unbound (package) and trust-anchor


When unbound (1.6.0 on 11-amd64) tries to fetch its trust-anchor, it contacts the root-servers.

In my setup, I need it to go through my upstream-caches (no other IPs permitted).

I've configured forwarders in an include-file - but these seem to be ignored for the trust-anchor initialization. They work for normal queries.

How is this supposed to be done?

Yes, this is what I have:

# unbound.conf
include: /usr/local/etc/unbound/forward.conf

# forward.conf (the include-file)
forward-zone:
   name: .
   forward-addr: a.a.a.a
   forward-addr: b.b.b.b

The forward-first thing is a default, according to the documentation.

Yes, only queries to the upstream-caches are allowed (firewall).
I can see in the ktrace output that it contacts the root-servers.

No, that's not an option.
I am the admin. These central upstream caches are going to be our choke-points for DNS-traffic. It's currently way too easy to create hidden data channels via DNS (used by APT-style trojans).

This is what is needed:
unbound_anchorflags="-C /usr/local/etc/unbound/unbound.conf"

Then it uses my forwarders.
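
A way to audit the setting the thread arrives at, as an added example that is not part of the original posts: it checks that unbound_anchorflags passes -C with a config whose forward-zone for "." lists forwarders, following include: lines. The function names, temporary paths and 192.0.2.x addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): check that unbound-anchor is pointed,
# via rc.conf, at a config that forwards "." to the upstream caches.
# Function names, temp paths and the 192.0.2.x addresses are assumptions.

# Print a config with its "include:" lines expanded (no glob support).
expand_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            include:*)
                inc=$(printf '%s\n' "$line" | sed -e 's/^include:[[:space:]]*//' -e 's/"//g')
                if [ -r "$inc" ]; then expand_conf "$inc"; fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# List the forward-addr values of the forward-zone whose name is ".".
root_forwarders() {
    expand_conf "$1" | awk '
        function flush() { if (root) printf "%s", buf; buf = ""; root = 0 }
        { sub(/#.*/, "") }
        /^[ \t]*[a-z-]+:[ \t]*$/ { flush(); in_fz = ($1 == "forward-zone:"); next }
        in_fz && $1 == "name:" { gsub(/"/, "", $2); if ($2 == ".") root = 1 }
        in_fz && $1 == "forward-addr:" { buf = buf $2 "\n" }
        END { flush() }'
}

# Print the file given after -C in unbound_anchorflags, if any.
anchor_conf() {
    sed -n 's/^unbound_anchorflags="\(.*\)"$/\1/p' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-C") print $(i + 1) }'
}

# Succeed only if the anchor fetch would see forwarders for the root zone.
anchor_uses_forwarders() {
    conf=$(anchor_conf "$1")
    [ -n "$conf" ] && [ -r "$conf" ] && [ -n "$(root_forwarders "$conf")" ]
}

# Constructed sample files standing in for rc.conf and the unbound configs.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'forward-zone:\n   name: .\n   forward-addr: 192.0.2.1\n   forward-addr: 192.0.2.2\n' > "$tmp/forward.conf"
printf 'server:\n   interface: 127.0.0.1\ninclude: %s\n' "$tmp/forward.conf" > "$tmp/unbound.conf"
printf 'unbound_enable="YES"\nunbound_anchorflags="-C %s"\n' "$tmp/unbound.conf" > "$tmp/rc.conf"
printf 'unbound_enable="YES"\n' > "$tmp/rc.nofwd"
anchor_uses_forwarders "$tmp/rc.conf" && echo "anchor fetch: forwarders $(root_forwarders "$tmp/unbound.conf" | tr '\n' ' ')"
anchor_uses_forwarders "$tmp/rc.nofwd" || echo "anchor fetch: no -C config, forwarders not used"
```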