
From:
Florian Obser <florian@openbsd.org>
Subject:
add KSK2024 trust-anchor to unwind
To:
tech <tech@openbsd.org>
Date:
Thu, 08 Aug 2024 17:27:59 -0700



I've c&p the trust anchor out of the unbound pre-release and verified it
against https://www.iana.org/reports/2024/root-ksk-2024.pdf

While here switch the 2017 trust-anchor to the DS version for symmetry
reasons. It's functionally equivalent. It can be verified against
https://www.iana.org/reports/2017/root-ksk-2017.pdf

Alternatively, since the 2017 KSK is in use one can delete
/var/db/unwind.key, restart unwind(8) and observe that it fetches and
validates a new trust anchor and stores it in /var/db/unwind.key, but
this only works for the 2017 KSK.

OK?

diff --git frontend.c frontend.c
index ccbc977eb73..91a9ff1f008 100644
--- frontend.c
+++ frontend.c
@@ -260,6 +260,7 @@ frontend(int debug, int verbose)
 	TAILQ_INIT(&new_trust_anchors);
 
 	add_new_ta(&trust_anchors, KSK2017);
+	add_new_ta(&trust_anchors, KSK2024);
 
 	event_dispatch();
 
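Review bot: the new add_new_ta(&trust_anchors, KSK2024) call hands add_new_ta a DS-format string, and the companion unwind.h hunk also turns KSK2017 from a DNSKEY record into a DS record, yet nothing in this hunk touches the code that parses the anchor strings or consumes trust_anchors; the mail asserts the two forms are functionally equivalent, so the review should confirm add_new_ta (and the validator it feeds) already accepts DS records, or this change silently installs anchors it cannot use. A short comment above the two calls saying both KSKs are kept so validation keeps working across the rollover would also help the next reader.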
diff --git unwind.h unwind.h
index f21baf72970..43e4dbb8ea4 100644
--- unwind.h
+++ unwind.h
@@ -40,7 +40,8 @@
 #define OPT_NOACTION	0x00000008
 
 #define	ROOT_DNSKEY_TTL	172800	/* TTL from authority */
-#define	KSK2017		".	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
+#define	KSK2017		".	IN	DS	20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
+#define	KSK2024		". 	IN	DS	38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16"
 
 #define	IMSG_DATA_SIZE(imsg)	((imsg).hdr.len - IMSG_HEADER_SIZE)
 
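Review bot: the KSK2024 string has a stray space between the owner name and the following tab (`".<space><tab>IN<tab>DS ...`) where KSK2017 uses `".<tab>IN<tab>DS ...`; a whitespace-tolerant parser will not care, but it is inconsistent and looks like a paste slip, so suggest `#define KSK2024 ".	IN	DS	38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16"` to match the line above. Separately, replacing the DNSKEY form drops the explicit 172800 TTL from the anchor string while ROOT_DNSKEY_TTL (and its `/* TTL from authority */` comment) stays defined; confirm the TTL is still applied wherever the anchor is installed, or that the define has not just become dead.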


-- 
In my defence, I have been left unsupervised.
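The mail states that the DS form of the 2017 anchor is functionally equivalent to the DNSKEY form it replaces. That claim can be checked offline by recomputing the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4) from the DNSKEY string and comparing them with the DS string in the diff. The following Python script is an added example for this page, not code from the mail or from unwind(8); the record strings are copied from the unwind.h hunk, the `parse_dnskey`, `key_tag`, `dnskey_to_ds` and `ds_matches_dnskey` helpers are written here for illustration, and the KSK2024 DS can only be compared against IANA's publication, since its DNSKEY is not on the page.

```python
import base64
import hashlib

# Record strings copied from the unwind.h hunk in the mail (tabs replaced by
# spaces). The parser splits on any whitespace, so the ". \tIN" spacing of
# the KSK2024 line is irrelevant here.
KSK2017_DNSKEY = (
    ". 172800 IN DNSKEY 257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixH"
    "lFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WG"
    "e2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eN"
    "buv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6"
    "+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)
KSK2017_DS = (". IN DS 20326 8 2 "
              "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")
KSK2024_DS = (". IN DS 38696 8 2 "
              "683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16")

# DS digest types (RFC 4509 / RFC 6605); unwind's anchors use type 2.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    if name == ".":
        return b"\x00"          # the root is a single empty label
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line):
    """Return (owner, rdata) for a presentation-format DNSKEY record.

    Accepts an optional TTL and class between owner and type, as in
    the unwind.h string, and joins a base64 key split over several fields.
    """
    f = line.split()
    owner, i = f[0], 1
    if f[i].isdigit():          # optional TTL
        i += 1
    if f[i].upper() == "IN":    # optional class
        i += 1
    if f[i].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_ds(line):
    """Return (key_tag, algorithm, digest_type, digest) from a DS record."""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def dnskey_to_ds(line, digest_type=2):
    """Compute the DS tuple for a DNSKEY: digest = H(owner wire || DNSKEY RDATA)."""
    owner, rdata = parse_dnskey(line)
    if digest_type not in DIGESTS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches_dnskey(ds_line, dnskey_line):
    """True when the DS record is the one derived from this DNSKEY."""
    ds = parse_ds(ds_line)
    return ds == dnskey_to_ds(dnskey_line, ds[2])


if __name__ == "__main__":
    print("computed from DNSKEY:", dnskey_to_ds(KSK2017_DNSKEY))
    print("KSK2017 DS in diff  :", parse_ds(KSK2017_DS))
    print("equivalent:", ds_matches_dnskey(KSK2017_DS, KSK2017_DNSKEY))
    print("KSK2024 DS matches 2017 key:", ds_matches_dnskey(KSK2024_DS, KSK2017_DNSKEY))
```

The comparison is made on the parsed tuple rather than the raw string, so tab-versus-space differences between the two `#define` lines cannot mask or fake a match; only the key tag, algorithm, digest type and digest decide it. For the 2024 anchor the script can only confirm that the DS does not belong to the 2017 key; its digest has to be checked against the IANA report the mail links to.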