Replace downloaded key with existing Paul's key

Keep only one instance of the key.
Replace Wouter's key with release-g2 key
2026-01-13 16:40:21 +01:00 · 2026-01-13 16:35:32 +01:00 · 2025-12-09 11:32:18 -05:00 · 2025-11-26 14:16:02 +01:00 · 2025-11-25 15:39:18 +01:00 · 2025-11-25 15:38:46 +01:00
30 changed files with 2069 additions and 2354 deletions
--- a/.gitignore
+++ b/.gitignore
@ -73,3 +73,31 @@ unbound-1.4.5.tar.gz
 /unbound-1.16.0.tar.gz.asc
 /unbound-1.16.2.tar.gz
 /unbound-1.16.2.tar.gz.asc
+/unbound-1.16.3.tar.gz
+/unbound-1.16.3.tar.gz.asc
+/unbound-1.17.0.tar.gz
+/unbound-1.17.0.tar.gz.asc
+/unbound-1.17.1.tar.gz
+/unbound-1.17.1.tar.gz.asc
+/unbound-1.18.0.tar.gz
+/unbound-1.18.0.tar.gz.asc
+/unbound-1.19.0.tar.gz
+/unbound-1.19.0.tar.gz.asc
+/unbound-1.19.1.tar.gz
+/unbound-1.19.1.tar.gz.asc
+/unbound-1.19.3.tar.gz
+/unbound-1.19.3.tar.gz.asc
+/unbound-1.20.0.tar.gz
+/unbound-1.20.0.tar.gz.asc
+/unbound-1.21.0.tar.gz
+/unbound-1.21.0.tar.gz.asc
+/unbound-1.21.1.tar.gz
+/unbound-1.21.1.tar.gz.asc
+/unbound-1.22.0.tar.gz
+/unbound-1.22.0.tar.gz.asc
+/unbound-1.23.0.tar.gz
+/unbound-1.23.0.tar.gz.asc
+/unbound-1.23.1.tar.gz
+/unbound-1.23.1.tar.gz.asc
+/unbound-1.*.tar.gz
+/unbound-1.*.tar.gz.asc
--- a/Yorgos.asc
+++ b/Yorgos.asc
@ -0,0 +1,128 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8
+SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv
+omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI
+qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6
+W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp
+elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4
+UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP
+YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr
+S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS
+2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr
+g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB
+tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX
+BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5
+NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d
+lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc
+BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz
+kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI
+MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL
+ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL
+8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b
+CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO
+jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv
+ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU
+OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl
+InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8
+Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC
+AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP
+8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA
+18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J
+9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc
+mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY
+HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/
+4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi
+7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7
+rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6
+AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B
+pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK
+3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS
+AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY
+Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk
+cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w
+B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT
+O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J
+CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB
+CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z
+NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI
+vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW
+T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK
+Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa
+A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9
+KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh
+us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek
+Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl
+BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU
+5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO
+TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y
+Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB
+CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0
+TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4
+Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D
+Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N
+O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH
+gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E
+oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui
+6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE
+dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p
+oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa
+7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/
+btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz
+a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/
+VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H
+jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t
+hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv
+Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB
+w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw
+fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV
+CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv
+pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje
+c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A
+nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5
+t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO
+dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG
+WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH
+4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ
+PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz
+Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh
+gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf
+FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA
+b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q
+h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA
+5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5
+cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H
+Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew
+7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i
+5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w
+8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N
+jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas
+/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7
+UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ
+rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB
+EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih
+lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y
+rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW
+YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm
+ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N
+W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP
+GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf
+6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4
+hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+
+LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8
+sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm
+AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH
+pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V
+ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8
+yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ
+yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1
+0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb
+Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ
+kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc
+aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ
+GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS
+UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+
+ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g=
+=Ubkv
+-----END PGP PUBLIC KEY BLOCK-----
--- a/917
+++ b/917
@ -0,0 +1,917 @@
+* Thu Nov 02 2023 Petr Menšík <pemensik@redhat.com> - 1.19.0-1
+- Update to 1.19.0 (#2248686)
+
+* Wed Sep 06 2023 Petr Menšík <pemensik@redhat.com> - 1.18.0-2
+- Skip failing tests on ELN builds
+
+* Fri Sep 01 2023 Petr Menšík <pemensik@redhat.com> - 1.18.0-1
+- Update to 1.18.0 (#2236097)
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.17.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 1.17.1-3
+- Rebuilt for Python 3.12
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.17.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jan 13 2023 Paul Wouters <paul.wouters@aiven.io - 1.17.1-1
+- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
+- Add support for building with redis
+
+* Thu Dec 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-2
+- Move unbound user creation to libs (#2149036)
+- Use systemd-sysusers for user creation (#2105416)
+- Keep original DNSSEC root key as config (#2132103)
+
+* Tue Nov 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-1
+- Update to 1.17.0 (#2134348)
+
+* Wed Oct 05 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-3
+- Correct issues made by unbound-anchor package split (#2110858)
+
+* Fri Sep 30 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-2
+- Update License tag to SPDX identifier
+
+* Fri Sep 23 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-1
+- Update to 1.16.3 (#2128638)
+
+* Tue Aug 09 2022 Paul Wouters <pwouters@redhat.com> - 1.16.2-3
+- sync up to upstream unbound.conf
+- Enable Extended DNS Error codes (RFC8914)
+
+* Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
+- Require openssl tool for unbound-keygen (#2116790)
+
+* Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
+- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.16.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jun 27 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-6
+- Move unbound-anchor to separate package
+- Move unbound-host and unbound-streamtcp to unbound-utils package
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1.16.0-5
+- Rebuilt for Python 3.11
+
+* Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-4
+- Restart keygen service before every unbound start
+
+* Sat Jun 04 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
+- Update to 1.16.0
+
+* Tue Apr 26 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-3
+- Stop creating wrong devel manual pages (#2078929)
+
+* Wed Apr 20 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-2
+- Update icannbundle.pem
+
+* Tue Mar 29 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-1
+- Update to 1.15.0 (#2030608)
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.13.2-4
+- Rebuilt for protobuf 3.19.0
+
+* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 1.13.2-3
+- Rebuilt for protobuf 3.18.1
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.13.2-2
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Aug 12 2021 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
+- Resolves: rhbz#1992985 unbound-1.13.2 is available
+- Use system-wide crypto policies
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 1.13.1-7
+- Rebuilt for Python 3.10
+
+* Fri Apr 23 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-6
+- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
+- Resolves: rhbz#1935101
+
+* Tue Apr 13 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-5
+- Fix unbound.service to use After=network-online.target
+
+* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-4
+- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR
+  environment variable equals to "yes"
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.13.1-3
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Mon Feb 15 2021 Victor Stinner <vstinner@python.org> - 1.13.1-2
+- Fix build on Python 3.10 (rhbz#1889726).
+
+* Wed Feb 10 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-1
+- Resolves rhbz#1860887 unbound-1.13.1 is available
+- Fixup unbound.conf
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Dec 10 2020 Petr Menšík <pemensik@redhat.com> - 1.13.0-1
+- Update to 1.13.0
+
+* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 1.12.0-1
+- Update to 1.12.0 (#1860887)
+
+* Tue Sep 15 2020 Petr Menšík <pemensik@redhat.com> - 1.10.1-5
+- Move command line tools to utils subpackage
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-3
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 1.10.1-2
+- Rebuilt for Python 3.9
+
+* Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1
+- Resolves: rhbz#1837279 unbound-1.10.1 is available
+- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
+- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
+- Updated unbound.conf for new options in 1.10.1
+
+* Wed Apr 29 2020 Paul Wouters <pwouters@redhat.com> - 1.10.0-3
+- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.
