It's highly likely that there will be a new unbound release to update to before this is required, so I'd prefer to avoid complicating that update by adding a local patch that will need to be merged.

On 2026/06/10 20:22, Andres Pavez wrote:
> Greetings,
>
> IANA has published a new Certificate Authority (CA) certificate used to
> validate the authenticity of the DNS root zone trust anchors file
> (`root-anchors.xml`).
>
> The updated certificate bundle is available at:
>
> https://data.iana.org/root-anchors/icannbundle.pem
>
> This bundle currently contains both the existing certificate and its
> replacement certificate. Signatures chaining to the new certificate are
> expected to be published in 2028, at which point relying parties will need to
> validate using the new certificate.
>
> Affected file(s):
>
> * [usr.sbin/unbound/smallapp/unbound-anchor.c](https://github.com/openbsd/src/blob/293caf0d3fbcaa7970dcbd7d26dff73771762c60/usr.sbin/unbound/smallapp/unbound-anchor.c)
>
> Please review whether the trust anchor validation material in this repository
> should be updated to include the current contents of `icannbundle.pem`.
>
> Considerations for updating the trust anchor are described in *DNSSEC Trust
> Anchor Publication for the Root Zone* (RFC 9718).
>
> Thank you.
> --
> Andres Pavez
> Cryptographic Key Manager
