Revisiting this thread, I wanted to update the above statement, which I discovered is inaccurate. Unbound never falls back to TCP due to timeouts, only when it receives a truncated ANSWER. See this reply I got on the Unbound mailing list:
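To make the distinction in the post concrete (TC-bit fallback versus timeout), here is an added example, not code from the thread and not Unbound's own implementation: a minimal stub-resolver decision step that parses the DNS header of a UDP reply and re-sends over TCP only when the TrunCation (TC) flag is set, while a timeout just leads to a UDP retry. The query and reply messages are constructed inline so the example runs offline; the `decide_next_step` return strings are an assumed convention for illustration.

```python
"""Added example: UDP-to-TCP fallback driven by the DNS TC bit, not by timeouts.
Messages are built inline (constructed sample input); no network I/O happens."""
import struct
from typing import Optional

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035 section 4.1.1)
HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # response flag
RD_BIT = 0x0100  # recursion desired
RA_BIT = 0x0080  # recursion available
TC_BIT = 0x0200  # TrunCation: answer did not fit in the UDP payload


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal query (default type A, class IN) with RD set."""
    header = HEADER.pack(txid, RD_BIT, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, name: str, truncated: bool, answers: int = 0) -> bytes:
    """Constructed reply used as sample input: QR/RD/RA set, TC optional.
    Only the question section is echoed; the answer RRs are omitted since the
    decision below looks at the header alone."""
    flags = QR_BIT | RD_BIT | RA_BIT
    if truncated:
        flags |= TC_BIT
    header = HEADER.pack(txid, flags, 1, answers, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def parse_header(msg: bytes) -> dict:
    """Return the header fields a resolver checks before trusting a reply."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": txid,
        "qr": bool(flags & QR_BIT),
        "tc": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def frame_tcp(msg: bytes) -> bytes:
    """What a TCP fallback actually sends: the same message behind a two-byte
    big-endian length prefix (RFC 7766 framing)."""
    return struct.pack("!H", len(msg)) + msg


def decide_next_step(txid: int, udp_response: Optional[bytes]) -> str:
    """Decide what to do after one UDP exchange (assumed return convention):
      None      -> timed out: retry over UDP (or try another server), no TCP switch
      TC=1      -> truncated: re-send the same question over TCP
      TC=0      -> accept the UDP answer
    """
    if udp_response is None:
        return "retry-udp"
    hdr = parse_header(udp_response)
    if hdr["id"] != txid or not hdr["qr"]:
        return "discard"  # not a reply to our outstanding query
    if hdr["tc"]:
        return "fallback-tcp"
    return "accept-udp"


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    print("timeout      ->", decide_next_step(0x1234, None))
    print("TC=1 reply   ->", decide_next_step(0x1234, build_response(0x1234, "example.com", True)))
    print("TC=0 reply   ->", decide_next_step(0x1234, build_response(0x1234, "example.com", False, 1)))
    print("TCP frame    ->", frame_tcp(q)[:2].hex(), "+", len(q), "bytes")
```

The point to take from the decision function is the one the post makes: a timeout tells the resolver nothing about message size, so it is not a reason to open a TCP connection; only an explicit TC=1 does that.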