Hello,

I have run into immense trouble getting DNS-over-TLS working: although I have everything set up, the process never listens on 853/TCP, never logs any failures or problems, and just ignores the whole TLS portion of the configuration. Below is my unbound.conf file. All the key and cert files mentioned are directly in the /usr/local/etc/unbound folder, owned by and readable by the 'unbound' user the server runs as.

Any ideas are welcome, thanks in advance.


--
Daniel Ryšlink
System Administrator


-----------------------------------------------

# unbound.conf: recursive resolver meant to serve plain DNS on 53 and
# DNS-over-TLS on 853/TCP, chrooted to /usr/local/etc/unbound and running
# as user "unbound". The DoT listener is produced by tls-port together
# with the interface lines at @853 and tls-service-key/tls-service-pem;
# relative file names resolve inside the chroot/directory set below.
server:
        # Interfaces configured with this port number (@853 below) are
        # served as TLS instead of plain TCP.
        tls-port: 853
        # CA bundle used to authenticate TLS connections that unbound
        # itself makes to outside peers (e.g. TLS forwarders). It is not
        # involved in serving DoT to clients.
        tls-cert-bundle: "ca-root-nss.crt"
        # Private key and certificate chain presented to DoT clients.
        # Both are relative names and resolve under the chroot/directory;
        # the process must be able to read them (presumably after it has
        # dropped privileges to "unbound" -- confirm for this version).
        tls-service-key: "privkey.pem"
        tls-service-pem: "fullchain.pem"
        # High logging level; startup/listener diagnostics should appear
        # in the log -- see the use-syslog note below for where that is.
        verbosity: 3
        statistics-interval: 600
        statistics-cumulative: no
        extended-statistics: yes
        num-threads: 4
        # Explicit listen sockets: plain DNS on 53 and, because 853 matches
        # tls-port, TLS-only service on 853 for both IPv4 and IPv6.
        interface: 0.0.0.0@53
        interface: ::00@53
        interface: 0.0.0.0@853
        interface: ::00@853
        # NOTE(review): experimental all-interfaces listener tied to the
        # port: value below. Whether it coexists with the explicit
        # interface/tls-port lines above depends on the installed version;
        # check its manual, and disabling it is a cheap test.
        interface-automatic: yes
        # Default port for listeners that do not name one with @port.
        port: 53
        outgoing-range: 8192
        outgoing-num-tcp: 20
        # Incoming TCP slots per thread; DoT clients consume these, so
        # this bounds concurrent 853 connections as well.
        incoming-num-tcp: 20
        so-reuseport: yes
        # EDNS payload advertised below a typical MTU to limit
        # fragmentation; max-udp-size caps what clients may request.
        edns-buffer-size: 1480
        max-udp-size: 4096
        msg-buffer-size: 65552
        # Cache sizing. The rrset cache is far larger than the message
        # cache (the manual suggests roughly twice the msg cache).
        msg-cache-size: 1000m
        msg-cache-slabs: 8
        num-queries-per-thread: 4096
        jostle-timeout: 200
        delay-close: 10
        rrset-cache-size: 16G
        rrset-cache-slabs: 8
        # Floors cached TTLs at 10 minutes, overriding shorter values
        # from authoritative servers; stale answers are possible for
        # that long after a record changes.
        cache-min-ttl: 600
        cache-max-ttl: 86400
        cache-max-negative-ttl: 3600
        infra-host-ttl: 900
        infra-cache-min-rtt: 50
        infra-cache-slabs: 8
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes
        # The access-control policy lives in these files (not shown here);
        # they decide who may query, including over 853.
        include: "/usr/local/etc/unbound/acl_our_networks"
        include: "/usr/local/etc/unbound/acl_exceptions"
        # Privilege separation: chroot and drop to the unbound user. The
        # working directory is also the chroot root, so the relative file
        # names above resolve as /usr/local/etc/unbound/<name>.
        chroot: "/usr/local/etc/unbound"
        username: "unbound"
        directory: "/usr/local/etc/unbound"
        # With use-syslog enabled the logfile setting is overridden and
        # messages go to syslog -- look there for TLS/listener errors,
        # not in /var/log/unbound.log.
        logfile: "/var/log/unbound.log"
        use-syslog: yes
        log-time-ascii: yes
        log-queries: no
        log-replies: no
        log-local-actions: yes
        log-servfail: yes
        pidfile: "/var/run/unbound/unbound.pid"
        root-hints: "root.hints"
        # CHAOS id.server/version.bind queries are answered: identity
        # returns an empty string, version returns the literal "Unbound".
        hide-identity: no
        hide-version: no
        identity: ""
        version: "Unbound"
        harden-short-bufsize: yes
        harden-large-queries: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        # Algorithm-downgrade protection is off (the manual's default).
        harden-algo-downgrade: no
        prefetch: yes
        # DNSSEC validation with an RFC 5011 auto-managed root anchor; the
        # file is rewritten on anchor updates, so the unbound user needs
        # write access to it inside the chroot.
        auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
        # The chain of trust is ignored towards this name, so answers
        # under it are never marked bogus even if a DS exists above it.
        domain-insecure: "cesta."
        key-cache-size: 40m
        key-cache-slabs: 8
        neg-cache-size: 10m
        # Limits queries per second sent to a zone's nameservers during
        # recursion; the next line lowers that limit for one zone.
        ratelimit: 4000
        ratelimit-below-domain: ultra.brightmail.com. 100
# Empty python module clause.
python:
# unbound-control on loopback only; with IP interfaces the control
# channel presumably uses the key/cert pair from unbound-control-setup
# (control-use-cert default) -- those files must be reachable too.
remote-control:
        control-enable: yes
        control-interface: 127.0.0.1
        control-interface: ::1