+
+* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.10.0-2
+- Resolves: rhbz#1824536 unbound crash
+
+* Thu Mar 19 2020 Petr Menšík <pemensik@redhat.com> - 1.10.0-1
+- Update to 1.10.0 (#1805199)
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Dec 13 2019 Paul Wouters <pwouters@redhat.com> - 1.9.6-1
+- Resolves: rhbz#1758107 unbound-1.9.5 is available
+- Resolves: CVE-2019-18934
+
+* Fri Nov 01 2019 Paul Wouters <pwouters@redhat.com> - 1.9.4-1
+- Fix build on rhel/centos systems
+- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query
+
+* Thu Sep 26 2019 Petr Menšík <pihhan@gmail.com> - 1.9.3-2
+- Obsolete no longer provided python2 subpackage (#1749400)
+
+* Tue Aug 27 2019 Paul Wouters <pwouters@redhat.com> - 1.9.3-1
+- Updated to 1.9.3
+- Resolves: rhbz#1672578 unbound-1.9.2 is available
+- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/
+- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT
+
+* Thu Aug 22 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-8
+- Subpackage python2-unbound has been removed
+  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
+
+* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-7
+- Rebuilt for Python 3.8
+
+* Mon Aug  5 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.8.3-6
+- Drop install-time requirements on systemd (#1723777)
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jan 11 2019 Paul Wouters <pwouters@redhat.com> - 1.8.3-3
+- Remove KSK-2010 from configs - it has been revoked
+
+* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-2
+- Another dns64 fixup
+
+* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-1
+- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes
+
+* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-2
+- Fix dns64 allocation in wrong region for returned internal queries.
+
+* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
+- Updated to 1.8.2.
+- Enabled deny ANY query support and edns-tcp-keepalive
+- Set serve-stale timeout to 4h
+- Updated unbound.conf for latest options
+
+* Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
+- Allow group by default to unbound-control (#1640259)
+
+* Mon Oct 08 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-1
+- Update to 1.8.1
+
+* Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-2
+- Skip ipv6 forwarders without ipv6 support (#1633874)
+
+* Wed Sep 19 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-1
+- Rebase to 1.8.0
+
+* Tue Aug 14 2018 Paul Wouters <pwouters@redhat.com> - 1.7.3-9
+- Fix for restarting unbound service after deleting key/pem files for remote control
+
+* Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
+- Release memory in unbound-host
+
+* Mon Jul 23 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-7
+- Remove unused Group tag
+
+* Wed Jul 18 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-6
+- Cleanup generated client and server keys (#1601773)
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-4
+- Do not call ldconfig if possible
+
+* Wed Jul 04 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-3
+- Update trust anchors also behind firewall (#1598078)
+
+* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 1.7.3-2
+- Rebuilt for Python 3.7
+
+* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-1
+- Update to 1.7.3 (#1593708)
+
+* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 1.7.2-3
+- Remove last python2 dependency from python3 build
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.7.2-2
+- Rebuilt for Python 3.7
+
+* Mon Jun 11 2018 Paul Wouters <pwouters@redhat.com> - 1.7.2-1
+- Resolves rhbz#1589807 unbound-1.7.2 is available
+- Add patch to fix stub/forward zone not returning ServFail when TTL expires
+- Enabled the new root-key-sentinel option
+
+* Wed May 30 2018 Petr Menšík <pemensik@redhat.com> - 1.7.1-1
+- Update to 1.7.1 (#1574495)
+
+* Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.0-5
+- Require gcc and make on build
+- Remove group, simplify systemd requires
+- Simplify building with single python version, make python3 primary
+
+* Mon Apr 09 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-4
+- Patch for prefetching after flushing cache
+
+* Fri Apr 06 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-3
+- Patch for referral with auth-zone: response
+
+
+* Wed Mar 21 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-2
+- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry
+
+* Thu Mar 15 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-1
+- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes)
+
+* Thu Feb 22 2018 Petr Menšík <pemensik@redhat.com> - 1.6.8-6
+- Uncomment again original max-upd-size
+
+* Wed Feb 21 2018 Petr Menšík <pemensik@redhat.com> - 1.6.8-5
+- Use default RPM build flags and configure parameters (#1539097)
+
+* Wed Feb 21 2018 Petr Menšík <pemensik@redhat.com> - 1.6.8-4
+- Remove group writable bit from some config files (#1528445)
+
+* Wed Feb 14 2018 Filipe Rosset <rosset.filipe@gmail.com> - 1.6.8-3
+- rebuilt due new libevent 2.1.8
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.6.8-2
+- Escape macros in %%changelog
+
+* Mon Jan 22 2018 Paul Wouters <pwouters@redhat.com> - 1.6.8-1
+- Resolves rhbz#1483572 unbound-1.6.8 is available
+- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records
+- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all]
+
+* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.6.7-2
+- Python 2 binary package renamed to python2-unbound
+  See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Thu Oct 12 2017 Paul Wouters <pwouters@redhat.com> - 1.6.7-1
+- Updated to 1.6.7 (minor bugfixes)
+
+* Tue Oct 03 2017 Petr Menšík <pemensik@redhat.com> - 1.6.6-3
+- Update icannbundle.pem
+
+* Mon Oct 02 2017 Paul Wouters <pwouters@redhat.com> - 1.6.6-2
+- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics
+
+* Fri Sep 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.6-1
+- Resolves: rhbz#1483572 unbound-1.6.6 is available
+- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit)
+
+* Wed Aug 16 2017 Paul Wouters <pwouters@redhat.com> - 1.6.4-4
+- Rebuilt with KSK2017 added to root.key and root.anchor
+- Remove noreplace for root key files. We can only improve these files over local copies
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sun Jul 02 2017 Paul Wouters <pwouters@redhat.com> - 1.6.4-1
+- Updated to 1.6.4 full release, patch to allow missing ipsechook
+- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook
+
+* Thu Jun 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.4-0.rc2
+- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes)
+
+* Tue Jun 13 2017 Paul Wouters <pwouters@redhat.com> - 1.6.3-1
+- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled)
+
+* Thu Jun 08 2017 Paul Wouters <pwouters@redhat.com> - 1.6.2-2
+- Patch for cmd: unbound-control set_option val-permissive-mode: yes
+
+* Wed Apr 26 2017 Paul Wouters <pwouters@redhat.com> - 1.6.2-1
+- Update to 1.6.2 (rhbz#1425649)
+- Updated unbound.conf with new options
+
+* Wed Mar 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.0-6
+- Call make unbound-event-install to install unbound-event.h
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Jan 18 2017 Paul Wouters <pwouters@redhat.com> - 1.6.0-4
+- Remove obsoleted DLV key
+
+* Mon Jan 02 2017 Paul Wouters <pwouters@redhat.com> - 1.6.0-3
+- Actually remove dependency because minimum is always satisfied
+
+* Mon Jan 02 2017 Paul Wouters <pwouters@redhat.com> - 1.6.0-2
+- Depend on openssl-libs, not opensl
+
+* Wed Dec 21 2016 Kevin Fenzi <kevin@scrye.com> - 1.6.0-1
+- Update to 1.6.0
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 1.5.10-3
+- Rebuild for Python 3.6
+
+* Wed Oct 26 2016 Ilya Evseev <evseev.i@cdnnow.ru> - 1.5.10-2
+- Bugfix building without python2 and python3
+- Fixup streamtcp build (Paul)
+
+* Tue Sep 27 2016 Paul Wouters <pwouters@redhat.com> - 1.5.10-1
+- Updated to 1.5.10 (better TCP handling, bugfixes)
+- Install pkgconfig file in -devel package
+- Updated unbound.conf
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.9-4
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Jul 07 2016 Paul Wouters <pwouters@redhat.com> - 1.5.9-3
+- Fix upper port range to 60999 because that's what selinux allows
+
+* Thu Jun 16 2016 Paul Wouters <pwouters@redhat.com> - 1.5.9-2
+- Patch for allowing more queries before failure (needed for query minimalization)
+
+* Mon Jun 13 2016 Paul Wouters <pwouters@redhat.com> - 1.5.9-1
+- Updated to 1.5.9
+
+* Thu Apr 21 2016 Toshio Kuratomi <toshio@fedoraproject.org> - 1.5.8-2
+- Fix streamtcp to link against libpython3.x instead of libpython2.x
+
+* Wed Mar 02 2016 Paul Wouters <pwouters@redhat.com> - 1.5.8-1
+- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch
+- Updated unbound.conf with new upstream options
+- Enabled ip-transparent: yes (see rhbz#1291449)
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Jan 21 2016 Tomas Hozza <thozza@redhat.com> - 1.5.7-2
+- Fix escaping of shell chars in unbound-control-setup (#1294339)
+
+* Fri Dec 11 2015 Paul Wouters <pwouters@redhat.com> - 1.5.7-1
+- Update to 1.5.7
+- Enable query minimalization for enhanced DNS query privacy
+- Enable nxdomain hardening to assist with query minimalization and SBLs
+- Updated default unbound.conf for new features from upstream.
