From 1fdb448fc43bab0f4244144930cee087fefaf75c Mon Sep 17 00:00:00 2001
From: Timo Makinen <tmakinen@foo.sh>
Date: Sat, 24 May 2025 19:47:41 +0000
Subject: [PATCH] unbound: Download DNSSEC root key

---
 roles/unbound/tasks/main.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index a64720b..a9f4f6d 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -15,6 +15,15 @@
     creates: "{{ unbound_confdir }}/unbound_control.key"
   notify: Restart unbound
 
+- name: Update DNSSEC root key
+  ansible.builtin.command:
+    argv:
+      - unbound-anchor
+    creates: "{{ unbound_zonedir }}/root.key"
+  register: result
+  failed_when: result.rc not in [0, 1]
+  notify: Restart unbound
+
 - name: Copy zone files
   ansible.builtin.copy:
     dest: "{{ unbound_zonedir }}/{{ item }}"