root@c9:~# journalctl -u unbound.service reports:
Dec 19 15:24:56 c9 systemd[1]: Stopped unbound.service - Unbound DNS server.
Dec 19 15:24:56 c9 systemd[1]: Starting unbound.service - Unbound DNS server...
Dec 19 15:24:56 c9 unbound[8592]: [8592:0] notice: init module 0: subnetcache
Dec 19 15:24:56 c9 unbound[8592]: [8592:0] notice: init module 1: validator
Dec 19 15:24:56 c9 unbound[8592]: [8592:0] error: unable to open /var/lib/unbound/root.key for reading: No such file or directory
Dec 19 15:24:56 c9 unbound[8592]: [8592:0] error: error reading auto-trust-anchor-file: /var/lib/unbound/root.key
Dec 19 15:24:56 c9 unbound[8592]: [8592:0] error: validator: error in trustanchors config
Dec 19 15:24:56 c9 unbound[8592]: [8592:0] error: validator: could not apply configuration settings.
Dec 19 15:24:56 c9 unbound[8592]: [8592:0] error: module init for module validator failed
Dec 19 15:24:56 c9 unbound[8592]: [8592:0] fatal error: failed to setup modules
Dec 19 15:24:56 c9 systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Dec 19 15:24:56 c9 systemd[1]: unbound.service: Failed with result 'exit-code'.
Dec 19 15:24:56 c9 systemd[1]: Failed to start unbound.service - Unbound DNS server.
Dec 19 15:24:56 c9 systemd[1]: unbound.service: Scheduled restart job, restart counter is at 5.
Dec 19 15:24:57 c9 systemd[1]: Stopped unbound.service - Unbound DNS server.
Dec 19 15:24:57 c9 systemd[1]: unbound.service: Start request repeated too quickly.
Dec 19 15:24:57 c9 systemd[1]: unbound.service: Failed with result 'exit-code'.
Dec 19 15:24:57 c9 systemd[1]: Failed to start unbound.service - Unbound DNS server.
There is a similar problem reported in unbound previously: NLnetLabs/unbound#814
This is on Hetzner standard Debian 12.2 setup. apt package is:
root@c9:~# apt show unbound
Package: unbound
Version: 1.17.1-2+deb12u1
Priority: optional
Section: net
Maintainer: unbound packagers <unbound@packages.debian.org>
Installed-Size: 4,910 kB
Pre-Depends: init-system-helpers (>= 1.54~)
Depends: adduser, lsb-base (>= 3.0-6), libc6 (>= 2.36), libevent-2.1-7 (>= 2.1.8-stable), libnghttp2-14 (>= 1.3.0), libprotobuf-c1 (>= 1.0.1), libpython3.11 (>= 3.11.0), libssl3 (>= 3.0.0), libsystemd0
Recommends: dns-root-data
Suggests: apparmor, openssl
Enhances: munin-node
Homepage: https://www.unbound.net/
Tag: implemented-in::c, interface::daemon, network::server, protocol::dns,
role::program, security::authentication, security::cryptography,
security::privacy, use::checking
Download-Size: 945 kB
APT-Manual-Installed: yes
APT-Sources: http://deb.debian.org/debian bookworm/main amd64 Packages
Description: validating, recursive, caching DNS resolver
Unbound is a recursive-only caching DNS server which can perform DNSSEC
validation of results. It implements only a minimal amount of authoritative
service to prevent leakage to the root nameservers: forward lookups for
localhost, reverse for 127.0.0.1 and ::1, and NXDOMAIN for zones served by
AS112. Stub and forward zones are supported.
.
This package contains the unbound daemon.
On nine.testrun.org it works, the file /var/lib/unbound/root.key is there. Debian package installed is the same (maybe when we installed it, it was different):
root@nine:~# apt show unbound
Package: unbound
Version: 1.17.1-2+deb12u1
Priority: optional
Section: net
Maintainer: unbound packagers <unbound@packages.debian.org>
Installed-Size: 4,910 kB
Pre-Depends: init-system-helpers (>= 1.54~)
Depends: adduser, lsb-base (>= 3.0-6), libc6 (>= 2.36), libevent-2.1-7 (>= 2.1.8-stable), libnghttp2-14 (>= 1.3.0), libprotobuf-c1 (>= 1.0.1), libpython3.11 (>= 3.11.0), libssl3 (>= 3.0.0), libsystemd0
Recommends: dns-root-data
Suggests: apparmor, openssl
Enhances: munin-node
Homepage: https://www.unbound.net/
Tag: implemented-in::c, interface::daemon, network::server, protocol::dns,
role::program, security::authentication, security::cryptography,
security::privacy, use::checking
Download-Size: 945 kB
APT-Manual-Installed: yes
APT-Sources: http://mirror.hetzner.com/debian/packages bookworm/main amd64 Packages
Description: validating, recursive, caching DNS resolver
Unbound is a recursive-only caching DNS server which can perform DNSSEC
validation of results. It implements only a minimal amount of authoritative
service to prevent leakage to the root nameservers: forward lookups for
localhost, reverse for 127.0.0.1 and ::1, and NXDOMAIN for zones served by
AS112. Stub and forward zones are supported.
.
This package contains the unbound daemon.