Quoting Joachim Fahrner (jf@???):

> Am 2017-07-05 09:43, schrieb Joachim Fahrner:
>
> >Jul 5 09:37:46 server unbound: [22751:0] info: NSEC3s for the
> >referral proved no DS.
>
> Could it be that my problem has to do with DNSSEC?

Obviously, you could test this hypothesis by disabling DNSSEC support
for testing purposes. I tend to think 'no', however.

I hesitate to suggest this, because the resemblance to flailing around
changing things without a credible theory is uncomfortably close, _but_,
it's possible you might need to tweak timeout settings in unbound.conf.
E.g.:

   edns-buffer-size: <number>
              Number of bytes size to advertise as the EDNS reassembly buffer
              size.   This  is  the  value put into datagrams over UDP towards
              peers.  The actual buffer size is determined by msg-buffer-size
              (both  for  TCP  and  UDP).   Do not set higher than that value.
              Default is 4096 which is RFC recommended.  If you have fragmen-
              tation  reassembly  problems,  usually  seen as timeouts, then a
              value of 1480 can fix it.

https://www.unbound.net/documentation/unbound.conf.html

You'll want to look broadly at option documentation, and look at this
page carefully.
https://www.unbound.net/documentation/info_timeout.html

Part of what makes me uneasy is: Why just on one domain, and (AFAIK)
just on your Unbound instance?