ルートゾーンKSK/日本では/dns-oarc.net/unbound/confについて、ここに記述してください。

{{{
max-udp-size: 512
edns-buffer-size: 1220
}}}
が気になる。
{{{
   harden-referral-path: yes
   minimal-responses: yes
   qname-minimisation-strict: yes
}}}
は設定したかも

このconfが使われているのかどうか、はっきりしないが。-- ToshinoriMaeno <<DateTime(2017-07-25T23:54:48+0900)>>

$ more local.conf 
{{{
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
## include: "/etc/unbound/unbound.conf.d/*.conf"

server:
	directory: "/etc/unbound"
        username: unbound
#	chroot: "/etc/unbound"
        logfile: "/etc/unbound/unbound.log"
        verbosity: 2
	interface: 127.0.0.2
	module-config: "iterator"
	max-udp-size: 512
	edns-buffer-size: 1220
	do-not-query-localhost: no
	do-not-query-address: 0.0.0.0/8
	harden-referral-path: yes
	minimal-responses: yes
	qname-minimisation-strict: yes
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        cache-min-ttl: 300
        cache-max-ttl: 7200
	qname-minimisation: yes
	use-caps-for-id: yes
	target-fetch-policy: "0 0 0 0 0 0"
	#tcp-upstream: yes
        logfile: "/etc/unbound/unbound.log"
remote-control:
        # Enable remote control with unbound-control(8) here.
        # set up the keys and certificates with unbound-control-setup.
        control-enable: yes

        # Set to no and use an absolute path as control-interface to use
        # a unix local named pipe for unbound-control.
        control-use-cert: no

        # what interfaces are listened to for remote control.
        # give 0.0.0.0 and ::0 to listen to all interfaces.
        control-interface: 127.0.0.1

}}}