Unbound does DNSSEC validation OOTB if setup according to the official guide:
Verify DNSSEC signatures, discarding BOGUS domains
https://docs.pi-hole.net/guides/dns/unbound/
Why do you need a log file?
Pi-hole is already logging client queries and has a way nicer interface to look them up.
Depending if you're running a systemd distro:
$ readlink -f /sbin/init
/usr/lib/systemd/systemd
You can check the systemd journal for the current --boot:
sudo journalctl --all --boot --unit unbound.service
Or two boots back (-2):
sudo journalctl --all --boot -2 --unit unbound.service
Or follow/tail live:
sudo journalctl --all --follow --unit unbound.service
If you want to see queries in the journal for diagnostic purposes, you can up verbosity to three in below config file:
$ cat /etc/unbound/unbound.conf.d/pi-hole.conf
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
[..]
Or higher if necessary:
$ man unbound.conf
[..]
verbosity: <number>
The verbosity number, level 0 means no verbosity, only errors.
Level 1 gives operational information. Level 2 gives detailed
operational information including short information per query.
Level 3 gives query level information, output per query. Level
4 gives algorithm level information. Level 5 logs client iden-
tification for cache misses. Default is level 1. The verbosity
can also be increased from the commandline, see unbound(8).
And reload to apply:
sudo systemctl reload unbound.service
EDIT: If want to list all units and their enabled status:
systemctl list-unit-files
EDIT2: Dont forget to set verbosity back to zero after diagnosing as this uses up extra disk space and you have more writes to the FS if not!