Is dnssec working?

pi@pi-hole:~ $ sudo unbound -d -vvvvv
[1570194362] unbound[28022:0] notice: Start of unbound 1.6.0.
[1570194362] unbound[28022:0] debug: increased limit(open files) from 1024 to 4140
[1570194362] unbound[28022:0] debug: creating udp4 socket 127.0.0.1 5353
[1570194362] unbound[28022:0] debug: creating tcp4 socket 127.0.0.1 5353
[1570194362] unbound[28022:0] debug: creating tcp4 socket 127.0.0.1 8953
[1570194362] unbound[28022:0] debug: setup SSL certificates
[1570194362] unbound[28022:0] debug: chdir to /etc/unbound
[1570194362] unbound[28022:0] debug: drop user privileges, run as unbound
[1570194362] unbound[28022:0] debug: switching log to /var/log/unbound.log

I think this may be linked with qname minimisation.
I noted I had a file qname-minimisation.conf in /etc/unbound/unbound.conf.d
This file contains:

qname-minimisation: yes

If I remove this file and add the qname option to the main /unbound.conf.d/pihole.conf file I see similar behaviour.
If I change the option to qname-minimisation: no I see similar behaviour.
If I remove qname-minimisation completely from the config, I don't appear to have any problems.

I'm running Stretch Lite.
apt-cache policy tells me 1.6.0 is the latest available version for this distro.
I'm not sure I know how to compile etc. to bump up the unbound version?

This should have no bearing on the problem. The older version of unbound still works properly.

This would be my understanding also, but at this point I'll try anything to have it working as I want.
I've added deb http://ftp.uk.debian.org/debian sid main to my /etc/apt/sources.list
Guess I cross my fingers now? :man_shrugging:
Edit: no key for Index of /debian/
Are there any known issues with qname minimisation? I've not found anything via Google?

I can live without it, but the point is I shouldn't have to. As others have the same version of unbound running, and working, there must be something up on my install? And I'm a tinkerer, and would like to know what and how to fix!

Currently I have Pi-hole, unbound and OpenVPN running on this particular Raspberry Pi.
I've looked at doing an in-place upgrade to Buster, just nervous about losing data and current setup etc., and not had time to make a backup of the SD card.

I'm still seeing SERVFAIL error in my logs, for every query now.
Any tips on where to start?

SERVFAIL typically indicates that the DNSSEC process could not be completed. If the time/date on the Pi are correct, that may indicate a problem with your certificate.

If it were me, I would do a complete unbound removal, then reinstall.
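
Added example, not part of the thread and not posted by anyone in it: one way to tell a SERVFAIL that a working validator returns for a broken zone from SERVFAIL on every query, the symptom reported here, by reading the status and the ad flag in dig's header. The dig headers below are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed dig headers (not captured from the thread).
SIGNED_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
FAILED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Reduce dig output on stdin to "<rcode> <ad|noad>".
# Live use against the resolver from the unbound log on this page:
#   dig <name> @127.0.0.1 -p 5353 | dig_verdict
dig_verdict() {
    awk '
        match($0, /status: [A-Z]+/) {
            rcode = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            split($0, part, ";")   # part[3] holds " flags: qr rd ra ad"
            ad = "noad"
            if ((part[3] " ") ~ / ad /) ad = "ad"
        }
        END {
            if (rcode == "") rcode = "NONE"
            if (ad == "") ad = "noad"
            print rcode, ad
        }
    '
}

# $1: dig output for a correctly signed name
# $2: dig output for a name whose signatures are deliberately broken
dnssec_state() {
    good=$(printf '%s\n' "$1" | dig_verdict)
    bad=$(printf '%s\n' "$2" | dig_verdict)
    case "$good|$bad" in
        "NOERROR ad|SERVFAIL "*)      echo validating ;;
        "SERVFAIL "*"|SERVFAIL "*)    echo failing-everything ;;
        "NOERROR noad|NOERROR "*)     echo not-validating ;;
        *)                            echo "inconclusive: $good / $bad" ;;
    esac
}

echo "working validator: $(dnssec_state "$SIGNED_OK" "$FAILED")"
echo "SERVFAIL on all  : $(dnssec_state "$FAILED" "$FAILED")"
echo "no validation    : $(dnssec_state "$NO_AD" "$NO_AD")"
```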

I've checked the time and it's correct.
How would you best advise to completely remove unbound from the system?

I would do the opposite of how you installed it. Stop the program, uninstall it, then eliminate all the configuration files.

Ok, so apt purge? Then manually check for config files etc?

Yes, that would be the process I would follow.

Thanks, appreciate your help.
I'll try that now, brace yourself for more questions to follow :man_shrugging:

Quick question....
When I create the pi-hole unbound conf file in /etc/unbound/unbound.conf.d what user should the file be created as?
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
Or
nano /etc/unbound/unbound.conf.d/pi-hole.conf

You will need to use sudo nano, since the permissions on that folder are root.

Of course :man_facepalming:

So, I've fully uninstalled unbound.
Manually deleted any remaining config files
Reinstalled unbound following the guide to the letter.

And yeah, you guessed...still have SERVFAIL errors.
https://dnssec.vs.uni-due.de/ reports that dnssec is not working
(This is the case on multiple browsers)
Yet if I use the dig commands noted in the guide the results are as expected.
Head and brick wall

Still looking for help on this, I've had to revert to using 'normal' upstream servers.

I think you will have to find the solution on the unbound forums.

Could you point me in the right direction? I can't seem to find any forums for unbound at all

I would ask here.