unbound not listening on 853?

Phil Pennock unbound-users+phil at spodhuis.org
Sat Jan 29 02:48:11 UTC 2022


Folks, I've probably made a stupid mistake somewhere, but I can't find
it.  Cluehammer me please.  I set up DNS-over-TLS ages ago at home but
rarely touch it, and I just went to take a look and it doesn't appear to
be available.  (I should probably sort out some monitoring.)  I last
touched it last year to replace an expiring cert.

As far as I can tell, Unbound is built with support, it's configured
with `interface:` and `tls-port:` and the key/cert, but
`lsof -nPc unbound` shows it's not listening on 853.

It looks like unbound-checkconf doesn't like the `tls-` names, but does
take `ssl-` variants; an oversight?

OS is Ubuntu 20.04 (amd64); unbound is self-compiled 1.14.0.
I restarted with `verbosity: 5` and can see no mention of this port.
It appears to just be silently ignored and I'm not figuring out what I
messed up.

# unbound -V
Version 1.14.0

Configure line: --prefix=/opt/unbound --with-ssl --enable-pie --enable-relro-now --enable-subnet --with-libevent --enable-systemd --enable-tfo-client --enable-tfo-server --enable-dnstap
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1f  31 Mar 2020
Linked modules: dns64 subnetcache respip validator iterator
TCP Fastopen feature available


# unbound-checkconf -o interface
0.0.0.0
::0
0.0.0.0@853
::0@853
# unbound-checkconf -o tls-port
[1643422803] unbound-checkconf[1654730:0] fatal error: cannot print option 'tls-port'
# unbound-checkconf -o ssl-port
853
# unbound-checkconf -o ssl-service-key
/etc/unbound/tls/unbound-dns-home-2021.key
# unbound-checkconf -o ssl-service-pem
/etc/unbound/tls/unbound-dns-home-2021.chain.pem

The cert is a P-256/prime256v1 one from a home CA, EKU allows for
web-server, I don't recall any docs saying anything special is needed in
a cert for DNS.  The SANs in the cert include my home LAN IPs, home LAN
hostnames, etc.

What did I do wrong, please?  (Besides only monitoring port 53)
-Phil
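The configuration quoted in the post looks internally consistent, which is exactly when it helps to check it mechanically rather than by eye. The script below is an added example (mine, not unbound's tooling and not Phil's code): it lints a `server:` clause for the things that decide whether unbound will serve DoT at all (an `interface:` entry bound to the TLS port, `tls-port` agreeing with it, and a key and cert set), treating the `ssl-*` spellings as the older aliases of `tls-*` as unbound.conf(5) documents them, and it reads `ss -ltn` style output to confirm whether anything actually listens on that port. The config fragment and the `ss` output it runs on are constructed to mirror the post; only the file paths are the ones Phil quoted.

```python
"""Lint an unbound.conf server: clause for DNS-over-TLS listener consistency
and check ss(8) output for the listener.  Added example, not unbound's code."""
from typing import Dict, List, Tuple

# Older option names that unbound.conf(5) documents as aliases of the tls-* names.
ALIASES = {
    "ssl-port": "tls-port",
    "ssl-service-key": "tls-service-key",
    "ssl-service-pem": "tls-service-pem",
}
DEFAULT_PORT = 53
DEFAULT_TLS_PORT = 853

# Constructed config fragment modelled on the post (not Phil's actual file).
SAMPLE_CONF = """
server:
    verbosity: 1
    interface: 0.0.0.0
    interface: ::0
    interface: 0.0.0.0@853
    interface: ::0@853
    tls-port: 853
    tls-service-key: "/etc/unbound/tls/unbound-dns-home-2021.key"
    tls-service-pem: "/etc/unbound/tls/unbound-dns-home-2021.chain.pem"
"""

# Same config with tls-port (via its ssl- alias) no longer matching the @853 interfaces.
BROKEN_CONF = SAMPLE_CONF.replace("tls-port: 853", "ssl-port: 8853")

# Constructed `ss -ltn -p` output: unbound listening on 53 only, as in the post.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      256    0.0.0.0:53         0.0.0.0:*         users:(("unbound",pid=1,fd=5))
LISTEN 0      256    [::]:53            [::]:*            users:(("unbound",pid=1,fd=6))
"""


def parse_server_options(conf: str) -> Dict[str, List[str]]:
    """Collect option: value pairs, normalising ssl-* names to tls-*, dropping
    comments and quotes.  Values are lists because interface: may repeat."""
    opts: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):  # blank line or a clause header like server:
            continue
        key, _, value = line.partition(":")  # first colon only; IPv6 values keep theirs
        key = ALIASES.get(key.strip(), key.strip())
        opts.setdefault(key, []).append(value.strip().strip('"'))
    return opts


def split_interface(spec: str, default_port: int) -> Tuple[str, int]:
    """'::0@853' -> ('::0', 853); a bare address listens on the plain port."""
    addr, sep, port = spec.rpartition("@")
    return (addr, int(port)) if sep else (spec, default_port)


def lint_dot(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means the DoT listener
    configuration is at least self-consistent."""
    opts = parse_server_options(conf)
    port = int(opts.get("port", [DEFAULT_PORT])[-1])
    tls_port = int(opts.get("tls-port", [DEFAULT_TLS_PORT])[-1])
    ifaces = [split_interface(i, port) for i in opts.get("interface", [])]
    tls_ifaces = [a for a, p in ifaces if p == tls_port]
    other = sorted({p for _, p in ifaces if p not in (port, tls_port)})
    findings = []
    if not tls_ifaces:
        findings.append(f"no interface: entry is bound to @{tls_port}; "
                        "unbound only serves TLS on interfaces bound to tls-port")
    if other:
        findings.append(f"interface: entries on port(s) {other} match neither port "
                        f"({port}) nor tls-port ({tls_port}) and will serve plain DNS")
    for opt in ("tls-service-key", "tls-service-pem"):
        if opt not in opts:
            findings.append(f"{opt} is not set; TLS listeners need both key and cert")
    return findings


def listeners_on(ss_output: str, port: int) -> List[str]:
    """Local addresses from `ss -ltn` output that are in LISTEN state on port."""
    found = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, p = cols[3].rpartition(":")  # rpartition keeps [::] intact
        if p.isdigit() and int(p) == port:
            found.append(addr)
    return found


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        print(name, "findings:", lint_dot(conf) or "none")
    print("listening on 853:", listeners_on(SAMPLE_SS, 853) or "nothing")
```

A clean lint result with no 853 listener, which is what the constructed data reproduces, says the problem is not in the option names but somewhere the config parser does not report, so the next stop is the runtime log rather than the cert.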

