Bug #6570: Unbound breaks DNSSEC for pfSense's own hostname
Status: closed
Description
During config update, pfSense writes its own FQDN in /etc/hosts, such as:
10.64.0.1 pf-a73.example.com pf-a73
2001:db8:e27f:a40::1 pf-a73.example.com pf-a73
Then, the Unbound ("DNS Resolver") configurator reads every line of /etc/hosts and creates 'local-data' configuration items inside /var/unbound/host_entries.conf, such as:
local-data-ptr: "10.64.0.1 pf-a73.example.com"
local-data: "pf-a73.example.com A 10.64.0.1"
local-data: "pf-a73 A 10.64.0.1"
local-data-ptr: "2001:db8:e27f:a40::1 pf-a73.example.com"
local-data: "pf-a73.example.com AAAA 2001:db8:e27f:a40::1"
local-data: "pf-a73 AAAA 2001:db8:e27f:a40::1"
This, unfortunately, breaks DNSSEC signatures on the real pf-a73.example.com in DNS (which has the WAN IP address, while pfSense/Unbound are putting the LAN addresses in the local-data overrides). Since the signatures no longer match the data, computers on the LAN are unable to resolve my pfSense's domain name.
To avoid breaking DNSSEC, the Unbound host_entries.conf generator should be changed to be smarter about which /etc/hosts lines to include. IMHO, it should ignore all "local host" entries (matching localhost or system hostname or system FQDN).
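The following is an added illustration of the filtering the report proposes; it is not pfSense's own generator (which is PHP) and not code from this bug report. It parses /etc/hosts-format text, emits local-data / local-data-ptr lines in the shape shown above, and, when skip_local is enabled, drops names that match localhost, the system hostname or the system FQDN, so Unbound never overrides the DNSSEC-signed public records for the firewall's own name. The sample hosts text, the hostname "pf-a73" and the domain "example.com" are constructed for this example; the parser also accepts a line on which several "IP names..." groups have been run together, as in the report's quoted /etc/hosts line, which goes slightly beyond the one-IP-per-line format.

```python
import ipaddress

# Constructed sample /etc/hosts content: the localhost entries pfSense writes,
# the firewall's own LAN addresses (the entries that break DNSSEC), and one
# ordinary LAN client that a resolver should keep serving as local-data.
HOSTS_SAMPLE = """\
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
10.64.0.1 pf-a73.example.com pf-a73
2001:db8:e27f:a40::1 pf-a73.example.com pf-a73
10.64.0.50 printer.example.com printer   # ordinary LAN host
"""


def parse_hosts(text):
    """Yield (ip, [names]) groups from /etc/hosts-format text.

    Comments and blank lines are ignored. Every token that parses as an IP
    address starts a new group, so both the normal one-IP-per-line layout
    and a line with several IP/name groups run together are handled.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, names = None, []
        for tok in line.split():
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:
                if ip is not None:          # a hostname belonging to the current IP
                    names.append(tok)
                continue
            if ip is not None and names:    # flush the previous group
                yield ip, names
            ip, names = str(addr), []
        if ip is not None and names:
            yield ip, names


def local_names(hostname, domain):
    """Names that refer to the resolver host itself and must not become local-data."""
    fqdn = f"{hostname}.{domain}".lower()
    return {"localhost", "localhost.localdomain", hostname.lower(), fqdn}


def host_entries(hosts_text, hostname, domain, skip_local=True):
    """Build Unbound host_entries.conf lines from /etc/hosts text.

    skip_local=False reproduces the behaviour described in the report
    (every /etc/hosts name becomes a local-data override); skip_local=True
    is the proposed fix: names matching localhost, the system hostname or
    the system FQDN are left out so DNSSEC for the public name still works.
    """
    skip = local_names(hostname, domain) if skip_local else set()
    out = []
    for ip, names in parse_hosts(hosts_text):
        kept = [n for n in names if n.lower() not in skip]
        if not kept:
            continue
        rrtype = "AAAA" if ":" in ip else "A"
        out.append(f'local-data-ptr: "{ip} {kept[0]}"')   # PTR uses the first name
        for name in kept:
            out.append(f'local-data: "{name} {rrtype} {ip}"')
    return out


if __name__ == "__main__":
    print("# current behaviour (overrides the firewall's own FQDN):")
    print("\n".join(host_entries(HOSTS_SAMPLE, "pf-a73", "example.com", skip_local=False)))
    print("\n# proposed behaviour (firewall's own names skipped):")
    print("\n".join(host_entries(HOSTS_SAMPLE, "pf-a73", "example.com")))
```

Run as a script it prints the generated configuration in both modes; with the sample above, the second block contains only the printer's records, so a LAN client asking for pf-a73.example.com is forwarded to the authoritative, signed answer instead of receiving an unsigned LAN address.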