Paul, you mentioned you have some binary to test this fix; could you share it? I can clearly see that libreswan is compiled with DNSSEC2017, but I would like to do more.
Created attachment 1330610
stand-alone test code for KSK behaviour
Test file to check secure resolving when either first or second (or both) added trust anchors are bad. This shows that resolving works securely before and after the KSK root key roll.
The code is basically pulled from lib/libswan/unbound.c as a stand-alone program testing the unbound_resolve() call used in libreswan.