hmm ok, thanks
any more tips / things to try?
for now I have resorted back to using 'standard' upstream servers.
not sure if this is of any use or significance, but I'll post the contents of my /etc/pihole/pihole-FTL.conf
BLOCKINGMODE=NULL
AAAA_QUERY_ANALYSIS=no
REGEX_DEBUGMODE=true
PRIVACYLEVEL=0
Those are typical settings and have no impact on how unbound is working.
I thought so, kinda clutching at straws now.
It just makes absolutely no sense that it worked one second, then the next it did not...with no changes to any configs, either pi-hole or unbound.
Any thoughts on what else to look for?
I can't seem to find an unbound dedicated forum?
Take a look at all the configuration and support files for unbound, particularly the key for authentication.
I suspected you'd say that
Unfortunately, a lot of it is beyond my knowledge and a little over my head
In terms of other DNS settings within pi-hole GUI, if I enable unbound, what are the best settings? Currently I have:
'Listen on all interfaces' ticked
'Never forward non-FQDNs' ticked
'Never forward reverse lookups for private IP ranges' checked
'Use DNSSEC' is not ticked
No conditional forwarding set
All default settings I believe
So. I did a bit harder googling and found this GitHub thread
I created the file /etc/dnsmasq.d/02-mytld.conf
and added:
server=/.mytld/127.0.0.1#5353
Followed by
pihole restartdns
sudo service unbound restart
So far it all seems to work when using unbound.
I'm not seeing any SERVFAIL results and all the replies showing in pihole query log are ok, and not N/A
Hopefully this is a fix and this thread might help some others.
Could this be a Pi-Hole thing or dnsmasq?
Possible (if at all required) to 'fix' in a future update?
Edit, after a short time I'm still seeing the error in log for some domains:
May 1 17:58:04 dnsmasq[28408]: query[A] m.stripe.network from 192.168.0.100
May 1 17:58:04 dnsmasq[28408]: forwarded m.stripe.network to 127.0.0.1
May 1 17:58:04 dnsmasq[28408]: forwarded m.stripe.network to 127.0.0.1
May 1 17:58:04 dnsmasq[28408]: reply error is SERVFAIL
Edit again:
Yeah, all the above can be disregarded.
I now see the SERVFAIL error again.
So had to switch back to non-unbound upstream
Date and time are still correct and the anchor command returns nothing.
pi@pi-hole:~ $ date
Wed 1 May 19:01:56 BST 2019
pi@pi-hole:~ $ unbound-anchor -a -vvvvv
pi@pi-hole:~ $
pi@pi-hole:~ $ unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
It's not that I'm drifting in and out, it's more a restart of unbound and it works for a short time and then stops, and by short time I mean minutes.
pi@pi-hole:~ $ unbound-anchor -vvvvv
/var/lib/unbound/root.key has content
[1556736248] libunbound[2833:0] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.2833-0: Permission denied
Really appreciate your time and help @anon55913113
I've managed to get some syslog entries into a text file, but currently don't have access to a computer so can't get them into a pastebin (clipboard restrictions on Android)
Edit for some more info
pi@pi-hole:~ $ ls /var/lib/unbound/
total 16K
drwxr-xr-x 2 unbound unbound 4.0K May 1 19:22 .
drwxr-xr-x 39 root root 4.0K Apr 27 10:28 ..
-rw-r--r-- 1 pi pi 3.3K Mar 13 15:01 root.hints
-rw-r--r-- 1 unbound unbound 1.3K May 1 19:22 root.key
Ah ok,
So sudo chown root:unbound root.hints
pi@pi-hole:/var/lib/unbound $ sudo chown root:unbound root.hints
pi@pi-hole:/var/lib/unbound $ sudo chmod 664 root.hints
pi@pi-hole:/var/lib/unbound $ ls
total 16K
drwxr-xr-x 2 unbound unbound 4.0K May 1 19:22 .
drwxr-xr-x 39 root root 4.0K Apr 27 10:28 ..
-rw-rw-r-- 1 root unbound 3.3K Mar 13 15:01 root.hints
-rw-r--r-- 1 unbound unbound 1.3K May 1 19:22 root.key
pi@pi-hole:/var/lib/unbound $ unbound-anchor -vvvvv
/var/lib/unbound/root.key has content
[1556736928] libunbound[3155:0] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.3155-0: Permission denied
pi@pi-hole:/var/lib/unbound $ sudo chown root:unbound root.key
pi@pi-hole:/var/lib/unbound $ unbound-anchor -vvvvv
/var/lib/unbound/root.key has content
[1556737139] libunbound[3226:0] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.3226-0: Permission denied
pi@pi-hole:/var/lib/unbound $ sudo chown unbound:unbound root.key
pi@pi-hole:/var/lib/unbound $ sudo chmod 664 root.key
pi@pi-hole:/var/lib/unbound $ unbound-anchor -vvvvv
/var/lib/unbound/root.key has content
[1556737382] libunbound[3407:0] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.3407-0: Permission denied
How do I chmod a directory only, and not recursively?
Edit:
pi@pi-hole:/var/lib $ sudo find /var/lib/unbound -type d -exec chmod 775 {} +
pi@pi-hole:/var/lib $ cd unbound/
pi@pi-hole:/var/lib/unbound $ ls
total 16K
drwxrwxr-x 2 root unbound 4.0K May 1 19:22 .
drwxr-xr-x 39 root root 4.0K Apr 27 10:28 ..
-rw-rw-r-- 1 root unbound 3.3K Mar 13 15:01 root.hints
-rw-rw-r-- 1 unbound unbound 1.3K May 1 19:22 root.key
pi@pi-hole:/var/lib/unbound $ unbound-anchor -vvvvv
/var/lib/unbound/root.key has content
[1556739369] libunbound[4404:0] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.4404-0: Permission denied
Yeah I spotted that....still the same error
pi@pi-hole:/var/lib/unbound $ sudo chmod 644 root.key
pi@pi-hole:/var/lib/unbound $ ls
total 16K
drwxrwxr-x 2 root unbound 4.0K May 1 19:22 .
drwxr-xr-x 39 root root 4.0K Apr 27 10:28 ..
-rw-rw-r-- 1 root unbound 3.3K Mar 13 15:01 root.hints
-rw-r--r-- 1 unbound unbound 1.3K May 1 19:22 root.key
pi@pi-hole:/var/lib/unbound $ unbound-anchor -vvvvv
/var/lib/unbound/root.key has content
[1556739574] libunbound[4572:0] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.4572-0: Permission denied
pi@pi-hole:/var/lib/unbound $ sudo find / -name root.key
find: ‘/proc/5508/task/5508/net’: Invalid argument
find: ‘/proc/5508/net’: Invalid argument
/usr/share/dns/root.key
/var/lib/unbound/root.key
pi@pi-hole:/var/lib/unbound $ sudo -u unbound unbound-anchor -v -a /var/lib/unbound/root.key
/var/lib/unbound/root.key has content
success: the anchor is ok
Doesn't seem to be fixed
pi@pi-hole:/var/lib/unbound $ unbound-anchor -vvvv
/var/lib/unbound/root.key has content
[1556742275] libunbound[5846:0] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.5846-0: Permission denied
Ok thanks.
How would I implement symlinks?
And I guess I should ask...is it worth it?
OK, so I think I have done what you suggested...
I renamed the unbound folder: sudo mv /var/lib/unbound /var/lib/unbound.backup
I then ran sudo ln -s /usr/share/dns /var/lib/unbound
Then copied files to the new folder /var/lib/unbound -> /usr/share/dns
pi@pi-hole:/var/lib $ ls unbound
lrwxrwxrwx 1 root root 14 May 2 10:13 unbound -> /usr/share/dns
pi@pi-hole:/var/lib $ ls /usr/share/dns
total 20K
drwxr-xr-x 2 root unbound 4.0K Sep 2 2018 .
drwxr-xr-x 119 root root 4.0K Apr 27 10:28 ..
-rw-r--r-- 1 root root 166 Aug 23 2017 root.ds
-rw-rw-r-- 1 root unbound 3.3K May 2 10:14 root.hints
-rw-r--r-- 1 unbound unbound 1.3K May 2 10:14 root.key
Changed the permissions on /usr/share/dns with sudo find /usr/share/dns -type d -exec chmod 775 {} +
pi@pi-hole:/var/lib $ unbound-anchor -vvvv
/var/lib/unbound/root.key has content
[1556794319] libunbound[31417:0] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.31417-0: Permission denied
I'm sure I'm missing something, but not sure what?
Do you mean chmod the /usr/share/dns folder?
drwxrwxr-x 2 root unbound 4.0K Sep 2 2018 .
drwxr-xr-x 119 root root 4.0K Apr 27 10:28 ..
-rw-r--r-- 1 root root 166 Aug 23 2017 root.ds
-rw-rw-r-- 1 root unbound 3.3K May 2 10:14 root.hints
-rw-r--r-- 1 unbound unbound 1.3K May 2 10:14 root.key
Edit:
Added chroot: "" to unbound config
pi@pi-hole:/var/lib $ unbound-anchor -vvvv
/var/lib/unbound/root.key has content
[1556818998] libunbound[10928:0] fatal error: could not open autotrust file for writing, /var/lib/unbound/root.key.10928-0: Permission denied
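Every failing run in this thread was started as pi, and the error names a temporary file, root.key.<pid>-0, that has to be created in the directory beside root.key; the one run started with sudo -u unbound succeeded. The shell sketch below is an added example, not part of the original thread: it evaluates the directory mode bits from the listings above for a given user. It assumes plain POSIX mode bits decide access (no ACLs or AppArmor), and pi's group list is an assumption.

```shell
#!/bin/sh
# Added example. Assumes plain POSIX mode bits decide access (no ACLs, AppArmor).
# unbound-anchor creates root.key.<pid>-0 beside the key, so the invoking user
# needs write and search permission on the directory itself.

# can_create MODE OWNER GROUP USER [USER_GROUPS...]; MODE as printed by ls -l.
# Returns 0 if USER may create a file in a directory with those attributes.
can_create() {
    cc_mode=$1 cc_owner=$2 cc_group=$3 cc_user=$4
    shift 4
    [ "$cc_user" = root ] && return 0            # root bypasses mode bits
    if [ "$cc_user" = "$cc_owner" ]; then
        cc_bits=$(printf '%s' "$cc_mode" | cut -c2-4)       # owner triad
    else
        cc_bits=$(printf '%s' "$cc_mode" | cut -c8-10)      # other triad
        for cc_g in "$@"; do
            if [ "$cc_g" = "$cc_group" ]; then
                cc_bits=$(printf '%s' "$cc_mode" | cut -c5-7)   # group triad
                break
            fi
        done
    fi
    case $cc_bits in
        ?w[xst]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_anchor_dir KEYFILE USER: the same check against the live filesystem.
check_anchor_dir() {
    cad_dir=$(dirname "$1")
    # ls -ldL follows a symlinked directory; fields: mode links owner group ...
    set -- "$2" $(ls -ldL "$cad_dir")
    if can_create "$2" "$4" "$5" "$1" $(id -Gn "$1"); then
        echo "$1 can create temp files in $cad_dir"
    else
        echo "$1 cannot create temp files in $cad_dir ($2 $4:$5)"
        return 1
    fi
}

# Directory modes from the listings in the thread; pi's group list is assumed.
for row in "drwxr-xr-x unbound unbound" "drwxrwxr-x root unbound"; do
    for who in "pi pi" "unbound unbound"; do
        if can_create $row $who; then verdict=yes; else verdict=no; fi
        echo "$row, user ${who%% *}: can create = $verdict"
    done
done
```

On the host itself, check_anchor_dir /var/lib/unbound/root.key pi runs the same test against the real directory.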