Is dnssec working?

Thanks, but thats just the Git page for reporting issues.
Im not yet sure if this qualifies as an 'issue'

Yeah I get that. That might be the closet thing you are going to find

Sorry to drag this up again....
Looking at dnssec only now, if I use cloudflare as upstream and tick 'Use DNSSEC' in pihole settings I still get the fail result at https://dnssec.vs.uni-due.de/

I've also opened an issue at the unbound git page

Edit: I'm also now unable to access my dashboard at pi.hole/admin.
I can access at ip_address/admin

Sorry. Don't follow you. So to utilise dnssec I do not tick this setting in pihole?
Previously, using either method (unbound or dnssec ticked in pihole settings) the dnssec test are passed and reports me as being 'protected'.
Currently, I cannot achieve this in any way

Edit: rebooting the Pi didn't solve the issue

For some reason the first thing that comes to my mind is port 53 hijacking.

How would I determine this?

pi@pi-hole:~ $ sudo netstat -tulpn | grep :53
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      8740/pihole-FTL
tcp6       0      0 :::53                   :::*                    LISTEN      8740/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           8740/pihole-FTL
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           240/avahi-daemon: r
udp6       0      0 :::53                   :::*                                8740/pihole-FTL
udp6       0      0 :::5353

Posted further up here

I'll run it again when I'm back home

I was thinking more along the lines of port hijacking on the wan not lan. Have you checked for dns leaks?

How would I do this?

Try here from a connected client
dnsleaktest.com

You aren't checking for a DNS leak here (that's a concept associated with a VPN service), but the output will show the IP of the DNS server that is answering your requests.

Well you are actually checking for it leaking from other than the selected provider

Leak test looks ok.
Shows 1 server found and names the correct ISP

pi@pi-hole:~ $ sudo unbound -vvvvv
[1572033564] unbound[18401:0] notice: Start of unbound 1.6.0.
[1572033564] unbound[18401:0] debug: increased limit(open files) from 1024 to 4140
[1572033564] unbound[18401:0] debug: creating udp4 socket 127.0.0.1 5353
[1572033564] unbound[18401:0] debug: creating tcp4 socket 127.0.0.1 5353
[1572033564] unbound[18401:0] debug: creating tcp4 socket 127.0.0.1 8953
[1572033564] unbound[18401:0] debug: setup SSL certificates

You can rule out dns hijacking

Wait if it shows your isp DNS you have a problem

I get the same result when using unbound and when using standard upstream providers

Yes. Using date
It's correct

I've set unbound to run on port 5354
Still seeing the occasional SERVFAIL and dnssec test are failing still