The forward-zone entries point to two PowerDNS servers that are authoritative for those domains listed in the configuration. Both PowerDNS servers are using a typical MySQL backend, and they are in a Master-Slave configuration.
I notice that when I add new records to the authoritative servers, Unbound does not successfully resolve these records UNTIL I restart the Unbound daemon. In other words:
dig @10.0.32.6 somenewrecord.infra.company.com    <<-- Works since I'm querying the authoritative server directly
dig somenewrecord.infra.company.com               <<-- Returns a SERVFAIL until I restart the Unbound daemon
The neg-cache-size does not do what you want; it caches DNSSEC
information for DS lookups. So changing it won't fix your problem.
Did you try dig +cdflag? Does the servfail disappear? If so, you
have a DNSSEC problem. Set val-log-level: 2 in your unbound.conf and
it'll print out a validator error.
You have forward statements, but really, to contact authority servers
you should use stub statements. An improvement, unlikely the bug.
Do you need domain-insecure for the internal zones? You have it for the
reverse zone but not your own?
If not, such servfails are only cached very briefly. Wait a couple
seconds, set verbosity to 4 on unbound, and dig at it. Those logs then
tell you what unbound is seeing, including wire 'dig like' output of
what it gets from your authority servers.
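To make the reply's suggestions concrete, here is an unbound.conf fragment that applies them together: validator logging, a stub-zone instead of a forward-zone for the internal zone, and domain-insecure for the zones the internal servers serve without DNSSEC. This is an added example, not the original poster's configuration or anything from the Unbound project. It assumes the zone name infra.company.com and the server address 10.0.32.6 from the question; the second PowerDNS address and the reverse zone name are placeholders, because the thread does not show them.

```conf
server:
    # Temporarily raise logging while debugging; 4 also logs the wire
    # responses received from the authority servers. Lower it afterwards.
    verbosity: 4
    # Log why the validator produced a SERVFAIL (bogus data, missing DS, ...).
    val-log-level: 2

    # Internal zones that are not DNSSEC-signed must be marked insecure,
    # otherwise the validator will reject them as bogus. Apply this only
    # to zones you know are unsigned; it switches validation off for them.
    domain-insecure: "infra.company.com"
    domain-insecure: "REVERSE-ZONE-PLACEHOLDER.in-addr.arpa"   # placeholder: real reverse zone name not shown in the thread

# The PowerDNS servers are authoritative for the zone, so declare them as a
# stub-zone (Unbound sends non-recursive queries) rather than a forward-zone
# (which expects a recursive resolver on the other end).
stub-zone:
    name: "infra.company.com"
    stub-addr: 10.0.32.6          # PowerDNS master, from the question
    stub-addr: 10.0.32.7          # placeholder: second PowerDNS server, address not given
```

Run unbound-checkconf before reloading, then compare `dig somenewrecord.infra.company.com` with `dig +cdflag somenewrecord.infra.company.com`: if only the +cdflag query succeeds, the val-log-level output shows which validation step failed. Keep in mind that a record is still subject to its own TTL in the cache, so a freshly added name that was previously queried as NXDOMAIN will only appear once that negative answer expires.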