Unbound validator module init fails: "unable to open var/root.key" #181

Open
jursed opened this issue Jul 10, 2024 · 0 comments

jursed commented Jul 10, 2024

Description
Container fails to start up due to Unbound DNSSEC validator module failing. Unbound claims that it can't access var/root.key. I haven't been using DNSSEC on the clients anyway (yet), however, I have been using this exact same Unbound config with the exact same Unbound image on a different server, and had no such issues.

Moreover, the Docker volume is mounted as read-write and there is initially no var/ at all. The unbound.sh script does the right thing in this situation:

root@065a251447a0:/opt/unbound/etc/unbound/var# ls -la .
total 12
drwx------ 2 _unbound _unbound 4096 Jul 10 20:08 .
drwxr-xr-x 1 root     root     4096 Jul 10 20:09 ..
-rw-r--r-- 1 root     root       83 Jul 10 20:08 root.key

A workaround is to turn off DNSSEC by deleting the auto-trust-anchor-file directive, after which Unbound loads without any problems. But I'd prefer to eventually get back to a DNSSEC-validated setup, at which point I expect that this will reappear.

Any ideas?

Error messages

unbound  | [1720637715] unbound[1:0] notice: init module 1: validator
unbound  | [1720637715] unbound[1:0] error: unable to open var/root.key for reading: Permission denied
unbound  | [1720637715] unbound[1:0] error: error reading auto-trust-anchor-file: var/root.key
unbound  | [1720637715] unbound[1:0] error: validator: error in trustanchors config
unbound  | [1720637715] unbound[1:0] error: validator: could not apply configuration settings.
unbound  | [1720637715] unbound[1:0] error: module init for module validator failed
unbound  | [1720637715] unbound[1:0] fatal error: failed to setup modules

To Reproduce

  1. Environment:
    • Unbound image: 1.20.00 (9bd7e8b4e75d)
    • Docker 27.0.3 (build 7d4bcd8)
    • Docker Compose 2.28.1
    • Host OS: Ubuntu Server 24.04
  2. Docker Compose file:
---
services:
  unbound:
    image: "mvance/unbound:1.20.0"
    container_name: unbound
    volumes:
      - /root/docker/unbound/config:/opt/unbound/etc/unbound/
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    restart: unless-stopped
  3. Unbound config files:
    • The config file is redacted for brevity. Vast majority of settings are left as default.
    • The local-zone.conf and forward-records.conf files contain just forward-zone, forward-addr, local-zone, local-data and local-data-ptr.
    • The indentation is correct and the whole config file with all the includes passes the syntax check.
server:
    # ...
    directory: "/opt/unbound/etc/unbound"
    username: "_unbound"
    # ...
    auto-trust-anchor-file: "var/root.key"
    chroot: "/opt/unbound/etc/unbound"
    # ...
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # ...
    include: /opt/unbound/etc/unbound/local-zone.conf
    include: /opt/unbound/etc/unbound/forward-records.conf
remote-control:
    control-enable: no
  4. Directory structure:
├── config
│   ├── dev
│   │   ├── null
│   │   ├── random
│   │   └── urandom
│   ├── forward-records.conf
│   ├── local-zone.conf
│   ├── root.hints
│   ├── unbound.conf
│   └── unbound.pid
└── docker-compose.yml
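A check for the permission problem described in this issue, added here as an example and not part of the mvance/unbound image or the reporter's setup: it reads the directory:, username: and auto-trust-anchor-file: settings from an unbound.conf and reports whether that account can enter var/ and both read and write root.key (unbound rewrites the anchor file when it performs RFC 5011 rollovers, so read-only is not enough). It assumes GNU stat and resolves the anchor path relative to directory:, which in this config is the same path as the chroot.

```shell
#!/bin/sh
# Hypothetical helper, not part of the mvance/unbound image: check that the
# auto-trust-anchor-file in an unbound.conf is usable by the unprivileged
# "username:" account. Assumes GNU stat and that the anchor path is relative
# to the "directory:" setting (here equal to the chroot). Only owner and
# "other" permission bits are examined; group membership is ignored.

conf_value() {            # $1 = config file, $2 = key; prints last value, unquoted
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"'
}

anchor_path() {           # $1 = config file; prints the resolved anchor path
    anchor=$(conf_value "$1" auto-trust-anchor-file)
    case $anchor in
        /*) printf '%s\n' "$anchor" ;;
        *)  printf '%s/%s\n' "$(conf_value "$1" directory)" "$anchor" ;;
    esac
}

perm_ok() {               # $1 = user, $2 = needed bits (r=4 w=2 x=1), $3 = path
    owner=$(stat -c '%U' "$3" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$3"); mode=${mode#"${mode%???}"}   # keep the rwx digits
    if [ "$owner" = "$1" ]; then digit=${mode%??}; else digit=${mode#??}; fi
    [ $(( digit & $2 )) -eq "$2" ]
}

check_anchor() {          # $1 = unbound.conf, $2 = service user (optional)
    user=${2:-$(conf_value "$1" username)}
    path=$(anchor_path "$1")
    dir=$(dirname "$path")
    rc=0
    if ! perm_ok "$user" 1 "$dir"; then
        echo "FAIL: $user cannot enter $dir"; rc=1
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL: $path missing (unbound.sh normally seeds it)"; rc=1
    elif ! perm_ok "$user" 6 "$path"; then
        # unbound must also write this file when it applies RFC 5011 key rollovers
        echo "FAIL: $user cannot read/write $path ($(stat -c '%U %a' "$path"))"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path readable and writable by $user"
    return "$rc"
}
```

Run it on the host against the mounted config directory, e.g. check_anchor /root/docker/unbound/config/unbound.conf, after rewriting directory: to the host-side path; a root-owned 644 root.key inside a 700 _unbound var/ as shown in the ls output above is reported as not writable by _unbound.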