Package: unbound
Version: 1.7.1-1

TL;DR: applications using libunbound2 should have access to a fresh root.key

If one installs unbound-anchor or unbound-host or any other application using libunbound2, they will be missing a fresh copy of the root.key for DNSSEC validation. This is because /var/lib/unbound/root.key is managed by a helper script provided by the unbound package only.

Ideally, installing libunbound2 should provide a root.key that is kept up to date for root KSK rollovers.

A possible solution would be to have libunbound2 depend on unbound-anchor and have the unbound-anchor package ship a cron job (or systemd.timer unit) to periodically refresh the root.key file.

If the proposed solution makes sense to you, I'd be happy to work on the implementation.

Regards,
Simon

P.S: This problem was initially reported to Ubuntu
https://bugs.launchpad.net/ubuntu/+source/unbound/+bug/1771545
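
A periodic refresh job like the one proposed above is easier to trust with a freshness check beside it. The script below is an added example, not code from this report or from the unbound packages. It assumes root.key is in the autotrust format written by RFC 5011 tracking (a `;;last_success:` epoch line and DNSKEY lines tagged `[  VALID  ]`); the function names, the 48-hour default and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether an autotrust-format root.key is usable.

# root_key_status FILE MAX_AGE_SECONDS [NOW_EPOCH]
# Prints one of: missing, no-valid-ksk, stale, fresh
root_key_status() {
    file=$1; max_age=$2; now=${3:-$(date +%s)}
    [ -s "$file" ] || { echo missing; return 0; }
    # Count KSKs (DNSKEY flags 257) that autotrust currently marks VALID.
    valid=$(awk '$4 == "DNSKEY" && $5 == 257 && /\[ *VALID *\]/ { n++ }
                 END { print n + 0 }' "$file")
    [ "$valid" -gt 0 ] || { echo no-valid-ksk; return 0; }
    # ";;last_success: <epoch>" is the last successful probe of the root DNSKEY set.
    last=$(awk '$1 == ";;last_success:" { print $2; exit }' "$file")
    case $last in
        ''|*[!0-9]*) echo stale; return 0 ;;   # field absent or not a number
    esac
    if [ $((now - last)) -gt "$max_age" ]; then echo stale; else echo fresh; fi
}

# write_sample_root_key FILE LAST_SUCCESS_EPOCH
# Constructed sample in autotrust layout; key data and key id are placeholders.
write_sample_root_key() {
    cat > "$1" <<EOF
; autotrust trust anchor file
;;id: . 1
;;last_queried: $2 ;;constructed
;;last_success: $2 ;;constructed
;;query_interval: 43200
. 172800 IN DNSKEY 257 3 8 AwEAAcCONSTRUCTED ;{id = 12345 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
EOF
}

# Stand-alone use: sh check-root-key.sh /var/lib/unbound/root.key [max-age-seconds]
if [ $# -ge 1 ]; then
    root_key_status "$1" "${2:-172800}"
fi
```

A file that only a one-off install ever wrote shows up as `stale` once its last successful probe is older than the threshold, which is the condition this report describes for hosts without the unbound package's helper script.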