Is dnssec working?

At this level of verbosity, why do you want a separate log? It is easy enough to add the few entries (maybe a few dozen a day max) that will be generated to the system log, and that log will automatically rotate daily. You can find the unbound entries in there with a grep.

Yeah, point taken, not sure why it's at level 1 tbh, I've switched back to 0 and restarted unbound.
But still I get the fail on the test site yet see ad flag on a dig command
The docs state to use /var/log/unbound.log if desired and verbosity of 0

What is the output of dig sigfail.verteiltesysteme.net , with no manual port assignment.

pi@pi-hole:~ $ dig sigfail.verteiltesysteme.net

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14986
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 02 19:50:25 BST 2019
;; MSG SIZE  rcvd: 57

And for comparison...

pi@pi-hole:~ $ dig sigfail.verteiltesysteme.net @127.0.0.1

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35205
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 02 19:50:59 BST 2019
;; MSG SIZE  rcvd: 57

pi@pi-hole:~ $ dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26942
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.  IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 02 19:51:13 BST 2019
;; MSG SIZE  rcvd: 57

They all failed as expected. What is the output of this command:

dig sigok.verteiltesysteme.net

Yeah. My issue is the passing of the test....
Meaning the dig passes with flag ad, but the dnssec test site reports no validation.

pi@pi-hole:~ $ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39464
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 2919 IN     A       134.91.78.139

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 02 19:58:12 BST 2019
;; MSG SIZE  rcvd: 71

The two tests you ran established that unbound is properly employing DNSSEC.

Perhaps the browser you are using has another DNS setting in use by the browser?

Currently testing on Chrome on Android.
Async DNS resolver flag set to disabled
I'll try Firefox

Not sure what I'm looking at there tbh

Tested on Firefox and still get a failed result in test site
Also noticed my dl speed has dropped a lot.
5 minutes to download a 50mb app :thinking:

I don't think this is related to Pi-Hole. Only the DNS traffic goes to Pi-Hole, the data is drectly between the client and the router.

I agree.
Just thought id note it.
Still confused by the test result inconsistencies though

New problems this morning...
Lost all web connectivity.
Logs are showing every query resulting in SERVFAIL

Check that the time on the Pi is correct for your location and matches your local time.

Time and date are correct to local time here (UK)

any more ideas or help?

pi@pi-hole:~ $ sudo unbound -d -vvvvv
[1570194362] unbound[28022:0] notice: Start of unbound 1.6.0.
[1570194362] unbound[28022:0] debug: increased limit(open files) from 1024 to 4140
[1570194362] unbound[28022:0] debug: creating udp4 socket 127.0.0.1 5353
[1570194362] unbound[28022:0] debug: creating tcp4 socket 127.0.0.1 5353
[1570194362] unbound[28022:0] debug: creating tcp4 socket 127.0.0.1 8953
[1570194362] unbound[28022:0] debug: setup SSL certificates
[1570194362] unbound[28022:0] debug: chdir to /etc/unbound
[1570194362] unbound[28022:0] debug: drop user privileges, run as unbound
[1570194362] unbound[28022:0] debug: switching log to /var/log/unbound.log

I think this may be linked with qname minimisation.
I noted I had a file qname-minimisation.conf in /etc/unbound/unbound.conf.d
This file contains:

qname-minimisation: yes

If I remove this file and add the qname option to the main /unbound.conf.d/pihole.conf file I see similar behaviour.
If I change the option to qname-minimisation: no I see similar behaviour.
If I remove qname-minimisation completely from the config, I dont appear to have any problems

im running stretch lite.
apt-cache policy tells me 1.6.0 is the latest available version for this distro
Im not sure i know how to compile etc to bump up the unbound version?

This should have no bearing on the problem. The older version of unbound still works properly.

This would be my understanding also, but at this point ill try anything to have it working as i want.
Ive added deb http://ftp.uk.debian.org/debian sid main to my /etc/apt/sources.list
guess i cross my fingers now? :man_shrugging:
edit: no key for Index of /debian/
Is there any know issues with qname minimisation? Ive not found anything via Google?

I can live without it, but the point is i shouldnt have to. As others have the same version of unbound running, and working, there must be something up on my install? And im a tinkerer, and would like to know what and how to fix!

Currently I have pi-hole, unbound and OpenVPN running on this particular rasperry pi.
Ive looked at doing an in place upgrade to Buster, just nervous about losing data and current setup etc. and not had time to make a backup of the sd card