RFC5011 : 30days add-holddown timer

Hi,

  At the moment, unbound-anchor(8) creates a root.key file that contains
the new KSK trust anchor in the ADDPEND state. Does it take 30 days to update
the new key’s state to VALID?

(If so, will a new Unbound installation after 11 Sep (30 days to the KSK roll)
fail to update its trusted set until the KSK roll?)

Regards,

Hi Daisuke HIGASHI,

Yes, that is a bug; it should not be in ADDPEND but in VALID. This was
caused by unbound checking the signature as well as the DS hash for the
installed keys. I have patched this and a new version is released
(1.6.5) for this fix.

Best regards, Wouter
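
The check below is an added example, not part of the thread and not Unbound's own code: it scans a root.key file for KSKs still in ADDPEND and reports whether the 30-day add hold-down ends before a given roll date. Assumptions: the `;;state=` / `;;lastchange=` comment layout, that the hold-down is counted from `lastchange`, the roll date of 11 Oct 2017 (the thread gives no year), and all key tags and timestamps in the sample, which are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

ADD_HOLDDOWN = timedelta(days=30)  # RFC 5011 add hold-down time from the thread

# Assumed roll date: 30 days after the "11 Sep" in the question (year assumed).
ROLL_DATE = datetime(2017, 10, 11, tzinfo=timezone.utc)

# Constructed sample modelled on the comments Unbound appends to each DNSKEY
# line in root.key (assumed layout). Key tags, key data and times are made up.
SAMPLE_ROOT_KEY = "\n".join([
    "; autotrust trust anchor file (constructed sample)",
    ". 172800 IN DNSKEY 257 3 8 PLACEHOLDERA= ;{id = 11111 (ksk), size = 2048b}"
    " ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1504224000",
    ". 172800 IN DNSKEY 257 3 8 PLACEHOLDERB= ;{id = 22222 (ksk), size = 2048b}"
    " ;;state=1 [ ADDPEND ] ;;count=2 ;;lastchange=1505952000",
    ". 172800 IN DNSKEY 257 3 8 PLACEHOLDERC= ;{id = 33333 (ksk), size = 2048b}"
    " ;;state=1 [ ADDPEND ] ;;count=5 ;;lastchange=1504224000",
])

LINE_RE = re.compile(
    r"\{id = (\d+) \(ksk\).*?;;state=\d+ \[\s*(\w+)\s*\].*?;;lastchange=(\d+)"
)


def pending_anchors(text, roll_date=ROLL_DATE):
    """Return (key_tag, valid_from, ready_before_roll) for each ADDPEND KSK."""
    result = []
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue  # whole-line comment, not a key record
        m = LINE_RE.search(line)
        if not m or m.group(2) != "ADDPEND":
            continue  # VALID and other states need no hold-down check
        entered = datetime.fromtimestamp(int(m.group(3)), tz=timezone.utc)
        valid_from = entered + ADD_HOLDDOWN
        result.append((int(m.group(1)), valid_from, valid_from <= roll_date))
    return result


if __name__ == "__main__":
    for tag, valid_from, ready in pending_anchors(SAMPLE_ROOT_KEY):
        verdict = "trusted before the roll" if ready else "NOT trusted at the roll"
        print(f"KSK {tag}: ADDPEND until {valid_from:%Y-%m-%d}, {verdict}")
```

A key reported as not trusted at the roll is the situation the question describes: a fresh installation made less than 30 days before the roll whose new KSK starts in ADDPEND.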