ahh regitrar are like mafia, most of them ask money to add ...

Not mafia. They are members of the free world. Any one can ask money for their services.
Maybe you a have registrar with real people that actuality answer the phone and think with you ^^ That's worth some €.

Most registrars have a web interface to 'admin' your domain yourself. Or an API, or a web interface that uses their own API to update the registrar manipulations. No need to call them for that (and if you tried, you would be waiting for them, they have to answer the guy that bought a domain name before yesterday, uploaded a site yesterday and wanted to know why his site isn't listed rank 1 Google today).

I do rotate my KSK's manually every xx months using my registrars web interface because it's somewhat time critical over a several weeks period. ZSK can be done on the DNS server itself - I'm not using my domain registrar facilities. "bind" has been made to that just fine.
Here you have an out-phasing ZSK on one of my domains : "39459"' : ZSK's are easy to handle.
KSK's, on the other hand, ask for some concentration. An error WILL blow you site of the Internet and a "restart service" will not bring it back.

Btw : sorry - went out of subject .... which was
"/var/unbound/root.key" using PPPoE (using SG1100 ?) (using non-public pfSEnse firmware ?) refuses to refresh.

And even if they did, pretty sure netgate could afford the $40 ;)

Hey Netgate, Listening ? DNSSEC isn't 'hard' anymore.

I concur, not sure why netgate.com isn't signed..

the anchor is ok

Make a copy of it ! Or know that you can download it yourself from : https://www.iana.org/dnssec/files and as you can see it's really signed :)
Know that that anchor - root key file can change !
See the root key (anchor) here in action : every DNSSEC protected domain has this root key (20326) as the starting trusted key. Those who govern that root key can decide to rotate it - but this one is there to stay for a while.

Btw : for your mental health : try do some DNNSEC yourself on your domain(s) (when just DNS is simply boring) : you'll love it. When you've done that, go for DANE support. Your domain and certs will stand against any possible imaginable Internet fail and hack, as they said ...

Also : domains that host critical system update files should be DNSSEC protected. If not, a DNS spoof would get our routers update/upgrade code from .... somewhere else. That would kill that brand instantly. Hey Netgate, Listening ? DNSSEC isn't 'hard' anymore.

I had an older router/modem lying around, and I swapped the current one with the one had had lying around. Set it to bridge, started the PPPoE session and now everything seems to be working fine. Ran the unbound-anchor command and immediately got the response success: the anchor is ok

Don't know what causes this this to fail on the newer modem, but now it works and that's all I care about ;)

Thanks for your help!

you can use truss to see what's happening if it does not work
truss unbound-anchor -4 -a "/var/unbound/root.key"

unbound-anchor -a "/var/unbound/root.key"

Thanks for the fast reply.
It's the latest version: 2.4.4-RELEASE-p3 (arm64)
Unfortunately, the repair didn't help much.
I did get it to work in forward mode without DNSSEC, so I'm saved for the moment.
I'll put in a ticket to request the factory image to reinstall pfsense.

unbound-anchor -a "/var/unbound/root.key"

if it does not work open a ticket at https://go.netgate.com and ask for instruction on how to reinstall pfsense