Hi, Agreed. This has already been updated upstream in Unbound: https://github.com/NLnetLabs/unbound/blob/master/smallapp/unbound-anchor.c Thanks, -- Andres Pavez Cryptographic Key Manager
On 6/10/26, 15:20, "Stuart Henderson" <[email protected] <mailto:[email protected]>> wrote: It's highly likely that there will be a new unbound release to update to before this is required, so I'd prefer to avoid complicating that update by adding a local patch that will need to be merged. On 2026/06/10 20:22, Andres Pavez wrote: > Greetings, > > IANA has published a new Certificate Authority (CA) certificate used to > validate the authenticity of the DNS root zone trust anchors file > (`root-anchors.xml`). > > The updated certificate bundle is available at: > > https://data.iana.org/root-anchors/icannbundle.pem > <https://data.iana.org/root-anchors/icannbundle.pem> > > This bundle currently contains both the existing certificate and its > replacement certificate. Signatures chaining to the new certificate are > expected to be published in 2028, at which point relying parties will need to > validate using the new certificate. > > Affected file(s): > > * > [usr.sbin/unbound/smallapp/unbound-anchor.c](https://urldefense.com/v3/__https://github.com/openbsd/src/blob/293caf0d3fbcaa7970dcbd7d26dff73771762c60/usr.sbin/unbound/smallapp/unbound-anchor.c__;!!PtGJab4!8moAWnAzP86bVOziAGfGuMGnSK5pvWTFvXmRya8iwF1hTbQ1JsKTKtaX-JSvg88qZURZ2KZC0cQpyFlhJR4TzqF1$ > > <https://urldefense.com/v3/__https://github.com/openbsd/src/blob/293caf0d3fbcaa7970dcbd7d26dff73771762c60/usr.sbin/unbound/smallapp/unbound-anchor.c__;!!PtGJab4!8moAWnAzP86bVOziAGfGuMGnSK5pvWTFvXmRya8iwF1hTbQ1JsKTKtaX-JSvg88qZURZ2KZC0cQpyFlhJR4TzqF1$> > [github[.]com]) > > Please review whether the trust anchor validation material in this repository > should be updated to include the current contents of `icannbundle.pem`. > > Considerations for updating the trust anchor are described in*DNSSEC Trust > Anchor Publication for the Root Zone* (RFC 9718). > > Thank you. > -- > Andres Pavez > Cryptographic Key Manager > > > >
smime.p7s
Description: S/MIME cryptographic signature
