This is interesting from a few other points of view.

unbound-host should probably not use /var/lib/unbound/root.key which
is an untrusted-owned file in an untrusted-owned directory.
So probably the default value for this root.key file should not
point to this location.

We probably can change both unbound-host and unbound-anchor to use
/usr/share/dns/root.key - the same location as shipped by
dns-root-data.  And keep the unbound-owned file as it is now
(which is configured in /etc/unbound/unbound.conf*).

On the other hand, if we have a more recent file in the unbound
libdir than the one shipped by dns-root-data, or if we do not
have dns-root-data installed in the first place, we can use that
unbound-owned file too. But see the first point above.

I think I'll just move it to /usr/share/dns/root.key, that sounds
like the best course of action here.

Thanks,

/mjt
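
Added example, not part of the original message and not code from the unbound or dns-root-data packages: a check that a trust-anchor file and every directory above it are owned by a trusted account and are not group- or world-writable, which is the property the message finds missing for /var/lib/unbound/root.key. The function names, the default of uid 0 as the only trusted owner, and the temporary demo tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_anchor_path(path, trusted_uids=(0,), stop_at="/"):
    """Check `path` and every parent directory up to `stop_at`.

    Returns (component, reason) tuples for anything a non-trusted account
    could replace or rewrite: a foreign owner, or group/world write access.
    """
    findings = []
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, "owned by uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group/world-writable"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent

def build_demo_tree():
    """Constructed sample layout: <tmp>/unbound/root.key, owned by the caller."""
    base = os.path.realpath(tempfile.mkdtemp())
    directory = os.path.join(base, "unbound")
    os.mkdir(directory)
    os.chmod(directory, 0o755)
    key = os.path.join(directory, "root.key")
    with open(key, "w") as handle:
        handle.write("; constructed placeholder, not a real trust anchor\n")
    os.chmod(key, 0o644)
    return base, key

if __name__ == "__main__":
    # The two locations named in the message; absent ones are skipped.
    for candidate in ("/var/lib/unbound/root.key", "/usr/share/dns/root.key"):
        if os.path.exists(candidate):
            for component, reason in audit_anchor_path(candidate):
                print("%s: %s: %s" % (candidate, component, reason))
```

An empty result for a path means every component from the file up to the filesystem root passed both checks.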
