Sanitized unbound config for CAA SERVFAIL repro. Note: this has `access-control` configs *removed* and may be unsafe to run as-is.

unbound-common.conf

server:
    log-replies: yes
    log-queries: yes
    outgoing-num-tcp: 6000
    num-queries-per-thread: 6000
    outgoing-range: 48000
    jostle-timeout: 1000
    num-threads: 6
    incoming-num-tcp: 2000
    so-rcvbuf: 4m
    so-sndbuf: 4m
    so-reuseport: yes
    verbosity: 2
    logfile: "/var/log/unbound.log"
    statistics-interval: 60
    extended-statistics: yes
    use-syslog: no
    log-time-ascii: yes
    chroot: ""
    username: "unbound"
    directory: "/etc/unbound"
    interface: 0.0.0.0
    interface: ::0
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    root-hints: "/var/lib/unbound/root.hints"
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    cache-min-ttl: 0
    cache-max-ttl: 60
    cache-max-negative-ttl: 0
    neg-cache-size: 0
    prefetch: no
    msg-cache-slabs: 32
    rrset-cache-slabs: 32
    infra-cache-slabs: 32
    key-cache-slabs: 32
    rrset-cache-size: 256m
    msg-cache-size: 128m
    unwanted-reply-threshold: 10000
    do-not-query-localhost: yes
    trusted-keys-file: /etc/unbound/keys.d/*.key
    auto-trust-anchor-file: "/usr/share/dns/root.key"
    val-clean-additional: yes
remote-control:
    control-enable: yes

unbound-udp.conf

server:
    tcp-upstream: no
    port: 1053
include: "/etc/unbound/unbound-common.conf"