Re: where is the DNSSEC root key?
When unbound is installed, the root key is at /var/lib/unbound/root.key.
The init script updates it, if requsted, by way of unbound-anchor(8).
Ideally there would be a separate package each dnssec-aware package
could depend on which would maintain the root.key file.
For comparison, gentoo has a net-dns/dnssec-root package which
installs /etc/dnssec/root-anchors.txt and .xml. That would be
a good precedent to follow.
James Cloos <email@example.com> OpenPGP: 1024D/ED7DAEA6