diff --git a/mkroot.sh b/mkroot.sh
new file mode 100755
index 0000000..eb6d5b3
--- /dev/null
+++ b/mkroot.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+SOURCE="/usr/share/dns-root-data/root.key"
+DEST="${1:-root.key}"
+
+mk_key() {
+echo "# Generated from $SOURCE"
+echo "# Use /var/lib/unbound/root.key instead."
+echo "trusted-keys {"
+while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
+echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
+done < "$SOURCE"
+echo "};"
+}
+
+mk_key > "$DEST"
+touch -r "$SOURCE" "$DEST"
diff --git a/nlnetlabs2026-g2.asc b/nlnetlabs2026-g2.asc
new file mode 100644
index 0000000..a8f7de7
--- /dev/null
+++ b/nlnetlabs2026-g2.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE
+50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz
+0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D
++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z
+Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ
+SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO
+gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM
+LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi
+S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl
+eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+
+9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
+EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT
+l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b
+HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS
+rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/
+OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K
+vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja
+eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+
+NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV
+K6vVKMmB0qru6ERJ3g==
+=4R8U
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/plans/all.fmf b/plans/all.fmf
index cd001bd..538bd41 100644
--- a/plans/all.fmf
+++ b/plans/all.fmf
@@ -1,7 +1,7 @@
 summary: Test plan with all Fedora tests
 discover:
        how: fmf
-       url: https://src.fedoraproject.org/tests/unbound.git
+       url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
 execute:
        how: tmt
 
