DNSSEC: BOGUS/SERVFAIL response for private domain (Unbound)

Started by cami09, December 28, 2024, 10:56:09 AM

Hi all,

I am currently using a private, LAN-only domain "home.arpa" with the Unbound recursive resolver and DNSSEC validation for public domains.
First off, this setup works well most of the time: public domains supporting DNSSEC are answered as SECURE, the others as INSECURE. Likewise, DNSSEC responses for home.arpa addresses are labelled INSECURE and just work.

Issues arise when the upstream internet router is powered off periodically for some hours: during this time (after cache invalidation), not only are public names like NTP domains not resolved, but responses for *internal* hostnames like mail.home.arpa are also discarded as BOGUS (refused upstream) with SERVFAIL. For example, this leads to batch jobs not sending mail.

My assumption so far (I'm no expert, please correct me): the DS record from arpa. cannot be fetched, which causes the chain to invalidate the sub-domain home.arpa.
But the "Private Domains" and "Insecure Domains" settings under the Unbound tab are already set to home.arpa.
Hence my question: isn't the purpose of these settings to ignore any missing/invalid DNSSEC result for home.arpa, or am I missing some setting?

Current setup:
- System - Settings - General
    - Domain: home.arpa
- Services - Unbound DNS
    - General
        - Enable DNSSEC Support: checked
        - Local Zone Type: static
    - Advanced
        - Private Domains: home.arpa
        - Insecure Domains: home.arpa
        - Harden DNSSEC Data: checked
        - Aggressive NSEC: checked

OPNsense 24.7.10_2

Thanks for any hints.
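
Added example (not code from this thread, from OPNsense, or from the Unbound project): the unbound.conf directives that the GUI options listed above map onto, written in upstream Unbound syntax rather than the file OPNsense generates, plus a small parser for the validation verdict that unbound-host -v prints (secure / insecure / BOGUS) and a live check that uses it. The hostname mail.home.arpa, the address 192.168.1.10, the trust-anchor path and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the forum post or from OPNsense/Unbound.
# Paths, addresses and sample lines are assumptions for illustration.
set -eu

# Emit the unbound.conf equivalent of the GUI settings in the post.
# "Private Domains"  -> private-domain
# "Insecure Domains" -> domain-insecure
# "Local Zone Type: static" -> local-zone ... static
# "Harden DNSSEC Data" -> harden-dnssec-stripped, "Aggressive NSEC" -> aggressive-nsec
unbound_home_arpa_fragment() {
    cat <<'EOF'
server:
    # validate public names; without a reachable trust chain they become BOGUS -> SERVFAIL
    auto-trust-anchor-file: "/var/unbound/root.key"   # path is an assumption
    harden-dnssec-stripped: yes
    aggressive-nsec: yes

    # home.arpa is served locally: never require a DS chain from arpa. for it
    domain-insecure: "home.arpa"
    # allow RFC 1918 addresses in answers for this zone (otherwise rebind protection drops them)
    private-domain: "home.arpa"
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12

    local-zone: "home.arpa." static
    local-data: "mail.home.arpa. IN A 192.168.1.10"   # constructed sample record
EOF
}

# Reduce one "unbound-host -v" output line to its DNSSEC verdict.
# Prints SECURE, INSECURE, BOGUS or UNKNOWN.
dnssec_verdict() {
    case "$1" in
        *"(secure)"*)   echo SECURE ;;
        *"(insecure)"*) echo INSECURE ;;
        *BOGUS*)        echo BOGUS ;;
        *)              echo UNKNOWN ;;
    esac
}

# Ask the resolvers from /etc/resolv.conf (-r) for a name and report the verdict.
# Succeeds only when the answer was usable (SECURE or INSECURE).
check_name() {
    out=$(unbound-host -r -v "$1" 2>&1 || true)
    verdict=$(dnssec_verdict "$out")
    printf '%s %s\n' "$1" "$verdict"
    [ "$verdict" = SECURE ] || [ "$verdict" = INSECURE ]
}

# Constructed sample lines in the shape unbound-host -v prints, for an offline run.
SAMPLE_SECURE='nlnetlabs.nl has address 185.49.140.10 (secure)'
SAMPLE_BOGUS='mail.home.arpa has address 192.168.1.10 (BOGUS (security failure))'

if [ "${1:-}" = "live" ] && command -v unbound-host >/dev/null 2>&1; then
    # On the resolver itself: if the local name comes back BOGUS, confirm the
    # exception is active and drop cached bogus entries before retesting.
    check_name mail.home.arpa || {
        echo "home.arpa rejected; check: unbound-control insecure_list"
        echo "then clear cached failures:  unbound-control flush_bogus"
    }
else
    dnssec_verdict "$SAMPLE_SECURE"
    dnssec_verdict "$SAMPLE_BOGUS"
fi
```

Run it with `sh check.sh live` on the OPNsense box to query the running resolver; without the argument it only exercises the parser on the constructed sample lines. `unbound-control insecure_list` shows which domains currently carry the domain-insecure exception at runtime, and `unbound-control flush_bogus` removes cached BOGUS entries so a retest is not answered from the poisoned cache.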

Hm, still no solution. Might this be an OPNsense (and/or Unbound) bug?
Imagine your internet being disrupted for a couple of hours, and you are not able to resolve local host names despite having a local resolver responsible for this private domain.
I can't believe DNSSEC would not support such cases; I just want to ignore it for the private domain.