diff --git a/dlv.isc.org.key b/dlv.isc.org.key
index ddac948..ab8ca9c 100644
--- a/dlv.isc.org.key
+++ b/dlv.isc.org.key
@@ -1,2 +1,3 @@
-; https://secure.isc.org/ops/dlv/dlv.isc.org.key
+; https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
+; or call:   dig dlv.isc.org. dnskey|grep "257 "
 dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
diff --git a/libunbound-devel-mini.spec b/libunbound-devel-mini.spec
index d7265d9..664741d 100644
--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libunbound-devel-mini
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
diff --git a/root.anchor b/root.anchor
index 98ca2ff..9b9cea2 100644
--- a/root.anchor
+++ b/root.anchor
@@ -1 +1,2 @@
+.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
 .	98799	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
diff --git a/root.key b/root.key
index bcc56a8..0a54815 100644
--- a/root.key
+++ b/root.key
@@ -1,6 +1,8 @@
+; https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
 ; // The root key in bind format. This can be read by most tools, including
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+; // first key 19036 (2010), second key 20326 (key-rollover 2017/2018)
 trusted-keys {
 "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
-
+"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
 };
diff --git a/unbound.changes b/unbound.changes
index 0a6c48b..24014a8 100644
--- a/unbound.changes
+++ b/unbound.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon May 28 16:44:10 UTC 2018 - opensuse@dstoecker.de
+
+- add upcomming key rollover trust anchor
+- make trust anchor files world readable - these files are open
+  knowledge and will be used by other software packages
+
 -------------------------------------------------------------------
 Thu May  3 16:38:07 UTC 2018 - michael@stroeder.com
 
diff --git a/unbound.spec b/unbound.spec
index e8f505d..39d2355 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package unbound
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -420,10 +420,10 @@ systemd-tmpfiles --create  %{_tmpfilesdir}/unbound.conf  || :
 %config %{_sysconfdir}/%{name}/icannbundle.pem
 %config %{_sysconfdir}/cron.d/unbound-anchor
 %dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
-%attr(0640,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
-%attr(0640,root,unbound)    %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
+%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
+%attr(0644,root,unbound)    %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0640,root,unbound)    %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,unbound)    %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %{_mandir}/man8/unbound-anchor.8*
 %doc doc/README doc/LICENSE