diff --git a/plans/tier1-public.fmf b/plans/tier1-public.fmf
index 10f167c..6ffbfd1 100644
--- a/plans/tier1-public.fmf
+++ b/plans/tier1-public.fmf
@@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
     how: fmf
-    url: https://src.fedoraproject.org/tests/unbound.git
+    url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
     filter: 'tier: 1'
 execute:
     how: tmt
diff --git a/root.anchor b/root.anchor
index c78ee03..1559542 100644
--- a/root.anchor
+++ b/root.anchor
@@ -1 +1,2 @@
+.	172800	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 .       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
diff --git a/root.key b/root.key
deleted file mode 100644
index 6c5622c..0000000
--- a/root.key
+++ /dev/null
@@ -1,6 +0,0 @@
-; // The root key in bind format. This can be read by most tools, including
-; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
-trusted-keys {
-"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
-
-};
diff --git a/sources b/sources
index d2b95bf..7d4806d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.24.1.tar.gz) = 0332053ff6b2a2b6743fe33460950780a26e2cad236d21a9219e7b1a04576a9887342d59bc244c02c405e93812168175bc3dbe5481a201296899e77cbd201ea5
-SHA512 (unbound-1.24.1.tar.gz.asc) = 64f7baa0af069093f2d2a52d00fa41c26dd3a4a8eb39fbf90ae7355725121583f7dcd79257c064fa13d05f7bb0c602fe30104859a41164a81664cd4c1e275f30
+SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
+SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
diff --git a/tmpfiles-unbound-libs.conf b/tmpfiles-unbound-libs.conf
new file mode 100644
index 0000000..d71ea46
--- /dev/null
+++ b/tmpfiles-unbound-libs.conf
@@ -0,0 +1,2 @@
+d /var/lib/unbound          0755  unbound unbound -
+L /var/lib/unbound/root.key -     -       -       -   ../../../etc/unbound/dnssec-root.key
diff --git a/unbound-1.24-quic-on-demand-only.patch b/unbound-1.24-quic-on-demand-only.patch
new file mode 100644
index 0000000..e074ab0
--- /dev/null
+++ b/unbound-1.24-quic-on-demand-only.patch
@@ -0,0 +1,171 @@
+From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 24 Nov 2025 13:44:14 +0100
+Subject: [PATCH] Do not initialize quic_table unless it is enabled
+
+Fedora in FIPS mode might fail to initialize ngtcp2 library, because
+some ciphers desired are not available.
+
+Make it possible to skip initialization by setting explicitly quic_port
+to 0. Unless we have some listeners for port 853 configured, skip its
+initialization as well.
+
+Related: https://pagure.io/freeipa/issue/9877
+---
+ daemon/daemon.c           | 14 +++++++++-----
+ services/listen_dnsport.c | 14 +++++++++++---
+ util/configparser.y       | 15 +++++++++------
+ util/netevent.c           |  3 +++
+ 4 files changed, 32 insertions(+), 14 deletions(-)
+
+diff --git a/daemon/daemon.c b/daemon/daemon.c
+index f882bb9ad..a9cc25c67 100644
+--- a/daemon/daemon.c
++++ b/daemon/daemon.c
+@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon)
+ 	verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
+ 
+ #ifdef HAVE_NGTCP2
+-	daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
+-	if(!daemon->doq_table)
+-		fatal_exit("could not create doq_table: out of memory");
++	if (cfg_has_quic(daemon->cfg)) {
++		daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
++		if(!daemon->doq_table)
++			fatal_exit("could not create doq_table: out of memory");
++	}
+ #endif
+ 	
+ 	daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
+@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon)
+ 	daemon->dnscenv = NULL;
+ #endif
+ #ifdef HAVE_NGTCP2
+-	doq_table_delete(daemon->doq_table);
+-	daemon->doq_table = NULL;
++	if (daemon->doq_table) {
++		doq_table_delete(daemon->doq_table);
++		daemon->doq_table = NULL;
++	}
+ #endif
+ 	daemon->cfg = NULL;
+ }
+diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
+index f7fcca194..ab8f1ba72 100644
+--- a/services/listen_dnsport.c
++++ b/services/listen_dnsport.c
+@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
+ 			cp = comm_point_create_udp(base, ports->fd,
+ 				front->udp_buff, ports->pp2_enabled, cb,
+ 				cb_arg, ports->socket);
+-		} else if(ports->ftype == listen_type_doq) {
++		} else if(ports->ftype == listen_type_doq && doq_table) {
+ #ifndef HAVE_NGTCP2
+ 			log_warn("Unbound is not compiled with "
+ 				"ngtcp2. This is required to use DNS "
+@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void)
+ struct doq_table*
+ doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
+ {
+-	struct doq_table* table = calloc(1, sizeof(*table));
++	struct doq_table* table;
++
++	if (!cfg->quic_port)
++		return NULL;
++	table = calloc(1, sizeof(*table));
+ 	if(!table)
+ 		return NULL;
+ #ifdef USE_NGTCP2_CRYPTO_OSSL
+@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg)
+ {
+ 	struct doq_table* table = (struct doq_table*)arg;
+ 	struct doq_conn* conn;
+-	if(!node)
++	if(!node || !table)
+ 		return;
+ 	conn = (struct doq_conn*)node->key;
+ 	if(conn->timer.timer_in_list) {
+@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv)
+ {
+ 	struct doq_timer key;
+ 	struct rbnode_type* node;
++	log_assert(table != NULL);
+ 	memset(&key, 0, sizeof(key));
+ 	key.time.tv_sec = tv->tv_sec;
+ 	key.time.tv_usec = tv->tv_usec;
+@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen)
+ 	key.node.key = &key;
+ 	key.cid = (void*)data;
+ 	key.cidlen = datalen;
++	log_assert(table != NULL);
+ 	node = rbtree_search(table->conid_tree, &key);
+ 	if(node)
+ 		return (struct doq_conid*)node->key;
+@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table,
