however this talks to me as if I'm at the level of someone that's competent. can someone help me with this? maybe make one of those awesome pi-hole guides for dummies like me?
Highlights: - Listen only for queries from the local Pi-hole installation (on port 5353) - Listen for both UDP and TCP requests - Verify DNSSEC signatures, discarding BOGUS domains - Apply a few security and privacy tricks
Yes, followed that guide, it's how i got unbound installed. DNSSEC passes.however, from what I gather, unbound isn't verifying certification, so theoretically you can spoof the certificate and dnssec will be useless
https://rootcanary.org/test.html is a bit strange, sometimes I have to run the test a second time. But I guess the button "Re-run test" doesn't solve your issue?
You also can try to switch the setting "Use DNSSEC" in the Pi-hole web interface (tab "DNS").