+
+* Fri Nov 13 2015 Tomas Hozza <thozza@redhat.com> - 1.5.6-1
+- Update to 1.5.6 (#1176729)
+
+* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 1.5.5-2
+- Rebuilt for Python3.5 rebuild
+
+* Wed Oct 07 2015 Tomas Hozza <thozza@redhat.com> - 1.5.5-1
+- New upstream release 1.5.5 (#1269137)
+- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2)
+
+* Tue Sep 15 2015 Tomas Hozza <thozza@redhat.com> - 1.5.4-5
+- Removed dependency and ordering on unbound-anchor.service in unbound.service
+
+* Thu Sep 03 2015 Tomas Hozza <thozza@redhat.com> - 1.5.4-4
+- Prefer Python3 build over Python2 build for now (#1254566)
+
+* Mon Jul 20 2015 Tomas Hozza <thozza@redhat.com> - 1.5.4-3
+- Added ExecReload section to unbound.service (#1195785)
+- Removed After syslog.target since it is not needed any more
+
+* Thu Jul 16 2015 Tomas Hozza <thozza@redhat.com> - 1.5.4-2
+- Start unbound-anchor.timer only on new installations
+- Rename root.anchor to root.key in %%post section
+
+* Tue Jul 14 2015 Paul Wouters <pwouters@redhat.com> - 1.5.4-1
+- Update to 1.5.4
+- Removed patches merged into upstream
+
+* Tue Jun 16 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-8
+- Revert: Use low maximum negative cache TTL (5 sec) (#1229596)
+
+* Mon Jun 15 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-7
+- Add option for maximum negative cache TTL (#1229599)
+- Use low maximum negative cache TTL (5 sec) (#1229596)
+
+* Tue May 26 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-6
+- Removed usage of DLV from the default configuration (#1223363)
+
+* Wed May 13 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-5
+- unbound.service now Wants unbound-anchor.timer
+- unbound-anchor man page moved to the unbound-libs
+
+* Mon May 11 2015 Paul Wouters <pwouters@redhat.com> - 1.5.3-4
+- Fixup scriptlets causing systemctl: command not found
+- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs
+
+* Mon Apr 27 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-3
+- migrate cronjob to systemd timer unit (#1177285)
+- change the period for unbound-anchor from monthly to daily (#1180267)
+- Thanks to Tomasz Torcz <ttorcz@fedoraproject.org> for the initial patch
+
+* Thu Apr 16 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-2
+- Fix FTBFS (#1206129)
+- Build python3-unbound and python-unbound bindings for Python 3 and 2 (#1188080)
+
+* Mon Mar 16 2015 Paul Wouters <pwouters@redhat.com> - 1.5.3-1
+- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling
+- Updated to 1.5.2 which fixes DNSSEC validation with different
+  trust anchors upstream, local-zone has a new keyword 'inform'
+
+* Mon Feb 02 2015 Paul Wouters <pwouters@redhat.com> - 1.5.1-4
+- Build with --enable-ecdsa
+
+* Sun Feb 01 2015 Paul Wouters <pwouters@redhat.com> - 1.5.1-3
+- Fix post to create root.anchor, not root.key, to match cron job
+
+* Tue Dec 09 2014 Paul Wouters <pwouters@redhat.com> - 1.5.1-2
+- Change systemd-units to systemd
+- Use _tmpfilesdir macro, don't mark tmpfiles as config
+
+* Tue Dec 09 2014 Paul Wouters <pwouters@redhat.com> - 1.5.1-1
+- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066)
+- Removed unbound-aarch64.patch which was merged upstream
+- Don't require autotools for non snapshots or run autoreconf
+
+* Fri Nov 28 2014 Tomas Hozza <thozza@redhat.com> - 1.5.1-0.1.rc1
+- update to 1.5.1rc1
+
+* Fri Nov 28 2014 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 1.5.0-3
+- fix build on aarch64
+
+* Wed Nov 26 2014 Tomas Hozza <thozza@redhat.com> - 1.5.0-2
+- Fix race condition in arc4random (#1166878)
+
+* Wed Nov 19 2014 Tomas Hozza <thozza@redhat.com> - 1.5.0-1
+- update to 1.5.0
+
+* Wed Sep 24 2014 Pavel Šimerda <psimerda@redhat.com> - 1.4.22-6
+- Resolves: #1115489 - build with python 3.x for fedora >= 22
+
+* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 1.4.22-5
+- Rebuild for rpm bug 1131960
+
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.22-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.22-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu May 01 2014 Paul Wouters <pwouters@redhat.com> - 1.4.22-2
+- Added flushcache patch (SVN commit 3125)
+
+* Thu Mar 13 2014 Paul Wouters <pwouters@redhat.com> - 1.4.22-1
+- Updated to 1.4.22
+- No longer requires the ldns library
+
+* Thu Jan 16 2014 Tomas Hozza <thozza@redhat.com> - 1.4.21-3
+- Fix segfault on adding insecure forward zone when using only iterator (#1054192)
+
+* Mon Oct 21 2013 Tomas Hozza <thozza@redhat.com> - 1.4.21-2
+- run test suite during the build
+
+* Thu Sep 19 2013 Paul Wouters <pwouters@redhat.com> - 1.4.21-1
+- Updated to 1.4.21,
+- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit)
+- Removed patched merged in by upstream
+- Enable statistics-cumulative for munin-plugin
+- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions
+- Updated unbound.conf
+
+* Mon Aug 26 2013 Tomas Hozza <thozza@redhat.com> - 1.4.20-19
+- Fix errors found by static analysis of source
+
+* Mon Aug 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-18
+- Change unbound.conf to only use ephemeral ports (32768-65535)
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.20-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 22 2013 Tomas Hozza <thozza@redhat.com> - 1.4.20-16
+- provide man page for unbound-streamtcp
+
+* Mon Jul 08 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-15
+- Re-introduce hardening flags for full relro and pie
+- Fixes compilation failure for python module
+
+* Wed Jul 03 2013 Tomas Hozza <thozza@redhat.com> - 1.4.20-14
+- remove missing unbound-rootkey.service from post/preun/postun sections
+- don't hardcode hardening flags, let hardened build macro handles it
+
+* Sat Jun 01 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-13
+- Run unbound-anchor as user unbound in unbound.service
+
+* Tue May 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-12
+- Enable round-robin (with noths() patch)
+- Change cron and systemd service to use root.key, not root.anchor
+
+* Sat May 25 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-10
+- Use /var/lib/unbound/root.key (more consistent with other distros)
+- Enable minimal responses
+
+* Mon Apr 22 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-8
+- Refix
+
+* Fri Apr 19 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-7
+- Fix runuser call in post.
+
+* Tue Apr 16 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-6
+- /var/lib/unbound should be owned by unbound. group write is not enough
+
+* Fri Apr 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-5
+- Fix cron job syntax (rhbz#951725)
+- Use install -p to prevent .rpmnew files that are identical to originals
+
+* Mon Apr 8 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-4
+- Updated to 1.4.20
+- Build with full RELRO (not use -z,relro but with -z,relo,-z,now)
+- Fixup man page for unbound-control-setup
+- unbound.service should start before nss-lookup.target (rhbz#919955)
+- Removed patch for rhbz#888759 merged in upstream
+- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008)
+- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs
+- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691)
+- Remove Obsolete/Provides for dnssec-conf which was last seen in f13
+- Ensure any unbound-anchor failure in post is ignored
+
+* Tue Mar 05 2013 Adam Tkac <atkac redhat com> - 1.4.19-5
+- build with full RELRO
+- symlink unbound-control-setup.8 manpage to unbound-control.8
+
+* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.19-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Dec 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.19-3
+- Updated to 1.4.19 - this integrates all existing patches
+- Patch for unbound-anchor (rhbz#888759)
+
+* Fri Nov 09 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-6
+- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd
+- added unbound-munin.README file
+
+* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-5
+- Patch to allow wildcards in include: statements
+- Add directories /etc/unbound/keys.d,conf.d,local.d with
+  example entries
+- Added /etc/unbound/root.anchor, maintained by unbound-anchor
+  which is installed as monthly cron and PreExec in systemd config
+  (root.key is unused, but left installed in case people depend on it)
+- Native systemd (simple) and /etc/sysconfig/unbound support
+- Run unbound-checkconf in PreExec
+- Moved trust anchor related files to unbound-libs, as they can
+  be used without the daemon.
