Unbound/BIND config for DNS over TLS to 1.1.1.1

named.conf

options {
	directory "/tmp";

  listen-on-v6 { none; };

	forwarders {
                127.0.0.1 port 2053;
	};

	auth-nxdomain no;    # conform to RFC1035
        notify yes;          # notify slave server(s)
};

unbound_ext.conf

forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853         # Cloudflare primary
        forward-addr: 1.0.0.1@853         # Cloudflare secondary
        forward-addr: 9.9.9.9@853         # quad9.net primary
        forward-addr: 149.112.112.112@853 # quad9.net secondary
        forward-ssl-upstream: yes

unbound_srv.conf

do-tcp: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
do-ip6: no
do-not-query-localhost: no #leftover from using Unbound in front of BIND
port: 2053

You're not verifying the certificates of the forwarders with this setup.

server: do-tcp: yes prefetch: yes qname-minimisation: yes rrset-roundrobin: yes use-caps-for-id: yes do-ip6: no do-not-query-localhost: no #leftover from using Unbound in front of BIND port: 2053