This change is in conflict with the change made by DL6ER; see here.
From the unbound docs (unbound.conf(5) — Unbound 1.17.0 documentation (nlnetlabs.nl)):
edns-buffer-size: <number>
Number of bytes size to advertise as the EDNS reassembly buffer size. This is the value put into datagrams over UDP towards peers. The actual buffer size is determined by msg-buffer-size: (both for TCP and UDP). Do not set higher than that value. Setting to 512 bypasses even the most stringent path MTU problems, but is seen as extreme, since the amount of TCP fallback generated is excessive (probably also for this resolver, consider tuning outgoing-num-tcp:).
Default: 1232 (DNS Flag Day 2020 recommendation)
msg-buffer-size: <number>
Number of bytes size of the message buffers. Default is 65552 bytes, enough for 64 Kb packets, the maximum DNS message size. No message larger than this can be sent or received. Can be reduced to use less memory, but some requests for DNS data, such as for huge resource records, will result in a SERVFAIL reply to the client.
Default: 65552
@DL6ER, would really like to know your opinion, and if this needs to be changed in the docs / configuration.
edit
As indicated here, I'm using good-A.test.dnssec-tools.org and good-AAAA.test.dnssec-tools.org.
I also have the problem (not yet investigated, until now) that the test for good-A.test.dnssec-tools.org produces ;; connection timed out; no servers could be reached.
I only changed the setting edns-buffer-size: 512, leaving the setting msg-buffer-size at its default (65552), and restarted unbound; the test now succeeds.
There may be a valid reason to change the unbound setting to edns-buffer-size: 512; note, however, that I didn't change the dnsmasq setting edns-packet-max=1232.
Would it be recommended to also change this?
/edit
edit2
Note that the response for the test domains is different:
fail01.dnssec.works: info: query response was DNSSEC LAME
good-A.test.dnssec-tools.org: info: query response was THROWAWAY
/edit2
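An added example (not part of the post and not Unbound's code) showing where the edns-buffer-size value from the quoted docs ends up on the wire: it is the CLASS field of the EDNS0 OPT record in each UDP query, and any response larger than that value is truncated and retried over TCP. The helper names and the 900-byte response size are assumptions made for illustration.

```python
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, edns_size=1232, qtype=1, txid=0x1234):
    """Build a DNS query; edns_size=None omits the EDNS0 OPT record."""
    arcount = 0 if edns_size is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    if edns_size is not None:
        # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS carries the
        # advertised UDP payload size, TTL carries flags (0x8000 = DO bit).
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0x8000, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer is two bytes
            return off + 2
        off += 1 + n

def advertised_size(msg):
    """UDP payload size the sender advertises; 512 when there is no OPT."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return max(rclass, 512)            # values below 512 count as 512
        off += 10 + rdlen
    return 512

def needs_tcp(query, response_len):
    """True if a response this large is truncated over UDP (TC set, TCP retry)."""
    return response_len > advertised_size(query)

# Constructed sample: a 900-byte signed answer (the size is illustrative).
for size in (None, 512, 1232):
    q = build_query("good-A.test.dnssec-tools.org", size)
    print(size, advertised_size(q), needs_tcp(q, 900))
```

With 512 advertised, the constructed 900-byte answer has to be fetched over TCP, which is the extra TCP fallback the quoted documentation warns about; with 1232 it fits in a single UDP datagram.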