+- sub packages now depends on base package of same arch
+- Build munin package as noarch
+- unbound-anchor moved to unbound-libs package. It is needed
+  to update the root.anchor key file.
+
+* Tue Sep 04 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-3
+- Fix openssl thread locking bug under high query load
+
+* Thu Aug 23 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-2
+- Use new systemd-rpm macros (rhbz#850351)
+- Clean up old obsoleted dnssec-conf from < fedora 15
+
+* Fri Aug 03 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-1
+- Updated to 1.4.18 (FIPS related fixes mostly)
+- Removed patches that were merged in upstream
+- Added comment to root.key
+
+* Mon Jul 23 2012 Paul Wouters <pwouters@redhat.com> - 1.4.17-5
+- Fix for unbound crasher (upstream bug #452)
+- Support libunbound functions in man pages and place in -devel
+
+* Sun Jul 22 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.17-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jul 03 2012 Paul Wouters <pwouters@redhat.com> - 1.4.17-3
+- unbound FIPS patches for MD5,randomness (rhbz#835106)
+
+* Fri Jun 15 2012 Adam Tkac <atkac redhat com> - 1.4.17-2
+- don't build unbound-munin on RHEL
+
+* Thu May 24 2012 Paul Wouters <pwouters@redhat.com> - 1.4.17-1
+- Updated to 1.4.17 (which mostly brings in patches we already
+  applied from svn trunk)
+
+* Wed Feb 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.16-3
+- Since the daemon links to the libs staticly, add Requires:
+  (this is rhbz#745288)
+- Package up streamtcp as unbound-streamtcp (for monitoring)
+
+* Mon Feb 27 2012 Paul Wouters <pwouters@redhat.com> - 1.4.16-2
+- Don't ghost the directory (rhbz#788805)
+- Patch for unbound to support unbound-control forward_zone
+  (needed for openswan in XAUTH mode)
+
+* Thu Feb 02 2012 Paul Wouters <paul@nohats.ca> - 1.4.16-1
+- Upgraded to 1.4.16, which was relesed due to the soname
+  and some DNSSEC validation failures
+
+* Wed Feb 01 2012 Paul Wouters <paul@nohats.ca> - 1.4.15-2
+- Patch for SONAME version (libtool's -version-number vs -version-info)
+
+* Fri Jan 27 2012 Paul Wouters <pwouters@redhat.com> - 1.4.15-1
+- Upgraded to 1.4.15
+- Updated unbound.conf to show how to configure listening on tls443
+
+* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Dec 19 2011 Paul Wouters <paul@cypherpunks.ca> - 1.4.14-1
+- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
+- SSL-wrapped query support for dnssec-trigger
+- EDNS handling changes
+- Removed integrated EDNS patches
+- Disabled use-caps-for-id, GoDaddy domains now break on it
+- Enabled new harden-below-nxdomain
+
+* Thu Sep 15 2011 Paul Wouters <paul@xelerance.com> - 1.4.13-1
+- Upgraded to 1.4.13
+- Removed merged in pythonmod patch
+- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks
+- Fix python to go into sitearch instead of sitelib
+
+* Wed Sep 14 2011 Tom Callaway <spot@fedoraproject.org> - 1.4.12-4
+- convert to systemd, tmpfiles.d
+
+* Mon Aug 08 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-3
+- Added pythonmod docs and examples
+
+* Mon Aug 08 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-2
+- Fix for python module load in the server (Tom Hendrikx)
+- No longer enable --enable-debug as it causes degraded  performance
+  under load.
+
+* Mon Jul 18 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-1
+- Updated to 1.4.12
+
+* Sun Jul 03 2011 Paul Wouters <paul@xelerance.com> - 1.4.11-1
+- Updated to 1.4.11
+- removed integrated CVE patch
+- updated stock unbound.conf for new options introduced
+
+* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.10-1
+- Added ghost for /var/run/unbound (bz#656710)
+
+* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-3
+- rebuilt
+
+* Wed May 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-2
+- Applied patch for CVE-2011-1922 DoS vulnerability
+
+* Sun Mar 27 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-1
+- Updated to 1.4.9
+
+* Sat Feb 12 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-2
+- rebuilt
+
+* Tue Jan 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-1
+- Updated to 1.4.8
+- Enable root key for DNSSEC
+- Fix unbound-munin to use proper file (could cause excessive logging)
+- Build unbound-python per default
+- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl
+
+* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-4
+- Revert last build - it was on the wrong branch
+
+* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-3
+- Disable do-ipv6 per default - causes severe degradation on non-ipv6 machines
+  (see comments in inbound.conf)
+
+* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-2
+- Bump release - forgot to upload the new tar ball.
+
+* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-1
+- Upgraded to 1.4.5
+
+* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-2
+- Added accidentally omitted svn patches to cvs
+
+* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-1
+- Upgraded to 1.4.4 with svn patches
+- Obsolete dnssec-conf to ensure it is de-installed
+
+* Thu Mar 11 2010 Paul Wouters <paul@xelerance.com> - 1.4.3-1
+- Update to 1.4.3 that fixes 64bit crasher
+
+* Tue Mar 09 2010 Paul Wouters <paul@xelerance.com> - 1.4.2-1
+- Updated to 1.4.2
+- Updated unbound.conf with new options
+- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
+- Enabled re-fetching popular records before they expire
+- Enabled logging of DNSSEC validation errors
+
+* Mon Mar 01 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-5
+- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues
+  with pthreads
+
+* Wed Feb 24 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-3
+- Change make/configure lines to attempt to fix -lphtread linking issue
+
+* Thu Feb 18 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-2
+- Removed dependancy for dnssec-conf
+- Added ISC DLV key (formerly in dnssec-conf)
+- Fixup old DLV locations in unbound.conf file via %%post
+- Fix parent child disagreement handling and no-ipv6 present [svn r1953]
+
+* Tue Jan 05 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-1
+- Updated to 1.4.1
+- Changed %%define to %%global
+
+* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-2
+- Bump version
+
+* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-1
+- Upgraded to 1.3.4. Security fix with validating NSEC3 records
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.3.3-2
+- rebuilt with new openssl
+
+* Mon Aug 17 2009 Paul Wouters <paul@xelerance.com> - 1.3.3-1
+- Updated to 1.3.3
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-2
+- Added missing glob patch to cvs
+- Place python macros within the %%with_python check
+
+* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-1
+- Updated to 1.3.0
+- Added unbound-python sub package. disabled for now
+- Patch from svn to fix DLV lookups
+- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
+  minimal-responses)
+- Added Default-Start and Default-Stop to unbound.init
+- Re-enabled --enable-sha2
+- Re-enabled glob.patch
+
+* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-7
+- unbound-iterator.patch was not commited
+
+* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-6
+- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793
+
+* Tue Mar 17 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-5
+- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys
+
+* Tue Mar 10 2009 Adam Tkac <atkac redhat com> - 1.2.1-4
+- enable DNSSEC only if it is enabled in sysconfig/dnssec
+
+* Mon Mar 09 2009 Adam Tkac <atkac redhat com> - 1.2.1-3
+- add DNSSEC support to initscript and enabled it per default
+- add requires dnssec-conf
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Feb 10 2009 Paul Wouters <paul@xelerance.com - 1.2.1-1
+- updated to 1.2.1
+
+* Sun Jan 18 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.0-2
+- rebuild with new openssl
+
+* Wed Jan 14 2009 Paul Wouters <paul@xelerance.com - 1.2.0-1
+- Updated to 1.2.0
+- Added dependancy on minimum SSL for CVE-2008-5077
+- Added dependancy on bc for unbound-munin
+- Added minimum requirement of libevent 1.4.5. Crashes with older versions
+  (note: libevent is stale in EL-4 and not in EL-5, needs fixing there)
+- Removed dependancy on selinux-policy (will get used when available)
+- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
+- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack
+- Enable val-clean-additional to drop addition unsigned data from signed
+  response.
