There is another difference between /var/lib/unbound/root.key and
/usr/share/dns/root.key: their respective sources of updates.
The former normally starts its life as a copy of the latter but is then
managed using RFC 5011 to cope with root KSK rollovers.
The latter is changed only via package updates.
I think Debian needs to settle on a way to deal with the root KSK
updates. The current state of having unbound maintain its own copy
feels awkward, IMHO.
A possible simplification would be to have all the packages simply
consult the read-only copy provided by dns-root-data. This would imply
changing `/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf`
from unbound's package and turning it into:
trust-anchor-file: "/usr/share/dns/root.key"
This tells it not to do RFC 5011 maintenance. That way, root KSK refreshes
would only come from dns-root-data updates.
My 2 cents,
Simon
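As an added example (not part of Simon's mail, nor code from the unbound or dns-root-data packages): a small POSIX shell check that tells whether an RFC 5011-managed root.key still carries the same DNSKEY set as the read-only package copy. Such drift is what an operator would want to spot before switching from `auto-trust-anchor-file` to a static `trust-anchor-file`. The file names and key material below are constructed sample data; the only format assumption is that both files hold `DNSKEY` records in standard presentation form, with unbound appending its `;;state=` bookkeeping after a `;` comment marker.

```shell
# Added example, not from the original mail: compare the DNSKEY set in an
# RFC 5011-managed anchor file (unbound's root.key format, which appends
# ";;state=..." fields) with the read-only copy shipped by dns-root-data.
# All file names and key material here are constructed sample data.

# Reduce an anchor file to "flags protocol algorithm publickey" lines,
# one per DNSKEY, dropping the owner name, TTL and any ";..." annotations.
anchor_keys() {
    sed 's/;.*$//' "$1" \
        | awk '$3 == "IN" && $4 == "DNSKEY" {
                   s = $5; for (i = 6; i <= NF; i++) s = s " " $i; print s }' \
        | sort -u
}

# Print "same" when both files hold the same DNSKEY set, otherwise "differ".
compare_anchors() {
    if [ "$(anchor_keys "$1")" = "$(anchor_keys "$2")" ]; then
        echo same
    else
        echo differ
    fi
}

# Write constructed sample anchors into a scratch directory and print its path.
make_samples() {
    sampledir=$(mktemp -d)
    # package copy: two KSKs, as published during a rollover window (constructed keys)
    cat > "$sampledir/package-root.key" <<'EOF'
. 172800 IN DNSKEY 257 3 8 AwEAAaSAMPLEOLDKSK0000000000000000=
. 172800 IN DNSKEY 257 3 8 AwEAAaSAMPLENEWKSK1111111111111111=
EOF
    # RFC 5011-managed copy that is in sync: same keys plus unbound's state fields
    cat > "$sampledir/managed-insync.key" <<'EOF'
. 86400 IN DNSKEY 257 3 8 AwEAAaSAMPLEOLDKSK0000000000000000= ;;state=2 ;;count=0 ;;lastchange=1500000000
. 86400 IN DNSKEY 257 3 8 AwEAAaSAMPLENEWKSK1111111111111111= ;;state=2 ;;count=0 ;;lastchange=1500000000
EOF
    # RFC 5011-managed copy that has drifted: it never learned the new KSK
    cat > "$sampledir/managed-stale.key" <<'EOF'
. 86400 IN DNSKEY 257 3 8 AwEAAaSAMPLEOLDKSK0000000000000000= ;;state=2 ;;count=0 ;;lastchange=1400000000
EOF
    echo "$sampledir"
}

# Run both comparisons on the constructed samples and clean up.
main() {
    d=$(make_samples)
    echo "in sync: $(compare_anchors "$d/package-root.key" "$d/managed-insync.key")"
    echo "stale:   $(compare_anchors "$d/package-root.key" "$d/managed-stale.key")"
    rm -rf "$d"
}
main "$@"
```

On a real Debian host the same two functions would be pointed at /var/lib/unbound/root.key and /usr/share/dns/root.key; "differ" means the 5011 state has fallen behind (or ahead of) the package copy and deserves a look before the static `trust-anchor-file` directive is relied upon.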