unbound don't promote DNSSEC under El Capitan

[macuserguru]

I had run unbound under Yosemite and DNSSEC works well.

Now after upgrade to El Capitan I delete all ports and reinstalled all new.

Now unbound don't promote DNSSEC but it runs well.

update root key works well to /opt/local/var/run/unbound/root.key

a part of unbound.conf

        chroot: "/opt/local/etc/unbound"
	username: "unbound"
	directory: "/opt/local/etc/unbound"	
	logfile: "/logs/unbound.log"
	use-syslog: no 	
	log-time-ascii: yes
	log-queries: yes
        root-hints: "/named.cache"
        harden-glue: yes
        harden-dnssec-stripped: yes

What could I do to resolve this?

[macuserguru]

Cc Me!

[danielluke (Daniel J. Luke)]

I can replicate this. If I uncomment auto-trust-anchor-file: "/opt/local/var/run/unbound/root.key" in the unbound.conf, and start with verbose/debug, I get the following in syslog:

Oct 13 15:55:00 xeon unbound[13437] <Notice>: [13437:0] notice: init module 0: validator
Oct 13 15:55:00 xeon unbound[13437] <Error>: [13437:0] error: unable to open /opt/local/var/run/unbound/root.key for reading: No such file or directory
Oct 13 15:55:00 xeon unbound[13437] <Error>: [13437:0] error: error reading auto-trust-anchor-file: /opt/local/var/run/unbound/root.key
Oct 13 15:55:00 xeon unbound[13437] <Error>: [13437:0] error: validator: error in trustanchors config
Oct 13 15:55:00 xeon unbound[13437] <Error>: [13437:0] error: validator: could not apply configuration settings.
Oct 13 15:55:00 xeon unbound[13437] <Error>: [13437:0] error: module init for module validator failed
Oct 13 15:55:00 xeon unbound[13437] <Critical>: [13437:0] fatal error: failed to setup modules

which is odd, because the file is there and readable by the 'unbound' user.