+- Removed patches (got merged into upstream)
+
+* Mon Jan  5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-7
+- Modified scandir patch to silently fail when wildcard matches nothing
+- Patch to allow unbound-checkconf to find empty wildcard matches
+
+* Mon Jan  5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-6
+- Added scandir patch for trusted-keys-file: option, which
+  is used to load multiple dnssec keys in bind file format
+
+* Mon Dec  8 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-4
+- Added Requires: for selinux-policy >= 3.5.13-33 for proper SElinux rules.
+
+* Mon Dec  1 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-3
+- We did not own the /etc/unbound directory (#474020)
+- Fixed cvs anomalies
+
+* Fri Nov 28 2008 Adam Tkac <atkac redhat com> - 1.1.1-2
+- removed all obsolete chroot related stuff
+- label control certs after generation correctly
+
+* Thu Nov 20 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-1
+- Updated to unbound 1.1.1 which fixes a crasher and
+  addresses nlnetlabs bug #219
+
+* Wed Nov 19 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-3
+- Remove the chroot, obsoleted by SElinux
+- Add additional munin plugin links supported by unbound plugin
+- Move configuration directory from /var/lib/unbound to /etc/unbound
+- Modified unbound.init and unbound.conf to account for chroot changes
+- Updated unbound.conf with new available options
+- Enabled dns-0x20 protection per default
+
+* Wed Nov 19 2008 Adam Tkac <atkac redhat com> - 1.1.0-2
+- unbound-1.1.0-log_open.patch
+  - make sure log is opened before chroot call
+  - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219
+- removed /dev/log and /var/run/unbound and /etc/resolv.conf from
+  chroot, not needed
+- don't mount files in chroot, it causes problems during updates
+- fixed typo in default config file
+
+* Fri Nov 14 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-1
+- Updated to version 1.1.0
+- Updated unbound.conf's statistics options and remote-control
+  to work properly for munin
+- Added unbound-munin package
+- Generate unbound remote-control  key/certs on first startup
+- Required ldns is now 1.4.0
+
+* Wed Oct 22 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-5
+- Only call ldconfig in -libs package
+- Move configure into build section
+- devel subpackage should only depend on libs subpackage
+
+* Tue Oct 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-4
+- Fix CFLAGS getting lost in build
+- Don't enable interface-automatic:yes because that
+  causes unbound to listen on 0.0.0.0 instead of 127.0.0.1
+
+* Sun Oct 19 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-3
+- Split off unbound-libs, make build verbose
+
+* Thu Oct  9 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-2
+- FSB compliance, chroot fixes, initscript fixes
+
+* Thu Sep 11 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-1
+- Upgraded to 1.0.2
+
+* Wed Jul 16 2008 Paul Wouters <paul@xelerance.com> - 1.0.1-1
+- upgraded to new release
+
+* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-2
+- Build against ldns-1.3.0
+
+* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-1
+- Split of -devel package, fixed dependancies, make rpmlint happy
+
+* Fri Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12
+- Using parts from ports collection entry by Jaap Akkerhuis.
+- Using Fedoraproject wiki guidelines.
+
+* Wed Apr 23 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.11
+- Initial version.
--- a/fedora-defaults.conf
+++ b/fedora-defaults.conf
@ -0,0 +1,229 @@
+# Fedora distribution defaults
+
+server:
+	# verbosity number, 0 is least verbose. 1 is default.
+	verbosity: 1
+
+	# print statistics to the log (for every thread) every N seconds.
+	# Set to "" or 0 to disable. Default is disabled.
+	# Needs to be disabled for munin plugin
+	statistics-interval: 0
+
+	# enable cumulative statistics, without clearing them after printing.
+	# Needs to be disabled for munin plugin
+	statistics-cumulative: no
+
+	# enable extended statistics (query types, answer codes, status)
+	# Needs to be enabled for munin plugin
+	extended-statistics: yes
+
+	# number of threads to create. 1 disables threading.
+	# num-threads: 1
+	num-threads: 4
+
+	# specify the interfaces to answer queries from by ip-address.
+	# The default is to listen to localhost (127.0.0.1 and ::1).
+	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
+	# specify every interface[@port] on a new 'interface:' labelled line.
+	# The listen interfaces are not changed on reload, only on restart.
+	# interface: 0.0.0.0
+	# interface: ::0
+	# interface: 192.0.2.153
+	# interface: 192.0.2.154
+	# interface: 192.0.2.154@5003
+	# interface: 2001:DB8::5
+	# interface: eth0@5003
+	#
+	# for dns over tls and raw dns over port 80
+	# interface: 0.0.0.0@443
+	# interface: ::0@443
+	# interface: 0.0.0.0@80
+	# interface: ::0@80
+
+	# enable this feature to copy the source address of queries to reply.
+	# Socket options are not supported on all platforms. experimental.
+	# interface-automatic: yes
+	#
+	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+	# NOTE: Disabled per Fedora policy not to listen to * on default install
+	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+	interface-automatic: no
+
+	# permit Unbound to use this port number or port range for
+	# making outgoing queries, using an outgoing interface.
+	# Only ephemeral ports are allowed by SElinux
+	outgoing-port-permit: 32768-60999
+
+	# IANA-assigned port numbers.
+	# If multiple outgoing-port-permit and outgoing-port-avoid options
+	# are present, they are processed in order.
+	# Our SElinux policy does not allow non-ephemeral ports to be used
+	outgoing-port-avoid: 0-32767
+	outgoing-port-avoid: 61000-65535
+
+	# use SO_REUSEPORT to distribute queries over threads.
+	# at extreme load it could be better to turn it off to distribute even.
+	so-reuseport: yes
+	 
+	# use IP_TRANSPARENT so the interface: addresses can be non-local
+	# and you can config non-existing IPs that are going to work later on
+	# (uses IP_BINDANY on FreeBSD).
+	ip-transparent: yes
+
+	# Enable UDP, "yes" or "no".
+	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
+	# disable UDP to avoid being used in DNS amplification attacks.
+	# do-udp: yes
+
+	# Enable EDNS TCP keepalive option.
+	edns-tcp-keepalive: yes
+
+	# Fedora note: do not activate this - not compiled in because
+	# it causes frequent unbound crashes. Also, socket activation
+	# is bad when you have things like dnsmasq also running with libvirt.
+	# Use systemd socket activation for UDP, TCP, and control sockets.
+	# use-systemd: no
+
+	# If you give "" no chroot is performed. The path must not end in a /.
+	# chroot: "/etc/unbound"
+	chroot: ""
+
+	# If you give a server: directory: dir before include: file statements
+	# then those includes can be relative to the working directory.
+	directory: "/etc/unbound"
+
+	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+	log-time-ascii: yes
+
+	# Harden against unseemly large queries.
+	harden-large-queries: yes
+
+	# Harden against unverified (outside-zone, including sibling zone) glue rrsets
+	harden-unverified-glue: yes
+
+	# Default off, because the lookups burden the server.  Experimental
+	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+	harden-referral-path: yes
+
+	# Sent minimum amount of information to upstream servers to enhance
+	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+	# to A when possible.
+	qname-minimisation: yes
+
+	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+	# and other denials, using information from previous NXDOMAINs answers.
+	aggressive-nsec: yes
+
+	# threshold, a warning is printed and a defensive action is taken,
+	# the cache is cleared to flush potential poison out of it.
+	# A suggested value is 10000000, the default is 0 (turned off).
