I am trying to make a small tutorial for different resolvers on how to check that the Root KSK is updated.
How can I check that for Knot resolver?
I wonder. We have an automatic check which should detect it and log a warning during startup by default:
log_warn(ffi.C.LOG_GRP_TAUPDATE, 'you need to update package with trust anchors in "%s" before it breaks', file_name)
So maybe that's the best way. Knot Resolver is normally packaged to either (1) use root trust anchors shipped with it - in which case users should be fine unless using a rather old version (which will have security issues anyway). As for the currently new KSK, we were adding that in summer 2024.
Or (2) it uses root trust anchors which have a separate package in that distro (e.g. Debian and derivatives), in which case I really hope that the distro packagers won't forget, especially when speaking of long-term-supported distros (say Ubuntu 24.04).
--Vladimir
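
For the tutorial, a complementary check is to list the root key tags present in the trust anchor file itself. The sketch below is an added example, not Knot Resolver code; it assumes the file holds one root DS or DNSKEY record per line in zone-file format, and that 20326 (KSK-2017) and 38696 (KSK-2024) are the key tags to look for, which should be confirmed against IANA's published root anchors.

```python
import base64

def dnskey_tag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(key_b64))
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def root_key_tags(text):
    """Return the key tags of root (".") DS and KSK DNSKEY records in text."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        if not fields or fields[0] != ".":
            continue
        # TTL and class are optional, so search for the record type.
        for i, field in enumerate(fields[1:], 1):
            if field.upper() in ("DS", "DNSKEY"):
                rtype, rdata = field.upper(), fields[i + 1:]
                break
        else:
            continue
        if len(rdata) < 4:
            continue                              # malformed record, skip
        if rtype == "DS":
            tags.add(int(rdata[0]))               # DS carries the tag directly
        elif int(rdata[0]) & 0x0001:              # SEP bit set: a KSK
            tags.add(dnskey_tag(int(rdata[0]), int(rdata[1]),
                                int(rdata[2]), "".join(rdata[3:])))
    return tags

def missing_tags(text, expected):
    """Expected key tags that the trust anchor text does not contain."""
    return sorted(set(expected) - root_key_tags(text))

# Constructed sample: the digest is a placeholder and AQAB is a toy key.
SAMPLE = """\
; constructed trust anchor file for illustration
. IN DS 20326 8 2 0000000000000000000000000000000000000000000000000000000000000000
. 172800 IN DNSKEY 257 3 8 AQAB ; toy KSK
. IN DNSKEY 256 3 8 AQAB ; ZSK, ignored
"""

if __name__ == "__main__":
    # Assumed tags: 20326 = KSK-2017, 38696 = KSK-2024.
    print("missing:", missing_tags(SAMPLE, [20326, 38696]))
```

A matching key tag only shows that a record with that tag is present; the digest or key material still has to match what IANA publishes.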