RHEL-144823

Unbound-anchor changes the mode, user and group of root.key


    • Bug
    • Resolution: Duplicate
    • rhel-10.1.z
    • unbound
    • Low
    • rhel-net-perf

      What were you trying to do that didn't work?

      When unbound is installed, "/var/lib/unbound/root.key" is created as a symlink owned by root:

       

      lrwxrwxrwx. 1 root root 36 Aug 29 02:00 /var/lib/unbound/root.key -> ../../../etc/unbound/dnssec-root.key 

      Once the unbound service is started, it also starts the oneshot unbound-anchor.service, which removes the symlink and creates a new file with different mode, user and group:

      root@localhost:~# systemctl start unbound-anchor.service 
      root@localhost:~# ll /var/lib/unbound/root.key
      -rw-r--r--. 1 unbound unbound 1250 Jan 28 12:29 /var/lib/unbound/root.key 

      Due to this, when rpm --verify runs against unbound-libs, it reports a differing mode (M):

      root@localhost:~# rpm -V unbound-libs 
      SM5....T.  c /var/lib/unbound/root.key 

       

      What is the impact of this issue to you?

      Customers have security concerns when they notice the mode of the file has been modified, and it can also affect their automated checks.

      Please provide the package NVR for which the bug is seen:

      unbound-1.20.0-15.el10_1.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install unbound
      2. Run the unbound-anchor service:  "systemctl start unbound-anchor.service"
      3. Check the output of "rpm -V unbound-libs".
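
As an added example (not part of the original report, nor code from the unbound or rpm projects), this Python sketch decodes the nine-character result string that `rpm -V` prints, using the attribute order documented in the rpm man page, so an automated check can record exactly which attributes of root.key differ. The function name and the second sample line are constructed for illustration.

```python
import re

# Attribute order of the 9-character `rpm -V` result string (rpm man page).
# A letter/digit means "differs", "." means the test passed,
# "?" means the test could not be performed.
FLAGS = [
    ("S", "size"), ("M", "mode"), ("5", "digest"),
    ("D", "device"), ("L", "symlink target"), ("U", "user"),
    ("G", "group"), ("T", "mtime"), ("P", "capabilities"),
]
# Optional file-type marker printed between the result string and the path.
MARKERS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

LINE_RE = re.compile(
    r"^(?P<res>missing|[SM5DLUGTP.?]{9})\s+(?:(?P<mark>[cdglr])\s+)?(?P<path>/.*)$"
)

def parse_verify_line(line):
    """Return a dict describing one `rpm -V` output line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    res = m.group("res")
    if res == "missing":
        differs, unverified = ["missing"], []
    else:
        differs = [name for (ch, name), got in zip(FLAGS, res) if got == ch]
        unverified = [name for (_, name), got in zip(FLAGS, res) if got == "?"]
    return {
        "path": m.group("path"),
        "kind": MARKERS.get(m.group("mark"), "file"),
        "differs": differs,
        "unverified": unverified,
    }

if __name__ == "__main__":
    samples = [
        "SM5....T.  c /var/lib/unbound/root.key ",  # line quoted in this report
        "missing     c /etc/example.conf",          # constructed sample line
    ]
    for s in samples:
        print(parse_verify_line(s))
```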

              pemensik@redhat.com Petr Mensik
              rhn-support-jeperez Jesus Perez
              Petr Mensik Petr Mensik
              NetPerfServicesQe Bot NetPerfServicesQe Bot