From reading the documentation, the difference between trust-anchor-file and auto-trust-anchor-file is that the former is manually managed, the latter open to Automated Updates (RFC 5011) management - is that correct?
Is the use of trust-anchor-file for the public root zone KSK popular? Do folks use it much at all (regardless of zone)? The same for trust-anchor statements, which appear to be in-line of the configuration file.
I'm writing a howto to use an upcoming ICANN-provided testbed for Automated Updates testing. I'm not sure if I need to cover cases where someone currently uses unbound in a manually-managed trust anchor set manner. I'm prompted to ask because I haven't seen many training materials for unbound that feature the manual trust anchor database management options.
Hi, Ed:
We ship the Debian package of unbound with an auto-trust-anchor-file
config for the root zone in the default configuration:
http://sources.debian.net/src/unbound/1.6.0-3/debian/unbound.conf.d/root-auto-trust-anchor-file.conf/
I think we've been shipping the root anchor with an
"auto-trust-anchor-file" directive in the default config for around five
years or so.
Debian is the upstream for Ubuntu, which together are pretty popular. If
you also look at the package defaults for Fedora (which is also used as
the upstream for RHEL) you'd probably be covering 80-90% or so of the
Linux distributions by usage.
...
Thanks...I was waiting to see if any of the other 20-10% spoke up. 
Hi Ed -
I currently maintain the Unbound package for LEDE / OpenWrt. On LEDE
17.01 we have Unbound configured to not only use RFC5011, but we have
some scripting to keep it from cooking through flash. Unbound is rather
busy maintaining the key, so we let it spin its wheels on tmpfs (mounted
/var/). We then copy back to flash on longer intervals. The user
feedback I get is that DNSSEC and home-owned recursion is an important
feature for them. From the tone of some feedback, I could imply some
take issue with their ISP practices in DNS.
- Eric
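
The arrangement Eric describes (unbound's auto-trust-anchor-file kept on tmpfs, copied back to flash on a long interval) could be implemented as follows. This is an added example, not the LEDE/OpenWrt package's script; the paths, function names and the rule for which comment lines count as probe timestamps are assumptions.

```shell
#!/bin/sh
# Added example, not the LEDE/OpenWrt package script. Paths are hypothetical.
FLASH_KEY="${FLASH_KEY:-/etc/unbound/root.key}"     # persistent copy on flash
TMPFS_KEY="${TMPFS_KEY:-/var/lib/unbound/root.key}" # auto-trust-anchor-file target

# Usable anchor file: non-empty and holding at least one DNSKEY or DS record.
anchor_ok() {
    [ -s "$1" ] && grep -Eq '[[:space:]](DNSKEY|DS)[[:space:]]' "$1"
}

# Anchor content minus probe bookkeeping. Assumption: lines starting with
# ";;last_" or ";;next_probe_time" only carry timestamps of RFC 5011 probes.
anchor_state() {
    grep -Ev '^;;(last_|next_probe_time)' "$1"
}

# At boot: seed tmpfs from flash so unbound resumes from the saved state.
restore_anchor() {
    anchor_ok "$FLASH_KEY" || return 1
    mkdir -p "$(dirname "$TMPFS_KEY")" && cp -p "$FLASH_KEY" "$TMPFS_KEY"
}

# On a long interval (e.g. cron): write flash only if keys or key states changed.
# Returns 0 = flash written, 1 = unchanged, 2 = tmpfs copy unusable, flash kept.
persist_anchor() {
    anchor_ok "$TMPFS_KEY" || return 2
    if [ -f "$FLASH_KEY" ] &&
       [ "$(anchor_state "$TMPFS_KEY")" = "$(anchor_state "$FLASH_KEY")" ]; then
        return 1
    fi
    # Write beside the target, then rename, so an interrupted copy does not
    # leave a truncated anchor in place of the last good one.
    cp "$TMPFS_KEY" "$FLASH_KEY.new" && mv -f "$FLASH_KEY.new" "$FLASH_KEY"
}
```

Refusing to persist an empty or record-less file matters here: a flash copy that is stale still validates until the next KSK roll, whereas a truncated one breaks DNSSEC validation at the next boot.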