While you can get it to act as authoritative, its not really the primary design purpose of unbound.  Not from anything I have read.. Now I have it setup to return SOA for my local domain, etc.

C:\>dig local.lan SOA

; <<>> DiG 9.10.4-P1 <<>> local.lan SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22076
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;local.lan.                     IN      SOA

;; ANSWER SECTION:
local.lan.              10800   IN      SOA     pfsense.local.lan. root.local.lan. 1 3600 1200 604800 10800

;; Query time: 115 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Tue Sep 06 10:26:35 Central Daylight Time 2016
;; MSG SIZE  rcvd: 87

C:\>dig flssljf.local.lan

; <<>> DiG 9.10.4-P1 <<>> flssljf.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36032
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;flssljf.local.lan.             IN      A

;; AUTHORITY SECTION:
local.lan.              10800   IN      SOA     pfsense.local.lan. root.local.lan. 1 3600 1200 604800 10800

;; Query time: 112 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Tue Sep 06 10:26:44 Central Daylight Time 2016
;; MSG SIZE  rcvd: 95

The integration of unbound package in pfsense does is not really setup to do that, any sort of authoritative info you would like to place would have to be in custom box on your own.. Not part of the gui, and doesn't handle cnames like an authoritative ns would do..

If you look at wiki for comparison of different dns software you will see that unbound authoritative is listed as partial
https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

While you might be able to do what you need to do to pass the cert ipv6 tests from HE with unbound.  Unbound would not be my go to software for setting up authoritative zones.  I do not believe it you could do any sort of zone xfer with it, doesn't support slave mode for sure and tsig is not an option either AFAIK, etc.

Unbound is not meant to be an authoritative nameserver, your really going to want to use bind.  You could use the bind package..

As to the HE test you can do everything with just HE, you can setup the PTR, glue etc.. Your going to need to make sure glue is there for the sage level test.

Sage Test; Score: 1 / 1
This test validates that you have IPv6 Glue at your registrar

Trying to get your sage t-shirt huh ;)  Got mine quite some time ago.. One of my fav free things gotten for learning and playing for sure..

Have fun with your tests.. If have any questions on it.. Be happy to help.

So you have a static assignment of ipv6 space from your ISP and they delegated this control to you?  If so then sure you could run your own ns to respond to the PTRs for the netblocks you get.

This is one nice thing with just getting a /48 from HE, they allow you to set your PTRs for anything in this address space.

Indeed I do have a /48 from my UK based ISP, they haven't delegated control yet, but they can.

I sent my ISP an email as I was trying to do the Hurricane Electric IPv6 Certification and for part of the cert you need a FQDN that points to one of your servers.

I've split my /48 into /64 and have a LAN & DMZ on my router.

It's just figuring out what to do as I'm a bit new to pfSense and have only used it for a few months and a lot of the documentation use the old GUI, but I'm getting a 19/20 from http://ipv6-test.com it's just the reverse lookups that are failing.

I'm guessing ISPs are reluctant to add reverse entires due to the wide subnet ranges they're handing out.

This is one nice thing with just getting a /48 from HE, they allow you to set your PTRs for anything in this address space.