By default, +trace works when querying Bind server as it returns root hints as NS-list for “.”. However, +trace disables RD flag and the first query (dig +norecurse NS .) is REFUSED by unbound. The fix:
In unbound.conf, change
access-control: 10.0.0.0/8 allow
access-control: 10.0.0.0/8 allow_snoop
Change allow to allow_snoop for all subnets served by your Unbound server. This allows non-recusive query for root NS entries.