+	unwanted-reply-threshold: 10000000
+
+	# if yes, perform prefetching of almost expired message cache entries.
+	prefetch: yes
+
+	# if yes, perform key lookups adjacent to normal lookups.
+	prefetch-key: yes
+
+	# deny queries of type ANY with an empty response.
+	deny-any: yes
+
+	# if yes, Unbound rotates RRSet order in response.
+	rrset-roundrobin: yes
+
+	# if yes, Unbound doesn't insert authority/additional sections
+	# into response messages when those sections are not required.
+	minimal-responses: yes
+
+	# module configuration of the server. A string with identifiers
+	# separated by spaces. Syntax: "[dns64] [validator] iterator"
+	# most modules have to be listed at the beginning of the line,
+	# except cachedb(just before iterator), and python (at the beginning,
+	# or, just before the iterator).
+	# For redis cachedb use:
+	#    "ipsecmod validator cachedb iterator"
+	module-config: "ipsecmod validator iterator"
+
+	# trust anchor signaling sends a RFC8145 key tag query after priming.
+	trust-anchor-signaling: yes
+
+	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
+	root-key-sentinel: yes
+
+	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
+	# you need external update procedures to track changes in keys.
+	# trusted-keys-file: ""
+	#
+	trusted-keys-file: /etc/unbound/keys.d/*.key
+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	# Should additional section of secure message also be kept clean of
+	# unsecure data. Useful to shield the users of this validator from
+	# potential bogus data in the additional section. All unsigned data
+	# in the additional section is removed from secure messages.
+	val-clean-additional: yes
+
+	# Turn permissive mode on to permit bogus messages. Thus, messages
+	# for which security checks failed will be returned to clients,
+	# instead of SERVFAIL. It still performs the security checks, which
+	# result in interesting log files and possibly the AD bit in
+	# replies if the message is found secure. The default is off.
+	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+	val-permissive-mode: no
+
+	# Serve expired responses from cache, with serve-expired-reply-ttl in
+	# the response, and then attempt to fetch the data afresh.
+	serve-expired: yes
+
+	# Limit serving of expired responses to configured seconds after
+	# expiration. 0 disables the limit.
+	serve-expired-ttl: 14400
+
+	# Have the validator log failed validations for your diagnosis.
+	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+	val-log-level: 1
+
+	# service clients over TLS (on the TCP sockets) with plain DNS inside
+	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
+	# Give the certificate to use and private key.
+	# default is "" (disabled).  requires restart to take effect.
+	# tls-service-key: "/etc/unbound/unbound_server.key"
+	# tls-service-pem: "/etc/unbound/unbound_server.pem"
+
+	# Fedora/RHEL: use system-wide crypto policies
+	tls-ciphers: "PROFILE=SYSTEM"
+
+	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
+	# Fedora defaults to yes.
+	ede: yes
+
+	# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
+	# Answer as EDNS0 option to expired responses.
+	# Note that the ede option above needs to be enabled for this to work.
+	# Fedora defaults to yes.
+	ede-serve-expired: yes
+
+	# Enable or disable ipsecmod (it still needs to be defined in
+	# module-config above). Can be used when ipsecmod needs to be
+	# enabled/disabled via remote-control(below).
+	# Fedora: module will be enabled on-demand by libreswan
+	ipsecmod-enabled: no
+
+	# Path to executable external hook. It must be defined when ipsecmod is
+	# listed in module-config (above).
+	ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook
+
+python:
+	# Script file to load
+	# python-script: "/etc/unbound/ubmodule-tst.py"
+ 
+# Remote control config section moved into own remote-control.conf
+
+#   the module-config then you need one dynlib-file per instance.
+dynlib:
+	# Script file to load
+	# dynlib-file: "/etc/unbound/dynlib.so"
+
+# Fedora: DNSCrypt support not enabled since it requires linking to
+#         another crypto library
+#
--- a/mkroot.sh
+++ b/mkroot.sh
@ -0,0 +1,17 @@
+#!/bin/sh
+
+SOURCE="/usr/share/dns-root-data/root.key"
+DEST="${1:-root.key}"
+
+mk_key() {
+echo "# Generated from $SOURCE"
+echo "# Use /var/lib/unbound/root.key instead."
+echo "trusted-keys {"
+while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
+echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
+done < "$SOURCE"
+echo "};"
+}
+
+mk_key > "$DEST"
+touch -r "$SOURCE" "$DEST"
--- a/module-setup.sh
+++ b/module-setup.sh
@ -0,0 +1,44 @@
+#!/usr/bin/bash
+
+check() {
+    require_binaries unbound unbound-checkconf unbound-control || return 1
+    # the module will be only included if explicitly required either
+    # by configuration or another module
+    return 255
+}
+
+depends() {
+    # because of pid file we need sysusers to create unbound user
+    echo systemd systemd-sysusers
+    return 0
+}
+
+install() {
+    # We have to make unbound wanted by network-online target to make sure
+    # there is a synchronization point when other services are able
+    # to make queries
+    inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
+
+    # /etc and /var/lib do not have its variables
+    inst_multiple -o \
+    "$systemdsystemunitdir"/unbound.service \
+    /etc/unbound/conf.d/remote-control.conf \
+    /etc/unbound/openssl-sha1.conf \
+    /usr/share/unbound/fedora-defaults.conf \
+    /usr/share/unbound/conf.d/*.conf \
+    /etc/unbound/local.d/*.conf \
+    /etc/unbound/keys.d/*.key \
+    /etc/unbound/unbound.conf \
+    /etc/unbound/unbound_control.key \
+    /etc/unbound/unbound_control.pem \
+    /etc/unbound/unbound_server.key \
+    /etc/unbound/unbound_server.pem \
+    "$sysusers"/unbound.conf \
+    "$tmpfilesdir"/unbound.conf \
+    /var/lib/unbound/root.key \
+    unbound \
+    unbound-checkconf \
+    unbound-control
+
+    $SYSTEMCTL -q --root "$initdir" enable unbound.service
+}
--- a/nlnetlabs2026-g2.asc
+++ b/nlnetlabs2026-g2.asc
@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE
+50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz
+0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D
+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z
+Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ
+SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO
+gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM
+LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi
+S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl
+eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+
+9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
+EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT
+l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b
+HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS
+rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/
+OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K
+vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja
+eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+
+NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV
+K6vVKMmB0qru6ERJ3g==
+=4R8U
+-----END PGP PUBLIC KEY BLOCK-----
--- a/openssl-sha1.conf
+++ b/openssl-sha1.conf
@ -0,0 +1,8 @@
+# OpenSSL configuration file to allow SHA1 validation,
+# regardless of crypto-policy selected.
+# Use it by adding into /etc/sysconfig/unbound:
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
+.include = /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
--- a/plans/all.fmf
+++ b/plans/all.fmf
@ -1,7 +1,7 @@
 summary: Test plan with all Fedora tests
 discover:
       how: fmf
-       url: https://src.fedoraproject.org/tests/unbound.git
+       url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
 execute:
       how: tmt

--- a/plans/tier1-public.fmf
+++ b/plans/tier1-public.fmf
@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
    how: fmf
-    url: https://src.fedoraproject.org/tests/unbound.git
+    url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
    filter: 'tier: 1'
 execute:
    how: tmt
--- a/remote-control-include.conf
+++ b/remote-control-include.conf
@ -0,0 +1,4 @@
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# If you want to modify remote configuration, replace this file with
+# contents of included file and modify afterwards.
+include: "/usr/share/unbound/conf.d/remote-control.conf"
--- a/remote-control.conf
+++ b/remote-control.conf
@ -0,0 +1,26 @@
+# Remote control config section update.
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# This file can be used also by: unbound-control -c <path>
+remote-control:
+	# Enable remote control with unbound-control(8) here.
+	# set up the keys and certificates with unbound-control-setup.
+	control-enable: yes
+
+	# set to an absolute path to use a unix local name pipe, certificates
+	# are not used for that, so key and cert files need not be present.
+	control-interface: "/run/unbound/control"
+
+	# For local sockets this option is ignored, and TLS is not used.
+	control-use-cert: "yes"
+
+	# Unbound server key file.
