Consider not having custom trust-anchors in unbound

Currently we run unbound with custom trust anchors for torproject.org and 30.172.in-addr.arpa. This makes emergency manual key rollovers rather painful because the RFC5011 style updates unbound uses take 30 days before a new key is trusted. Running on untrusted key effectively breaks all lookups on these zones (this happened in #42308 (closed) ), making it a very effective weapon to shoot yourself in the foot.

I'm not sure why we use custom trust anchors, the only reason i can think of is mitigating against attacks that abuse access to TLD level DNSSEC keys. That said, to actually gain anything from such an attack you'd need to also MitM between our nodes and our nameservers and be able to forge SSL certificates or do really crazy things like DRBD hijacking (but then they get LUKS encrypted data) and even then it's not immediately clear how that could lead to serious compromise of our infra. If someone has those kinds of resources, there are easier ways to own us, so I don't think these custom trust anchors are worth the potential foot shooting.