unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org.
I am trying to test RFC 5011 capabilities by following these websites:
http://keyroll.systems
and
http://icksk.dnssek.info/fauxroot.html
The goal is to run unbound-anchor as a first step before trying to tune
unbound to either of those experiments.
Have you tried using /etc/hosts entries for data.iana.org pointing to
the others? 
More seriously, from the man page:
    -u name
        The server name, it connects to https://name. Specify without
        https:// prefix. The default is "data.iana.org". It connects
        to the port specified with -P. You can pass an IPv4 address or
        IPv6 address (no brackets) if you want.
    -x path
        The pathname to the root-anchors.xml file on the server. (forms
        URL with -u). The default is /root-anchors/root-anchors.xml.
    -s path
        The pathname to the root-anchors.p7s file on the server. (forms
        URL with -u). The default is /root-anchors/root-anchors.p7s.
        This file has to be a PKCS7 signature over the xml file, using
        the pem file (-c) as trust anchor.
Paul
Hi, Ed:
IIRC, the HTTPS fetch from data.iana.org in unbound-anchor is a
fallback, if the RFC 5011 stuff fails. You still ought to be able to
test the RFC 5011 stuff alone, if that's what you're trying to do.
I copied the root.db file at the bottom of
http://keyroll.systems/current into /tmp/root.db (would be nice if this
were downloadable as a separate file), and then tried unbound-anchor
with that root zone against the three most recent key files (at the
time) from the bottom of http://keyroll.systems/historic:
# Most recent key.
edmonds@chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+55039.key
edmonds@chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
/tmp/root.key has content
[1438110527] libunbound[7108:0] warning: root hints /tmp/root.db:16 skipping type SOA
[1438110527] libunbound[7108:0] warning: root hints /tmp/root.db:26 skipping type TXT
success: the anchor is ok
# Second most recent key.
edmonds@chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+27079.key
edmonds@chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
/tmp/root.key has content
[1438110543] libunbound[7113:0] warning: root hints /tmp/root.db:16 skipping type SOA
[1438110543] libunbound[7113:0] warning: root hints /tmp/root.db:26 skipping type TXT
success: the anchor is ok
# Third most recent key.
edmonds@chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+42496.key
edmonds@chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
/tmp/root.key has content
[1438110556] libunbound[7118:0] warning: root hints /tmp/root.db:16 skipping type SOA
[1438110556] libunbound[7118:0] warning: root hints /tmp/root.db:26 skipping type TXT
last successful probe: Tue Jul 28 15:09:16 2015
the last successful probe is recent
fail: the anchor is NOT ok and could not be fixed
edmonds@chase{0}:~$ cat /tmp/root.key
; autotrust trust anchor file
;;REVOKED
; The zone has all keys revoked, and is
; considered as if it has no trust anchors.
; the remainder of the file is the last probe.
; to restart the trust anchor, overwrite this file.
; with one containing valid DNSKEYs or DSes.
;;id: . 1
;;last_queried: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;last_success: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;next_probe_time: 0 ;;Wed Dec 31 19:00:00 1969
;;query_failed: 0
;;query_interval: 0
;;retry_time: 0
. 3600 IN DNSKEY 385 3 8 AwEAAct/IgeZiHmphBTGCJUxJNd1hy9uuqUJFtIsdJgyMr+LLnTjbqXkAF47BskHvSIrlQlIc/SDTDLtUktpM/IVWAjolSsP1+oNYwTi56WwW9nyc+vuJkPG8sxza1p7c7PoTegb2JPPEsmkLGMEDz0kliWHSZkinr9yB1/LxI3SBAYq17Od3CuIAWyU0F0pVxqJwJn/jWI4z1FdSwU9cGhx+/g8FvrnrOkOMyj08g4LlYf5PBpopB+Cz2JNOFa6DRr2WyUuVvbTa9ZnBCOTHcUsaoqVdvs3fihvcdpfWonHm7aJvyUnB3CiUQz/iIzvYTtx3+OF8+mOjy0qFX+Zk4KUg6U= ;{id = 42624 (ksk), size = 2048b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1438110556 ;;Tue Jul 28 15:09:16 2015
edmonds@chase{0}:~$
Hope this helps!
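
Added example, not part of the original thread or of unbound: a small Python check that reads an autotrust anchor file like the one shown above, reports the file-level `;;REVOKED` marker and each key's REVOKE flag, and recomputes the RFC 4034 key tag with and without that bit. This is why the key fetched as K.+008+42496.key appears in the rewritten file with flags 385 and id 42624. The function names and the sample file (with a 3-byte placeholder key) are constructed for illustration.

```python
import base64
import re

REVOKE = 0x0080  # RFC 5011 REVOKE flag bit
SEP = 0x0001     # secure entry point (KSK) flag bit

# Constructed sample in the autotrust layout shown above; the key material
# "AQID" is a 3-byte placeholder, not a real root key.
SAMPLE = """\
; autotrust trust anchor file
;;REVOKED
;;id: . 1
;;last_queried: 1438110556 ;;Tue Jul 28 15:09:16 2015
. 3600 IN DNSKEY 385 3 8 AQID ;{id = 2187 (ksk), size = 24b} ;;state=4 [ REVOKED ] ;;count=0
"""

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def parse_autotrust(text):
    """Return (all_revoked, keys) for an autotrust anchor file."""
    all_revoked = False
    keys = []
    for line in text.splitlines():
        if line.strip() == ";;REVOKED":
            all_revoked = True  # file-level marker: no usable anchors left
        m = re.match(r"\S+\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)(.*)", line)
        if not m:
            continue
        flags, proto, alg = (int(g) for g in m.group(1, 2, 3))
        pub = base64.b64decode(m.group(4))
        state = re.search(r";;state=(\d+) \[\s*(\w+)\s*\]", m.group(5))
        keys.append({
            "flags": flags,
            "revoked": bool(flags & REVOKE),
            "ksk": bool(flags & SEP),
            "tag": key_tag(flags, proto, alg, pub),
            # Tag the same key had before the REVOKE bit was set.
            "tag_before_revoke": key_tag(flags & ~REVOKE, proto, alg, pub),
            "state": state.group(2) if state else None,
        })
    return all_revoked, keys

if __name__ == "__main__":
    print(parse_autotrust(SAMPLE))
```

The REVOKE bit sits in the low byte of the flags field, so setting it adds 128 to the key tag sum, matching 42496 + 128 = 42624 in the session above.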