbound[26609:0] notice: init module 0: validator
Oct 02 18:20:43 pi-hole unbound[26609]: [1570036843] unbound[26609:0] notice: init module 1: iterator
Oct 02 18:20:43 pi-hole unbound[26609]: [1570036843] unbound[26609:0] info: start of service (unbound 1.6.0).

You should start and stop unbound through the service command:

sudo service unbound restart

You should also look at the permissions on your unbound log file and ensure unbound has access:

Oct 02 18:20:42 pi-hole unbound[26609]: [1570036842] unbound[26609:0] error: Could not open logfile /var/log/unbound.log: Permission denied

I’ve tried this and it still doesn’t seem to all add up.
Looking in /var/log/ there actually isn’t a log file at all!?
sudo -u unbound touch /var/log/unbound.log results in a permission denied error.

Let’s take a look at your unbound configuration file:

sudo grep -v '#\|^$' /etc/unbound/unbound.conf.d/pi-hole.conf

pi@pi-hole:~ $ sudo grep -v '#\|^$' /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    logfile: "/var/log/unbound.log"
    verbosity: 1
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no

    root-hints: "/var/lib/unbound/root.hints"
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 512
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    num-threads: 1
    so-rcvbuf: 1m
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
    qname-minimisation: yes

I’ve created a log file and run sudo chown unbound:unbound /var/log/unbound.log

pi@pi-hole:~ $ ls -l /var/log/unbound.log
-rw-r--r-- 1 unbound unbound 0 Oct  2 19:24 /var/log/unbound.log

At this level of verbosity, why do you want a separate log? It is easy enough to add the few entries (maybe a few dozen a day max) that will be generated to the system log, and that log will automatically rotate daily. You can find the unbound entries in there with a grep.

Yeah, point taken, not sure why it’s at level 1 tbh. I’ve switched back to 0 and restarted unbound.
But I still get the fail on the test site, yet see the AD flag on a dig command.
The docs state to use /var/log/unbound.log if desired and a verbosity of 0.

What is the output of dig sigfail.verteiltesysteme.net, with no manual port assignment?

pi@pi-hole:~ $ dig sigfail.verteiltesysteme.net

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14986
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 02 19:50:25 BST 2019
;; MSG SIZE  rcvd: 57

And for comparison…

pi@pi-hole:~ $ dig sigfail.verteiltesysteme.net @127.0.0.1

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35205
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 02 19:50:59 BST 2019
;; MSG SIZE  rcvd: 57

pi@pi-hole:~ $ dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26942
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 02 19:51:13 BST 2019
;; MSG SIZE  rcvd: 57

They all failed as expected. What is the output of this command:

dig sigok.verteiltesysteme.net

Have a look at this on the log.

https://discourse.pi-hole.net/t/private-dns-hostname/18734/73

Yeah. My issue is the passing of the test…
Meaning the dig passes with the AD flag, but the DNSSEC test site reports no validation.

pi@pi-hole:~ $ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39464
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 2919 IN     A       134.91.78.139

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 02 19:58:12 BST 2019
;; MSG SIZE  rcvd: 71

The two tests you ran established that unbound is properly employing DNSSEC.

Perhaps the browser you are using has another DNS setting in use?
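The sigok/sigfail comparison above can be scripted so the verdict does not depend on reading dig output by eye. The following is an added example, not code from this thread, from Pi-hole or from unbound: the function names (dig_status, dig_has_ad, dnssec_verdict, live_check) are this example's own, and the sample dig outputs embedded below are constructed by trimming the responses quoted earlier in the thread plus one invented "non-validating" response for contrast.

```shell
#!/bin/sh
# Added example (not from the thread, Pi-hole or unbound): turn the manual
# sigok/sigfail dig comparison into a scripted verdict.
# Invented names: dig_status, dig_has_ad, dnssec_verdict, live_check.

# rcode from a dig answer header, e.g. "status: SERVFAIL," -> SERVFAIL
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# true when the flags line carries "ad": the resolver that answered
# claims it validated the data (authenticated data bit)
dig_has_ad() {
  grep -Eq '^;; flags:.* ad[ ;]'
}

# dnssec_verdict <dig output for sigok> <dig output for sigfail>
#   validating     : good signature -> NOERROR with ad, bad signature -> SERVFAIL
#   not-validating : the bogus record is handed out as a normal NOERROR answer
#   inconclusive   : sigok itself failed or came back without ad (clock skew,
#                    trust anchor, wrong port/resolver): look at the logs first
dnssec_verdict() {
  ok_status=$(printf '%s\n' "$1" | dig_status)
  if printf '%s\n' "$1" | dig_has_ad; then ok_ad=yes; else ok_ad=no; fi
  fail_status=$(printf '%s\n' "$2" | dig_status)
  if [ "$ok_status" = NOERROR ] && [ "$ok_ad" = yes ] && [ "$fail_status" = SERVFAIL ]; then
    echo validating
  elif [ "$ok_status" = NOERROR ] && [ "$fail_status" = NOERROR ]; then
    echo not-validating
  else
    echo inconclusive
  fi
}

# live_check <server> <port>: query a real resolver (needs network + dig), e.g.
#   live_check 127.0.0.1 5353   (unbound directly, port from the config above)
#   live_check 127.0.0.1 53     (through Pi-hole, which forwards to unbound)
live_check() {
  ok=$(dig "@$1" -p "$2" sigok.verteiltesysteme.net A)
  bad=$(dig "@$1" -p "$2" sigfail.verteiltesysteme.net A)
  dnssec_verdict "$ok" "$bad"
}

# Constructed samples, trimmed from the dig runs quoted in the thread.
SIGOK_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39464
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
sigok.verteiltesysteme.net. 2919 IN     A       134.91.78.139
EOF
)
SIGFAIL_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14986
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
# Constructed (invented): what a resolver that does NOT validate would hand
# back for sigfail: the broken record served as an ordinary answer.
NONVALIDATING_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
sigfail.verteiltesysteme.net. 60 IN     A       134.91.78.139
EOF
)

echo "thread samples: $(dnssec_verdict "$SIGOK_SAMPLE" "$SIGFAIL_SAMPLE")"
echo "non-validating resolver would give: $(dnssec_verdict "$SIGOK_SAMPLE" "$NONVALIDATING_SAMPLE")"
```

The verdict describes the resolver you pointed dig at (5353 is unbound itself per the config quoted above, 53 is Pi-hole in front of it; both should agree). It says nothing about the path a browser's test page took, which is exactly the gap the thread is chasing.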

Currently testing on Chrome on Android.
Async DNS resolver flag set to disabled
I’ll try Firefox

Not sure what I’m looking at there tbh

Tested on Firefox and still get a failed result on the test site.
Also noticed my download speed has dropped a lot.
5 minutes to download a 50 MB app :thinking:

I don’t think this is related to Pi-hole. Only the DNS traffic goes to Pi-hole; the data goes directly between the client and the router.

I agree.
Just thought I’d note it.
Still confused by the test result inconsistencies though.

New problems this morning…
Lost all web connectivity.
Logs are showing every query resulting in SERVFAIL.

Check that the time on the Pi is correct for your location and matches your local time.

Time and date are correct to local time here (UK).