+	server-key-file: "/etc/unbound/unbound_server.key"
+
+	# Unbound server certificate file.
+	server-cert-file: "/etc/unbound/unbound_server.pem"
+
+	# unbound-control key file.
+	control-key-file: "/etc/unbound/unbound_control.key"
+
+	# unbound-control certificate file.
+	control-cert-file: "/etc/unbound/unbound_control.pem"
--- a/root.anchor
+++ b/root.anchor
@ -1 +1,2 @@
+.	172800	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 .       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
--- a/root.key
+++ b/root.key
@ -1,6 +0,0 @@
-; // The root key in bind format. This can be read by most tools, including
-; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
-trusted-keys {
-"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
-
-};
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572
-SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f
+SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
+SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
--- a/tmpfiles-unbound-libs.conf
+++ b/tmpfiles-unbound-libs.conf
@ -0,0 +1,2 @@
+d /var/lib/unbound          0755  unbound unbound -
+L /var/lib/unbound/root.key -     -       -       -   ../../../etc/unbound/dnssec-root.key
--- a/tmpfiles-unbound.conf
+++ b/tmpfiles-unbound.conf
@ -1 +1 @@
-D /run/unbound 0755 unbound unbound -
+D /run/unbound 0775 unbound root -
--- a/unbound-1.24-quic-on-demand-only.patch
+++ b/unbound-1.24-quic-on-demand-only.patch
@ -0,0 +1,171 @@
+From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 24 Nov 2025 13:44:14 +0100
+Subject: [PATCH] Do not initialize quic_table unless it is enabled
+
+Fedora in FIPS mode might fail to initialize ngtcp2 library, because
+some ciphers desired are not available.
+
+Make it possible to skip initialization by setting explicitly quic_port
+to 0. Unless we have some listeners for port 853 configured, skip its
+initialization as well.
+
+Related: https://pagure.io/freeipa/issue/9877
+---
+ daemon/daemon.c           | 14 +++++++++-----
+ services/listen_dnsport.c | 14 +++++++++++---
+ util/configparser.y       | 15 +++++++++------
+ util/netevent.c           |  3 +++
+ 4 files changed, 32 insertions(+), 14 deletions(-)
+
+diff --git a/daemon/daemon.c b/daemon/daemon.c
+index f882bb9ad..a9cc25c67 100644
+--- a/daemon/daemon.c
+++ b/daemon/daemon.c
+@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon)
+ 	verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
+ 
+ #ifdef HAVE_NGTCP2
+-	daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
+-	if(!daemon->doq_table)
+-		fatal_exit("could not create doq_table: out of memory");
+	if (cfg_has_quic(daemon->cfg)) {
+		daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
+		if(!daemon->doq_table)
+			fatal_exit("could not create doq_table: out of memory");
+	}
+ #endif
+ 	
+ 	daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
+@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon)
+ 	daemon->dnscenv = NULL;
+ #endif
+ #ifdef HAVE_NGTCP2
+-	doq_table_delete(daemon->doq_table);
+-	daemon->doq_table = NULL;
+	if (daemon->doq_table) {
+		doq_table_delete(daemon->doq_table);
+		daemon->doq_table = NULL;
+	}
+ #endif
+ 	daemon->cfg = NULL;
+ }
+diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
+index f7fcca194..ab8f1ba72 100644
+--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
+@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
+ 			cp = comm_point_create_udp(base, ports->fd,
+ 				front->udp_buff, ports->pp2_enabled, cb,
+ 				cb_arg, ports->socket);
+-		} else if(ports->ftype == listen_type_doq) {
+		} else if(ports->ftype == listen_type_doq && doq_table) {
+ #ifndef HAVE_NGTCP2
+ 			log_warn("Unbound is not compiled with "
+ 				"ngtcp2. This is required to use DNS "
+@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void)
+ struct doq_table*
+ doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
+ {
+-	struct doq_table* table = calloc(1, sizeof(*table));
+	struct doq_table* table;
+
+	if (!cfg->quic_port)
+		return NULL;
+	table = calloc(1, sizeof(*table));
+ 	if(!table)
+ 		return NULL;
+ #ifdef USE_NGTCP2_CRYPTO_OSSL
+@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg)
+ {
+ 	struct doq_table* table = (struct doq_table*)arg;
+ 	struct doq_conn* conn;
+-	if(!node)
+	if(!node || !table)
+ 		return;
+ 	conn = (struct doq_conn*)node->key;
+ 	if(conn->timer.timer_in_list) {
+@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv)
+ {
+ 	struct doq_timer key;
+ 	struct rbnode_type* node;
+	log_assert(table != NULL);
+ 	memset(&key, 0, sizeof(key));
+ 	key.time.tv_sec = tv->tv_sec;
+ 	key.time.tv_usec = tv->tv_usec;
+@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen)
+ 	key.node.key = &key;
+ 	key.cid = (void*)data;
+ 	key.cidlen = datalen;
+	log_assert(table != NULL);
+ 	node = rbtree_search(table->conid_tree, &key);
+ 	if(node)
+ 		return (struct doq_conid*)node->key;
+@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table,
+ 	struct config_file* cfg, size_t mem)
+ {
+ 	size_t cur;
+	if (!table)
+		return 0;
+ 	lock_basic_lock(&table->size_lock);
+ 	cur = table->current_size;
+ 	lock_basic_unlock(&table->size_lock);
+diff --git a/util/configparser.y b/util/configparser.y
+index bf9c196fc..f159b8cec 100644
+--- a/util/configparser.y
+++ b/util/configparser.y
+@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
+ server_quic_port: VAR_QUIC_PORT STRING_ARG
+ 	{
+ 		OUTYY(("P(server_quic_port:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2,"0")!=0)
+			yyerror("port number expected");
+		else {
+			cfg_parser->cfg->quic_port = atoi($2);
+ #ifndef HAVE_NGTCP2
+-		log_warn("%s:%d: Unbound is not compiled with "
+-			"ngtcp2. This is required to use DNS "
+-			"over QUIC.", cfg_parser->filename, cfg_parser->line);
+			if (cfg_parser->cfg->quic_port != 0)
+				log_warn("%s:%d: Unbound is not compiled with "
+					"ngtcp2. This is required to use DNS "
+					"over QUIC.", cfg_parser->filename, cfg_parser->line);
+ #endif
+-		if(atoi($2) == 0)
+-			yyerror("port number expected");
+-		else cfg_parser->cfg->quic_port = atoi($2);
+		}
+ 		free($2);
+ 	};
+ server_quic_size: VAR_QUIC_SIZE STRING_ARG
+diff --git a/util/netevent.c b/util/netevent.c
+index aedcb5e07..93db16675 100644
+--- a/util/netevent.c
+++ b/util/netevent.c
+@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd,
+ {
+ 	size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */
+ 	struct doq_server_socket* doq_socket;
+	log_assert(doq_table != NULL);
+ 	doq_socket = calloc(1, sizeof(*doq_socket));
+ 	if(!doq_socket) {
+ 		return NULL;
+@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo)
+ {
+ 	struct doq_conn* conn;
+ 	struct doq_conn_key key;
+	log_assert(table != NULL);
+ 	doq_conn_key_from_repinfo(&key, repinfo);
+ 	lock_rw_rdlock(&table->lock);
+ 	conn = doq_conn_find(table, &key.paddr.addr,
+@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer,
+ 	struct config_file* cfg)
+ {
+ #ifdef HAVE_NGTCP2
+	log_assert(table != NULL);
+ 	struct comm_point* c = (struct comm_point*)calloc(1,
+ 		sizeof(struct comm_point));
+ 	short evbits;
+-- 
+2.52.0
+
--- a/unbound-1.24-swig-function.patch
+++ b/unbound-1.24-swig-function.patch
@ -0,0 +1,26 @@
+From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 24 Oct 2025 20:20:50 +0200
+Subject: [PATCH] Use $action instead of $function in python SWIG interface
+
+$function is not supported since SWIG 4.4.0.
