Anyway, with this guide I can set the DNS in unbound and it is actually used (according to DNS leak test), so it basically works.
In /etc/config/unbound I have
config zone
	option enabled '1'
	option zone_type 'forward_zone'
	option fallback '0'
	option tls_upstream '1'
	option tls_index 'cloudflare-dns.com'
	option tls_port '853'
	list zone_name '.'
	list server '1.1.1.1'
	list server '1.0.0.1'
	list server '8.8.8.8@853#dns.google'
	list server '9.9.9.9@853#dns.quad9.net'
Now for the questions:
This looks like Cloudflare is the 'main' DNS provider and the others are 'secondary'. Is there actually any difference? If I make one copy of the zone for each DNS provider, then only one is used. (I actually plan to use different and maybe less reliable DNS servers later, but any should be fine for testing.)
What does the fallback option do? It is not set in other guides, and I don't understand the explanation from the readme: 'Permit normal recursion when the narrowly selected servers in this zone are unresponsive or return empty responses'.
Do not edit /etc/config/unbound directly. Just change what you need within LuCI (what LuCI can handle) and use /etc/unbound/unbound_srv.conf and /etc/unbound/unbound_ext.conf for extra stuff.
Referencing point 1. /etc/unbound/unbound_ext.conf:
Remove the # as needed. Remove the additions you have made to /etc/config/unbound. An NTP server must be reachable without DNSSEC.
Fallback is there for when the master server with the root key cannot be reached and you want to allow using the old keys anyway. IMO not something you want if you are using DNSSEC.
Nobody can say what is wrong with your configuration if you only post a part of it. And as I mentioned already: do not edit /etc/config/unbound directly. Only edit the two files I have mentioned.
Those scripts within the browser are not reliable for every configuration. Use the command line instead, e.g. (install bind-dig):
Do not edit /etc/config/unbound directly. Just change what you need within LuCI
When I want to install luci-app-unbound, I need unbound-heavy, which I wanted to avoid...
Why does the unbound readme I linked tell me to edit the config directly? This is a bit confusing.
Thank you! Exactly the NTP server was the problem. DNSSEC is working now
Thanks, so better no fallback
I only posted the part that was different from changing the default config according to the unbound readme... but I see that simply posting everything would make it easier for you, sorry.
Usually just editing the /etc/config/unbound file is good enough, if your setup is not too complicated. unbound has a round-robin option, but it is not in UCI yet, last I looked; no idea as to its efficacy.
Summary
config zone
	option enabled '1'
	option zone_type 'forward_zone'
	option fallback '1'
	option resolv_conf '0'
	option tls_upstream '1'
	list server '1.1.1.1@853#cloudflare-dns.com'
	list server '9.9.9.9@853#dns.quad9.net'
	list server '2606:4700:4700::1111@853#cloudflare-dns.com'
	list server '2620:fe::9@853#dns.quad9.net'
	list server '8.8.8.8@853#dns.google'
	list server '2001:4860:4860::8888@853#dns.google'
	list zone_name '.'
The tls_port placement used to be important at one point; not sure if that is still the case.
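The two zone snippets in this thread differ only in whether each server carries its own @853#name or relies on tls_index, and in the fallback flag. The script below is an added example, not code from the thread or from the OpenWrt unbound package: it parses the UCI 'config zone' syntax shown above (both the original poster's zone and the Summary zone are embedded as constructed input), fills in tls_port and tls_index for entries that lack their own @port#name (my assumption about how the OpenWrt UCI script applies those defaults), reports forwarders that would be reached without TLS or without a certificate name to verify against, flags fallback '1' because the README wording quoted earlier permits normal recursion, which is unencrypted, whenever the forwarders fail, and renders the equivalent unbound.conf forward-zone so the two forms can be compared (fallback rendered as forward-first is again my reading). The function names audit, resolve_servers and to_unbound_conf are mine.

```python
"""Audit an OpenWrt /etc/config/unbound forward zone for DNS-over-TLS hygiene.
Added example, not from the thread. Assumptions: servers without their own
'@port#name' inherit tls_port/tls_index; UCI 'fallback' maps to forward-first.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the original poster's zone (Cloudflare entries rely on tls_index).
OP_ZONE = """
config zone
    option enabled '1'
    option zone_type 'forward_zone'
    option fallback '0'
    option tls_upstream '1'
    option tls_index 'cloudflare-dns.com'
    option tls_port '853'
    list zone_name '.'
    list server '1.1.1.1'
    list server '1.0.0.1'
    list server '8.8.8.8@853#dns.google'
    list server '9.9.9.9@853#dns.quad9.net'
"""
# Constructed sample input: the 'Summary' zone (every server carries its own name).
SUMMARY_ZONE = """
config zone
    option enabled '1'
    option zone_type 'forward_zone'
    option fallback '1'
    option resolv_conf '0'
    option tls_upstream '1'
    list server '1.1.1.1@853#cloudflare-dns.com'
    list server '9.9.9.9@853#dns.quad9.net'
    list server '2606:4700:4700::1111@853#cloudflare-dns.com'
    list server '2620:fe::9@853#dns.quad9.net'
    list server '8.8.8.8@853#dns.google'
    list server '2001:4860:4860::8888@853#dns.google'
    list zone_name '.'
"""
UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

@dataclass
class Zone:
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)

@dataclass
class Server:
    addr: str
    port: int
    auth_name: Optional[str]  # None: TLS without certificate name verification

def parse_uci(text):
    """Return one Zone per 'config zone' section; other section types are skipped."""
    zones, cur = [], None
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            cur = Zone() if key == "zone" else None
            if cur is not None:
                zones.append(cur)
        elif cur is None:
            continue
        elif kind == "option":
            cur.options[key] = val
        else:
            cur.lists.setdefault(key, []).append(val)
    return zones

def resolve_servers(zone):
    """Expand 'list server' entries; '@port' defaults to tls_port, '#name' to tls_index (assumption)."""
    tls = zone.options.get("tls_upstream") == "1"
    default_port = int(zone.options.get("tls_port", "853")) if tls else 53
    default_name = zone.options.get("tls_index") if tls else None
    servers = []
    for raw in zone.lists.get("server", []):
        addr_port, _, name = raw.partition("#")  # IPv6 contains ':' but never '#' or '@'
        addr, _, port = addr_port.partition("@")
        servers.append(Server(addr, int(port) if port else default_port, name or default_name or None))
    return servers

def audit(zone):
    """Findings to clear before trusting this zone as a DoT-only forwarder."""
    tls = zone.options.get("tls_upstream") == "1"
    findings = [] if tls else ["tls_upstream is not '1': forwarders are queried in cleartext"]
    for s in resolve_servers(zone):
        if tls and s.auth_name is None:
            findings.append(f"{s.addr}: no authentication name, certificate hostname is not checked")
        if tls and s.port == 53:
            findings.append(f"{s.addr}: port 53 is cleartext, not a DoT port")
    if zone.options.get("fallback") == "1":
        findings.append("fallback '1': unbound may recurse in cleartext when the forwarders fail")
    return findings

def to_unbound_conf(zone):
    """Render the equivalent unbound.conf forward-zone block(s)."""
    out = []
    for name in zone.lists.get("zone_name", ["."]):
        out += ["forward-zone:", f'  name: "{name}"']
        if zone.options.get("tls_upstream") == "1":
            out.append("  forward-tls-upstream: yes")
        if zone.options.get("fallback") == "1":
            out.append("  forward-first: yes")  # assumption: UCI fallback -> forward-first
        for s in resolve_servers(zone):
            out.append(f"  forward-addr: {s.addr}@{s.port}" + (f"#{s.auth_name}" if s.auth_name else ""))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for label, text in (("original", OP_ZONE), ("summary", SUMMARY_ZONE)):
        zone = parse_uci(text)[0]
        print(f"# {label}\n{to_unbound_conf(zone)}" + ("\n".join("! " + f for f in audit(zone)) or "no findings"))
```

Under these assumptions the original poster's zone audits clean: 1.1.1.1 and 1.0.0.1 pick up cloudflare-dns.com from tls_index, so all four forwarders end up as forward-addr lines with a name to verify the certificate against, and unbound treats them as one set rather than as a primary and backups. The Summary zone produces a single finding, fallback '1', which is the setting that can let queries leave in cleartext when every DoT forwarder is unreachable.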
/etc/config/unbound is the LuCI configuration for unbound. This file has nothing to do with /etc/unbound/unbound.conf (which is referenced by the unbound readme).
LuCI integrates your /etc/config/unbound plus the ext and srv files (the changes you made via the LuCI GUI) into /etc/unbound/unbound.conf. The end result is placed in /tmp/lib/unbound/unbound.conf.
EDIT2:
The files are not merged with /etc/unbound/unbound.conf. This part is wrong! Sorry for that.
But there is a button in Luci: "Skip UCI and use /etc/unbound/unbound.conf"
/etc/config/unbound does not fully support every setting you can make in /etc/unbound/unbound.conf. So just think about what happens if the files get merged. That's why you have two options: do it with or without LuCI. I don't recommend mixing them. Sure, you can do it like anomeome said, but then you always have to be aware of the same settings being made in both files.
EDIT:
As for your tests:
You have to test on the machine that executes your DNS requests in the end. Not in the browser! On the OpenWrt console, either with tcpdump or with the command I mentioned above (if installed).
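The check recommended above, testing from the OpenWrt console with tcpdump rather than trusting a browser-based leak test, as an added example that is not part of the original post: capture DNS traffic on the WAN interface while resolving a name, then classify what actually left the router. Anything to destination port 853 is DNS-over-TLS to a forwarder; anything to destination port 53 is cleartext, which is what you would see with tls_upstream off or with fallback recursion kicking in while the forwarders are down. The parser assumes tcpdump's default text output with -n (port after the last dot, IPv6 lines prefixed IP6); the interface name, the script name dnscheck.py and the sample capture lines (TEST-NET and documentation addresses) are constructed.

```python
"""Classify a tcpdump capture of the router's WAN to confirm upstream DNS uses DoT.
Added example, not from the thread. Intended use on the OpenWrt router:
  tcpdump -l -n -i <wan> -c 50 'port 53 or port 853' | python3 dnscheck.py
while resolving a name from a LAN client; with no stdin it runs on the sample below.
"""
import re
import sys

# Constructed sample capture: two DoT handshakes (IPv4 and IPv6), one server reply,
# and one cleartext UDP query that a DoT-only setup must never produce.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.51234 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 1.1.1.1.853 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP6 2001:db8::10.51235 > 2620:fe::9.853: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.0.2.10.51236 > 8.8.8.8.53: 4711+ A? example.com. (29)
"""

# timestamp, 'IP' or 'IP6', source endpoint, '>', destination endpoint followed by ':'
PACKET = re.compile(r"^\S+ IP6? (\S+) > (\S+?): ")

def split_port(endpoint):
    """'1.1.1.1.853' or '2620:fe::9.853' -> (host, 853); tcpdump -n puts the port after the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)

def classify(lines):
    """Count outbound DNS by destination port: 853 is DoT, 53 is cleartext; replies are ignored."""
    result = {"dot": 0, "plaintext": 0, "plaintext_dsts": []}
    for line in lines:
        m = PACKET.match(line)
        if not m:
            continue
        host, port = split_port(m.group(2))
        if port == 853:
            result["dot"] += 1
        elif port == 53:
            result["plaintext"] += 1
            if host not in result["plaintext_dsts"]:
                result["plaintext_dsts"].append(host)
    return result

def verdict(result):
    """One-line conclusion for the capture; any cleartext upstream query is a leak."""
    if result["plaintext"]:
        return "LEAK: cleartext DNS to " + ", ".join(result["plaintext_dsts"])
    if result["dot"]:
        return "OK: only DoT (port 853) seen upstream"
    return "INCONCLUSIVE: no DNS packets captured"

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    print(verdict(classify(source)))
```

Run the capture on the WAN side only: on the LAN side every client query is cleartext to the router itself and would be miscounted as a leak. An INCONCLUSIVE result usually means the capture ended before the query went out, or unbound answered from cache; flush the cache or query a name you have not resolved recently.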