+ 	struct config_file* cfg, size_t mem)
+ {
+ 	size_t cur;
++	if (!table)
++		return 0;
+ 	lock_basic_lock(&table->size_lock);
+ 	cur = table->current_size;
+ 	lock_basic_unlock(&table->size_lock);
+diff --git a/util/configparser.y b/util/configparser.y
+index bf9c196fc..f159b8cec 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
+ server_quic_port: VAR_QUIC_PORT STRING_ARG
+ 	{
+ 		OUTYY(("P(server_quic_port:%s)\n", $2));
++		if(atoi($2) == 0 && strcmp($2,"0")!=0)
++			yyerror("port number expected");
++		else {
++			cfg_parser->cfg->quic_port = atoi($2);
+ #ifndef HAVE_NGTCP2
+-		log_warn("%s:%d: Unbound is not compiled with "
+-			"ngtcp2. This is required to use DNS "
+-			"over QUIC.", cfg_parser->filename, cfg_parser->line);
++			if (cfg_parser->cfg->quic_port != 0)
++				log_warn("%s:%d: Unbound is not compiled with "
++					"ngtcp2. This is required to use DNS "
++					"over QUIC.", cfg_parser->filename, cfg_parser->line);
+ #endif
+-		if(atoi($2) == 0)
+-			yyerror("port number expected");
+-		else cfg_parser->cfg->quic_port = atoi($2);
++		}
+ 		free($2);
+ 	};
+ server_quic_size: VAR_QUIC_SIZE STRING_ARG
+diff --git a/util/netevent.c b/util/netevent.c
+index aedcb5e07..93db16675 100644
+--- a/util/netevent.c
++++ b/util/netevent.c
+@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd,
+ {
+ 	size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */
+ 	struct doq_server_socket* doq_socket;
++	log_assert(doq_table != NULL);
+ 	doq_socket = calloc(1, sizeof(*doq_socket));
+ 	if(!doq_socket) {
+ 		return NULL;
+@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo)
+ {
+ 	struct doq_conn* conn;
+ 	struct doq_conn_key key;
++	log_assert(table != NULL);
+ 	doq_conn_key_from_repinfo(&key, repinfo);
+ 	lock_rw_rdlock(&table->lock);
+ 	conn = doq_conn_find(table, &key.paddr.addr,
+@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer,
+ 	struct config_file* cfg)
+ {
+ #ifdef HAVE_NGTCP2
++	log_assert(table != NULL);
+ 	struct comm_point* c = (struct comm_point*)calloc(1,
+ 		sizeof(struct comm_point));
+ 	short evbits;
+-- 
+2.52.0
+
diff --git a/unbound-1.24-swig-function.patch b/unbound-1.24-swig-function.patch
new file mode 100644
index 0000000..3257766
--- /dev/null
+++ b/unbound-1.24-swig-function.patch
@@ -0,0 +1,26 @@
+From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 24 Oct 2025 20:20:50 +0200
+Subject: [PATCH] Use $action instead of $function in python SWIG interface
+
+$function is not supported since SWIG 4.4.0.
+---
+ libunbound/python/libunbound.i | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
+index dc12514..4576844 100644
+--- a/libunbound/python/libunbound.i
++++ b/libunbound/python/libunbound.i
+@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
+ %{ 
+   //printf("resolve_start(%lX)\n",(long unsigned int)arg1);
+   Py_BEGIN_ALLOW_THREADS 
+-  $function 
++  $action 
+   Py_END_ALLOW_THREADS 
+   //printf("resolve_stop()\n");
+ %} 
+-- 
+2.51.0
+
diff --git a/unbound-fedora-config.patch b/unbound-fedora-config.patch
index be28920..da88960 100644
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@@ -14,6 +14,16 @@ diff --git a/doc/example.conf.in b/doc/example.conf.in
 index 59090c6..3a86809 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
+@@ -8,6 +8,9 @@
+ # Use this anywhere in the file to include other text into this file.
+ #include: "otherfile.conf"
+
++# Default Fedora settings
++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
++
+ # Use this anywhere in the file to include other text, that explicitly starts a
+ # clause, into this file. Text after this directive needs to start a clause.
+ #include-toplevel: "otherfile.conf"
 @@ -51,11 +51,19 @@ server:
  	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
  	# specify every interface[@port] on a new 'interface:' labelled line.
@@ -73,13 +83,10 @@ index 59090c6..3a86809 100644
  	# tls-port: 853
  	# https-port: 443
  	# quic-port: 853
-@@ -1166,6 +1181,12 @@ remote-control:
+@@ -1166,6 +1181,9 @@ remote-control:
  	# unbound-control certificate file.
  	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
- 
-+# Default Fedora settings
-+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
-+
+
 +# Stub and Forward zones
 +include: "@sysconfdir@/unbound/conf.d/*.conf"
 +
diff --git a/unbound.spec b/unbound.spec
index cff426f..d173141 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -4,6 +4,10 @@
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
+%if 0%{?fedora} >= 43 && !0%{?rhel}
+# Do not build with QUIC support in RHEL, until we have also client support.
+%bcond_without ngtcp2
+%endif
 %if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis
 %else
@@ -36,7 +40,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.24.1
+Version: 1.24.2
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -45,7 +49,7 @@ Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
 Source3: unbound.munin
 Source4: unbound_munin_
-Source5: root.key
+Source5: mkroot.sh
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Source9: example.com.key
@@ -58,8 +62,8 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-# source: https://nlnetlabs.nl/people/
-Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
+# https://nlnetlabs.nl/signing-keys/
+Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc
 Source20: unbound.sysusers
 Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
@@ -70,9 +74,14 @@ Source26: remote-control-include.conf
 Source27: fedora-defaults.conf
 Source28: module-setup.sh
 Source29: unbound-initrd.conf
+Source30: tmpfiles-unbound-libs.conf
 
