I also tested with "qname-minimisation-strict: no" (unbound 1.9.1) and I still get sec_status_insecure. With "qname-minimisation: no" I get the TLSA records.
Regards,
Stefan

> On Sun, 28 Apr 2019 at 15:38, A. Schulze via
> Unbound-users <unbound-users@nlnetlabs.nl> wrote:
> > Google DNS doesn't use qname minimization.
> > Only if you disable qname minimisation unbound will ask havedane.net's
> > nameserver for "_25._tcp.do" (dotted hostname) and get an answer.
>
> That would imply that unbound's (1.9.0) implementation of qname
> minimisation is broken since Debian's unbound default config has qname
> minimisation activated.
>
> Regards Stefan