diff --git a/mkroot.sh b/mkroot.sh
deleted file mode 100755
index eb6d5b3..0000000
--- a/mkroot.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/sh
-
-SOURCE="/usr/share/dns-root-data/root.key"
-DEST="${1:-root.key}"
-
-mk_key() {
-echo "# Generated from $SOURCE"
-echo "# Use /var/lib/unbound/root.key instead."
-echo "trusted-keys {"
-while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
-echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
-done < "$SOURCE"
-echo "};"
-}
-
-mk_key > "$DEST"
-touch -r "$SOURCE" "$DEST"
diff --git a/nlnetlabs2026-g2.asc b/nlnetlabs2026-g2.asc
deleted file mode 100644
index a8f7de7..0000000
--- a/nlnetlabs2026-g2.asc
+++ /dev/null
@@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE -50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz -0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D -+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z -Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ -SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO -gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM -LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi -S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl -eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+ -9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ -EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT -l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b -HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS -rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/ -OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K -vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja -eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+ -NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV -K6vVKMmB0qru6ERJ3g== -=4R8U ------END PGP PUBLIC KEY BLOCK----- diff --git a/plans/all.fmf b/plans/all.fmf index 538bd41..cd001bd 100644 --- a/plans/all.fmf +++ b/plans/all.fmf @@ -1,7 +1,7 @@ summary: Test plan with all Fedora tests discover: how: fmf - url: https://gitlab.com/redhat/centos-stream/tests/unbound.git + url: https://src.fedoraproject.org/tests/unbound.git execute: how: tmt diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf index 6ffbfd1..10f167c 100644 --- a/plans/tier1-public.fmf +++ b/plans/tier1-public.fmf 
@@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
 how: fmf
- url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
+ url: https://src.fedoraproject.org/tests/unbound.git
 filter: 'tier: 1'
 execute:
 how: tmt
diff --git a/root.anchor b/root.anchor
index 1559542..c78ee03 100644
--- a/root.anchor
+++ b/root.anchor
@@ -1,2 +1 @@
-. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
diff --git a/root.key b/root.key
new file mode 100644
index 0000000..6c5622c
--- /dev/null
+++ b/root.key
@@ -0,0 +1,6 @@
+; // The root key in bind format. This can be read by most tools, including
+; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+trusted-keys {
+"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
+
+};
diff --git a/sources b/sources
index 7d4806d..d2b95bf 100644
--- a/sources
+++ b/sources
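Review bot: In root.anchor the DNSKEY line marked `id = 38696 (ksk)` is dropped, and the new root.key lists only key id 20326 inside `trusted-keys`, so every trust anchor shipped by the package now rests on a single root KSK. If 38696 is the successor root key, a resolver that starts from these packaged files and has not yet refreshed its anchor (unbound-anchor or RFC 5011 tracking) would fail DNSSEC validation once the root zone is signed with it. I would keep the 38696 line in root.anchor and add the matching entry to `trusted-keys` in root.key. The unbound.spec install hunk copies root.key verbatim (`install -m 0644 %{SOURCE5} ...`), so the same gap reaches /etc/unbound.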
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
-SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
+SHA512 (unbound-1.24.1.tar.gz) = 0332053ff6b2a2b6743fe33460950780a26e2cad236d21a9219e7b1a04576a9887342d59bc244c02c405e93812168175bc3dbe5481a201296899e77cbd201ea5
+SHA512 (unbound-1.24.1.tar.gz.asc) = 64f7baa0af069093f2d2a52d00fa41c26dd3a4a8eb39fbf90ae7355725121583f7dcd79257c064fa13d05f7bb0c602fe30104859a41164a81664cd4c1e275f30
diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf
deleted file mode 100644
index d71ea46..0000000
--- a/tmpfiles-unbound-libs.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-d /var/lib/unbound 0755 unbound unbound -
-L /var/lib/unbound/root.key - - - - ../../../etc/unbound/dnssec-root.key
diff --git a/unbound-1.24-quic-on-demand-only.patch b/unbound-1.24-quic-on-demand-only.patch
deleted file mode 100644
index e074ab0..0000000
--- a/unbound-1.24-quic-on-demand-only.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001
-From: Petr Mensik
-Date: Mon, 24 Nov 2025 13:44:14 +0100
-Subject: [PATCH] Do not initialize quic_table unless it is enabled
-
-Fedora in FIPS mode might fail to initialize ngtcp2 library, because
-some ciphers desired are not available.
-
-Make it possible to skip initialization by setting explicitly quic_port
-to 0. Unless we have some listeners for port 853 configured, skip its
-initialization as well.
-
-Related: https://pagure.io/freeipa/issue/9877
----
- daemon/daemon.c | 14 +++++++++-----
- services/listen_dnsport.c | 14 +++++++++++---
- util/configparser.y | 15 +++++++++------
- util/netevent.c | 3 +++
- 4 files changed, 32 insertions(+), 14 deletions(-)
-
-diff --git a/daemon/daemon.c b/daemon/daemon.c
-index f882bb9ad..a9cc25c67 100644
---- a/daemon/daemon.c
-+++ b/daemon/daemon.c
-@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon)
- verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
-
- #ifdef HAVE_NGTCP2
-- daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
-- if(!daemon->doq_table)
-- fatal_exit("could not create doq_table: out of memory");
-+ if (cfg_has_quic(daemon->cfg)) {
-+ daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
-+ if(!daemon->doq_table)
-+ fatal_exit("could not create doq_table: out of memory");
-+ }
- #endif
-
- daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
-@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon)
- daemon->dnscenv = NULL;
- #endif
- #ifdef HAVE_NGTCP2
-- doq_table_delete(daemon->doq_table);
-- daemon->doq_table = NULL;
-+ if (daemon->doq_table) {
-+ doq_table_delete(daemon->doq_table);
-+ daemon->doq_table = NULL;
-+ }
- #endif
- daemon->cfg = NULL;
- }
-diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
-index f7fcca194..ab8f1ba72 100644
---- a/services/listen_dnsport.c
-+++ b/services/listen_dnsport.c
-@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
- cp = comm_point_create_udp(base, ports->fd,
- front->udp_buff, ports->pp2_enabled, cb,
- cb_arg, ports->socket);
-- } else if(ports->ftype == listen_type_doq) {
-+ } else if(ports->ftype == listen_type_doq && doq_table) {
- #ifndef HAVE_NGTCP2
- log_warn("Unbound is not compiled with "
- "ngtcp2. This is required to use DNS "
-@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void)
- struct doq_table*
- doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
- {
-- struct doq_table* table = calloc(1, sizeof(*table));
-+ struct doq_table* table;
-+
-+ if (!cfg->quic_port)
-+ return NULL;
-+ table = calloc(1, sizeof(*table));
- if(!table)
- return NULL;
- #ifdef USE_NGTCP2_CRYPTO_OSSL
-@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg)
- {
- struct doq_table* table = (struct doq_table*)arg;
- struct doq_conn* conn;
-- if(!node)
-+ if(!node || !table)
- return;
- conn = (struct doq_conn*)node->key;
- if(conn->timer.timer_in_list) {
-@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv)
- {
- struct doq_timer key;
- struct rbnode_type* node;
-+ log_assert(table != NULL);
- memset(&key, 0, sizeof(key));
- key.time.tv_sec = tv->tv_sec;
- key.time.tv_usec = tv->tv_usec;
-@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen)
- key.node.key = &key;
- key.cid = (void*)data;
- key.cidlen = datalen;
-+ log_assert(table != NULL);
- node = rbtree_search(table->conid_tree, &key);
- if(node)
- return (struct doq_conid*)node->key;
-@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table,
- struct config_file* cfg, size_t mem)
- {
- size_t cur;
-+ if (!table)
-+ return 0;
- lock_basic_lock(&table->size_lock);
- cur = table->current_size;
- lock_basic_unlock(&table->size_lock);
-diff --git a/util/configparser.y b/util/configparser.y
-index bf9c196fc..f159b8cec 100644
---- a/util/configparser.y
-+++ b/util/configparser.y
-@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
- server_quic_port: VAR_QUIC_PORT STRING_ARG
- {
- OUTYY(("P(server_quic_port:%s)\n", $2));
-+ if(atoi($2) == 0 && strcmp($2,"0")!=0)
-+ yyerror("port number expected");
-+ else {
-+ cfg_parser->cfg->quic_port = atoi($2);
- #ifndef HAVE_NGTCP2
-- log_warn("%s:%d: Unbound is not compiled with "
-- "ngtcp2. This is required to use DNS "
-- "over QUIC.", cfg_parser->filename, cfg_parser->line);
-+ if (cfg_parser->cfg->quic_port != 0)
-+ log_warn("%s:%d: Unbound is not compiled with "
-+ "ngtcp2. This is required to use DNS "
-+ "over QUIC.", cfg_parser->filename, cfg_parser->line);
- #endif
-- if(atoi($2) == 0)
-- yyerror("port number expected");
-- else cfg_parser->cfg->quic_port = atoi($2);
-+ }
- free($2);
- };
- server_quic_size: VAR_QUIC_SIZE STRING_ARG
-diff --git a/util/netevent.c b/util/netevent.c
-index aedcb5e07..93db16675 100644
---- a/util/netevent.c
-+++ b/util/netevent.c
-@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd,
- {
- size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */
- struct doq_server_socket* doq_socket;
-+ log_assert(doq_table != NULL);
- doq_socket = calloc(1, sizeof(*doq_socket));
- if(!doq_socket) {
- return NULL;
-@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo)
- {
- struct doq_conn* conn;
- struct doq_conn_key key;
-+ log_assert(table != NULL);
- doq_conn_key_from_repinfo(&key, repinfo);
- lock_rw_rdlock(&table->lock);
- conn = doq_conn_find(table, &key.paddr.addr,
-@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer,
- struct config_file* cfg)
- {
- #ifdef HAVE_NGTCP2
-+ log_assert(table != NULL);
- struct comm_point* c = (struct comm_point*)calloc(1,
- sizeof(struct comm_point));
- short evbits;
---
-2.52.0
-
diff --git a/unbound-1.24-swig-function.patch b/unbound-1.24-swig-function.patch
deleted file mode 100644
index 3257766..0000000
--- a/unbound-1.24-swig-function.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
-Date: Fri, 24 Oct 2025 20:20:50 +0200
-Subject: [PATCH] Use $action instead of $function in python SWIG interface
-
-$function is not supported since SWIG 4.4.0.
----
- libunbound/python/libunbound.i | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
-index dc12514..4576844 100644
---- a/libunbound/python/libunbound.i
-+++ b/libunbound/python/libunbound.i
-@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
- %{
- //printf("resolve_start(%lX)\n",(long unsigned int)arg1);
- Py_BEGIN_ALLOW_THREADS
-- $function
-+ $action
- Py_END_ALLOW_THREADS
- //printf("resolve_stop()\n");
- %}
---
-2.51.0
-
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index da88960..be28920 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@@ -14,16 +14,6 @@ diff --git a/doc/example.conf.in b/doc/example.conf.in
 index 59090c6..3a86809 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
-@@ -8,6 +8,9 @@
- # Use this anywhere in the file to include other text into this file.
- #include: "otherfile.conf"
-
-+# Default Fedora settings
-+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
-+
- # Use this anywhere in the file to include other text, that explicitly starts a
- # clause, into this file. Text after this directive needs to start a clause.
- #include-toplevel: "otherfile.conf"
 @@ -51,11 +51,19 @@ server:
 # specify 0.0.0.0 and ::0 to bind to all available interfaces.
 # specify every interface[@port] on a new 'interface:' labelled line.
@@ -83,10 +73,13 @@ index 59090c6..3a86809 100644 # tls-port: 853 # https-port: 443 # quic-port: 853 -@@ -1166,6 +1181,9 @@ remote-control: +@@ -1166,6 +1181,12 @@ remote-control: # unbound-control certificate file. # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem" - + ++# Default Fedora settings ++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf" ++ +# Stub and Forward zones +include: "@sysconfdir@/unbound/conf.d/*.conf" + diff --git a/unbound.spec b/unbound.spec index d173141..cff426f 100644 --- a/unbound.spec +++ b/unbound.spec @@ -4,10 +4,6 @@ %bcond_without dnstap %bcond_without systemd %bcond_without doh -%if 0%{?fedora} >= 43 && !0%{?rhel} -# Do not build with QUIC support in RHEL, until we have also client support. -%bcond_without ngtcp2 -%endif %if 0%{?rhel} && ! 0%{?epel} %bcond_with redis %else @@ -40,7 +36,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.24.2 +Version: 1.24.1 Release: %autorelease %{?extra_version:-e %{extra_version}} License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/ @@ -49,7 +45,7 @@ Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz Source1: unbound.service Source3: unbound.munin Source4: unbound_munin_ -Source5: mkroot.sh +Source5: root.key Source7: unbound-keygen.service Source8: tmpfiles-unbound.conf Source9: example.com.key @@ -62,8 +58,8 @@ Source15: unbound-anchor.timer Source16: unbound-munin.README Source17: unbound-anchor.service Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc -# https://nlnetlabs.nl/signing-keys/ -Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc +# source: https://nlnetlabs.nl/people/ +Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key Source20: unbound.sysusers Source21: remote-control.conf Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc 
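Review bot: The new `Source19` line in the `@@ -62,8 +58,8 @@` hunk of unbound.spec points at a keyserver lookup by 64-bit key ID (`search=0x9F6F1C2D7E045F8D`), and the comment above it names only a web page, so nothing in the spec records which exact key the committed keyring is expected to hold. Anyone refreshing wouter.nlnetlabs.nl.key from that URL has to accept whatever the server returns for the short identifier. I would record the full fingerprint next to it, for example `# Fingerprint: <FULL-40-HEX-FINGERPRINT> (cross-checked against https://nlnetlabs.nl/people/)`, and look the key up by that fingerprint instead of the key ID.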
@@ -74,14 +70,9 @@ Source26: remote-control-include.conf
 Source27: fedora-defaults.conf
 Source28: module-setup.sh
 Source29: unbound-initrd.conf
-Source30: tmpfiles-unbound-libs.conf
 # Downstream configuration changes
 Patch1: unbound-fedora-config.patch
-# https://github.com/NLnetLabs/unbound/pull/1331
-Patch2: unbound-1.24-swig-function.patch
-# https://github.com/NLnetLabs/unbound/pull/1381
-Patch3: unbound-1.24-quic-on-demand-only.patch
 BuildRequires: gcc, make
 BuildRequires: openssl-devel
@@ -93,9 +84,8 @@ BuildRequires: automake autoconf libtool
 BuildRequires: autoconf-archive
 # Regenerate config parser too
 BuildRequires: bison flex byacc
-BuildRequires: dns-root-data
-%if 0%{?fedora} || 0%{?rhel} >= 9
+%if 0%{?fedora}
 BuildRequires: gnupg2
 %endif
 %if 0%{with_python2}
@@ -121,9 +111,6 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
 %endif
-%if %{with ngtcp2}
-BuildRequires: ngtcp2-crypto-ossl-devel
-%endif
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -165,7 +152,7 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
 Recommends: %{name}-anchor
-Requires: dns-root-data
+%{?sysusers_requires_compat}
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@@ -225,8 +212,7 @@ Unbound dracut module allowing use of Unbound for name resolution in initramfs.
 %prep
-%if 0%{?fedora} || 0%{?rhel} >= 9
-# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key
+%if 0%{?fedora}
 %{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \
 %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
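Review bot: The `%prep` guard in the `@@ -225,8 +212,7 @@` hunk becomes `%if 0%{?fedora}`, so on RHEL builds neither `%{gpgverify}` call runs and the tarball is unpacked without its signature being checked; the `@@ -93,9 +84,8 @@` hunk narrows the guard around `BuildRequires: gnupg2` in the same way. Unless a reason exists outside the visible lines, I would keep `%if 0%{?fedora} || 0%{?rhel} >= 9` on both guards. The removed TODO was also the only explanation of the two-key fallback, so a comment above the calls such as `# Either release key (SOURCE22 or SOURCE19) is accepted because of the ||` would help the next maintainer. The `%prep` section continues outside the hunk.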
@@ -297,9 +283,6 @@ autoreconf -fiv
 %if %{with redis}
 --with-libhiredis \
 --enable-cachedb \
-%endif
-%if %{with ngtcp2}
- --with-libngtcp2 \
 %endif
 %{configure_args}
@@ -315,9 +298,6 @@ pushd %{dir_secondary}
 %endif
 %if %{with systemd}
 --enable-systemd \
-%endif
-%if %{with ngtcp2}
- --with-libngtcp2 \
 %endif
 %{configure_args}
@@ -360,20 +340,22 @@ done
 %endif
 # install streamtcp man page
-install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
-install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
+install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
-sh %{SOURCE5} root.key
-install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/
-ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key"
-ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key"
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
+install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
+# make initial key static
+pushd %{buildroot}%{_sharedstatedir}/unbound
+ KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
+ ln -s "$KEYPATH" root.key
+popd
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
@@ -413,6 +395,8 @@ mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
+%pre libs
+%sysusers_create_compat %{SOURCE20}
 %post
 %systemd_post unbound.service
@@ -440,13 +424,6 @@ fi
 %postun anchor
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
-%triggerun -- unbound < 1.23.1-4
-if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then
- # change permissions of existing key just once, where it were generated with wrong perms
- %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || :
-fi
-
-
 %check
 export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
 make check
@@ -522,11 +499,10 @@ popd
 %{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key
+%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
-%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key
new file mode 100644
index 0000000..603e620
--- /dev/null
+++ b/wouter.nlnetlabs.nl.key
@@ -0,0 +1,123 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE +SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6 +1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x +TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3 +l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE +qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX +Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG +x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF +WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC +/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed +hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB +zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC +ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v +HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh +XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2 +8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd +Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy +UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO +MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ +/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq +Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT +SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl +oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647 +Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB +AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf +bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq +4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h +ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP +L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD 
+DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN +e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH +T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S +/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4 +bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8 +OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0 +ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT +AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f +bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL +2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q +Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt +Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM +4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot +zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW +5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN +46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt +GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/ +JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K +lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7 +iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC +AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf +bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx +4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2 +bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ +GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59 +vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao ++Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ +/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv +aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1 +7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA 
+sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv +vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN +r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR +lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj +q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de +Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM +jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd// +Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd +7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW +Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL +i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY +ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV +H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY +AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud +V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz +gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW +DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt +PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C +ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat +xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw +UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL +2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG +oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB +2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N +Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf +bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4 +RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU +XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu +rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix +eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B 
+Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e +g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU +kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D +YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF +c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT +k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY +AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v +HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+ +VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL +Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG +0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4 +yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+ +v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g +ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes +G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy +RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi +1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa +7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB +CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c +LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO +bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645 +EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw +8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr +ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ +ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/ +s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd +HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ +9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y +p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA +5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q= +=Oqje +-----END PGP PUBLIC 
KEY BLOCK-----