 # Downstream configuration changes
 Patch1:   unbound-fedora-config.patch
+# https://github.com/NLnetLabs/unbound/pull/1331
+Patch2:   unbound-1.24-swig-function.patch
+# https://github.com/NLnetLabs/unbound/pull/1381
+Patch3:   unbound-1.24-quic-on-demand-only.patch
 
 BuildRequires: gcc, make
 BuildRequires: openssl-devel
@@ -84,8 +93,9 @@ BuildRequires: automake autoconf libtool
 BuildRequires: autoconf-archive
 # Regenerate config parser too
 BuildRequires: bison flex byacc
+BuildRequires: dns-root-data
 
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} >= 9
 BuildRequires: gnupg2
 %endif
 %if 0%{with_python2}
@@ -111,6 +121,9 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
 %endif
+%if %{with ngtcp2}
+BuildRequires: ngtcp2-crypto-ossl-devel
+%endif
 
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -152,7 +165,7 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
 Recommends: %{name}-anchor
-%{?sysusers_requires_compat}
+Requires: dns-root-data
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@@ -212,7 +225,8 @@ Unbound dracut module allowing use of Unbound for name resolution
 in initramfs.
 
 %prep
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} >= 9
+# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key
 %{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \
 %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
@@ -283,6 +297,9 @@ autoreconf -fiv
 %if %{with redis}
             --with-libhiredis \
             --enable-cachedb \
+%endif
+%if %{with ngtcp2}
+            --with-libngtcp2 \
 %endif
             %{configure_args}
 
@@ -298,6 +315,9 @@ pushd %{dir_secondary}
 %endif
 %if %{with systemd}
             --enable-systemd \
+%endif
+%if %{with ngtcp2}
+            --with-libngtcp2 \
 %endif
             %{configure_args}
 
@@ -340,22 +360,20 @@ done
 %endif
 
 # install streamtcp man page
-install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
 
 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
 
 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
-install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
-install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
-# make initial key static
-pushd %{buildroot}%{_sharedstatedir}/unbound
-  KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
-  ln -s "$KEYPATH" root.key
-popd
+sh %{SOURCE5} root.key
+install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/
+ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key"
+ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key"
 
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
@@ -395,8 +413,6 @@ mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 
-%pre libs
-%sysusers_create_compat %{SOURCE20}
 
 %post
 %systemd_post unbound.service
@@ -424,6 +440,13 @@ fi
 %postun anchor
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 
+%triggerun -- unbound < 1.23.1-4
+if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then
+   # change permissions of existing key just once, where it were generated with wrong perms
+   %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || :
+fi
+
+
 %check
 export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
 make check
@@ -499,10 +522,11 @@ popd
 %{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
+%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
+%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
 
 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
diff --git a/wouter.nlnetlabs.nl.key b/wouter.nlnetlabs.nl.key
deleted file mode 100644
index 603e620..0000000
--- a/wouter.nlnetlabs.nl.key
+++ /dev/null
@@ -1,123 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
-SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
-1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
-TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
-l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
-qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
-Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
-x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
-WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
-/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
-hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
-zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
-ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
-HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
-XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
-8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
-Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
-UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
-MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
-/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
-Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
-SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
-oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
-Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
-AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
-bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
-4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
-ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
-L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
-DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
-e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
-T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
-/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
-bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
-OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
-ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
-AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
-bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
-2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
-Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
-Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
-4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
-zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
-5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
-46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
-GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
-JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
-lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
-iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
-AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
-bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
-4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
-bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
-GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
-vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
-+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
-/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
-aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
-7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
-sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
-vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
-r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
-lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
-q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
-Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
-jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
-Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
-7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
-Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
-i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
-ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
-H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
-AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
-V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
-gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
-DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
-PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
-ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
-xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
-UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
-2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
-oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
-2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
-Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
-bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
-RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
-XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
-rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
-eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
-Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
-g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
-kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
-YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
-c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
-k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
-AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
-HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
-VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
-Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
-0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
-yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
-v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
-ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
-G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
-RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
-1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
-7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
-CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
-LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
-bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
-EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
-8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
-ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
-ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
-s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
-HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
-9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
-p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
-5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
-=Oqje
------END PGP PUBLIC KEY BLOCK-----