+---
+ libunbound/python/libunbound.i | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
+index dc12514..4576844 100644
+--- a/libunbound/python/libunbound.i
+++ b/libunbound/python/libunbound.i
+@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
+ %{ 
+   //printf("resolve_start(%lX)\n",(long unsigned int)arg1);
+   Py_BEGIN_ALLOW_THREADS 
+-  $function 
+  $action 
+   Py_END_ALLOW_THREADS 
+   //printf("resolve_stop()\n");
+ %} 
+-- 
+2.51.0
+
--- a/unbound-anchor.service
+++ b/unbound-anchor.service
@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8)
 Type=oneshot
 User=unbound
 EnvironmentFile=-/etc/sysconfig/unbound
-ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
+ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
 SuccessExitStatus=1
--- a/unbound-as112-networks.conf
+++ b/unbound-as112-networks.conf
@ -0,0 +1,118 @@
+# Allow forwarding of private ranges, which are marked forwardable by IANA
+# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
+#
+# Using this configuration file will simplify forwarding to potentially private ranges.
+# Enables forwarding of networks marked as forwardable at IANA special registry.
+# This is useful when upstream forwarder may be still inside private network. That is the case
+# when unbound works as a localhost DNS cache, not network wide resolver.
+
+server:
+	# RFC 8375: Special-Use Domain 'home.arpa.'
+	local-zone: "home.arpa." nodefault
+
+	# RFC 1918: Address Allocation for Private Internets
+	local-zone: "10.in-addr.arpa." nodefault
+	local-zone: "16.172.in-addr.arpa." nodefault
+	local-zone: "17.172.in-addr.arpa." nodefault
+	local-zone: "18.172.in-addr.arpa." nodefault
+	local-zone: "19.172.in-addr.arpa." nodefault
+	local-zone: "20.172.in-addr.arpa." nodefault
+	local-zone: "21.172.in-addr.arpa." nodefault
+	local-zone: "22.172.in-addr.arpa." nodefault
+	local-zone: "23.172.in-addr.arpa." nodefault
+	local-zone: "24.172.in-addr.arpa." nodefault
+	local-zone: "25.172.in-addr.arpa." nodefault
+	local-zone: "26.172.in-addr.arpa." nodefault
+	local-zone: "27.172.in-addr.arpa." nodefault
+	local-zone: "28.172.in-addr.arpa." nodefault
+	local-zone: "29.172.in-addr.arpa." nodefault
+	local-zone: "30.172.in-addr.arpa." nodefault
+	local-zone: "31.172.in-addr.arpa." nodefault
+	local-zone: "168.192.in-addr.arpa." nodefault
+	# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
+	local-zone: "64.100.in-addr.arpa." nodefault
+	local-zone: "65.100.in-addr.arpa." nodefault
+	local-zone: "66.100.in-addr.arpa." nodefault
+	local-zone: "67.100.in-addr.arpa." nodefault
+	local-zone: "68.100.in-addr.arpa." nodefault
+	local-zone: "69.100.in-addr.arpa." nodefault
+	local-zone: "70.100.in-addr.arpa." nodefault
+	local-zone: "71.100.in-addr.arpa." nodefault
+	local-zone: "72.100.in-addr.arpa." nodefault
+	local-zone: "73.100.in-addr.arpa." nodefault
+	local-zone: "74.100.in-addr.arpa." nodefault
+	local-zone: "75.100.in-addr.arpa." nodefault
+	local-zone: "76.100.in-addr.arpa." nodefault
+	local-zone: "77.100.in-addr.arpa." nodefault
+	local-zone: "78.100.in-addr.arpa." nodefault
+	local-zone: "79.100.in-addr.arpa." nodefault
+	local-zone: "80.100.in-addr.arpa." nodefault
+	local-zone: "81.100.in-addr.arpa." nodefault
+	local-zone: "82.100.in-addr.arpa." nodefault
+	local-zone: "83.100.in-addr.arpa." nodefault
+	local-zone: "84.100.in-addr.arpa." nodefault
+	local-zone: "85.100.in-addr.arpa." nodefault
+	local-zone: "86.100.in-addr.arpa." nodefault
+	local-zone: "87.100.in-addr.arpa." nodefault
+	local-zone: "88.100.in-addr.arpa." nodefault
+	local-zone: "89.100.in-addr.arpa." nodefault
+	local-zone: "90.100.in-addr.arpa." nodefault
+	local-zone: "91.100.in-addr.arpa." nodefault
+	local-zone: "92.100.in-addr.arpa." nodefault
+	local-zone: "93.100.in-addr.arpa." nodefault
+	local-zone: "94.100.in-addr.arpa." nodefault
+	local-zone: "95.100.in-addr.arpa." nodefault
+	local-zone: "96.100.in-addr.arpa." nodefault
+	local-zone: "97.100.in-addr.arpa." nodefault
+	local-zone: "98.100.in-addr.arpa." nodefault
+	local-zone: "99.100.in-addr.arpa." nodefault
+	local-zone: "100.100.in-addr.arpa." nodefault
+	local-zone: "101.100.in-addr.arpa." nodefault
+	local-zone: "102.100.in-addr.arpa." nodefault
+	local-zone: "103.100.in-addr.arpa." nodefault
+	local-zone: "104.100.in-addr.arpa." nodefault
+	local-zone: "105.100.in-addr.arpa." nodefault
+	local-zone: "106.100.in-addr.arpa." nodefault
+	local-zone: "107.100.in-addr.arpa." nodefault
+	local-zone: "108.100.in-addr.arpa." nodefault
+	local-zone: "109.100.in-addr.arpa." nodefault
+	local-zone: "110.100.in-addr.arpa." nodefault
+	local-zone: "111.100.in-addr.arpa." nodefault
+	local-zone: "112.100.in-addr.arpa." nodefault
+	local-zone: "113.100.in-addr.arpa." nodefault
+	local-zone: "114.100.in-addr.arpa." nodefault
+	local-zone: "115.100.in-addr.arpa." nodefault
+	local-zone: "116.100.in-addr.arpa." nodefault
+	local-zone: "117.100.in-addr.arpa." nodefault
+	local-zone: "118.100.in-addr.arpa." nodefault
+	local-zone: "119.100.in-addr.arpa." nodefault
+	local-zone: "120.100.in-addr.arpa." nodefault
+	local-zone: "121.100.in-addr.arpa." nodefault
+	local-zone: "122.100.in-addr.arpa." nodefault
+	local-zone: "123.100.in-addr.arpa." nodefault
+	local-zone: "124.100.in-addr.arpa." nodefault
+	local-zone: "125.100.in-addr.arpa." nodefault
+	local-zone: "126.100.in-addr.arpa." nodefault
+	local-zone: "127.100.in-addr.arpa." nodefault
+
+	# RFC 4193: Unique Local IPv6 Unicast Addresses
+	local-zone: "d.f.ip6.arpa." nodefault
+
+	# RFC 2606: Reserved Top Level DNS Names
+	local-zone:      "test." nodefault
+	domain-insecure: "test"
+	domain-insecure: "example"
+
+	# RFC 6762: Multicast DNS, Appendix G
+	domain-insecure: "local"
+	domain-insecure: "intranet"
+	domain-insecure: "private"
+	domain-insecure: "corp"
+	domain-insecure: "home"
+	domain-insecure: "lan"
+
+	# draft-davies-internal-tld
+	domain-insecure: "internal"
--- a/unbound-fedora-config.patch
+++ b/unbound-fedora-config.patch
@ -0,0 +1,120 @@
+From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 15 Nov 2024 13:25:34 +0100
+Subject: [PATCH] Customize unbound.conf for Fedora defaults
+
+Set some Fedora/RHEL specific changes to example configuration file. By
+patching upstream provided config file we would not need to manually
+update external copy in source RPM.
+---
+ doc/example.conf.in | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/doc/example.conf.in b/doc/example.conf.in
+index 59090c6..3a86809 100644
+--- a/doc/example.conf.in
+++ b/doc/example.conf.in
+@@ -8,6 +8,9 @@
+ # Use this anywhere in the file to include other text into this file.
+ #include: "otherfile.conf"
+
+# Default Fedora settings
+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
+
+ # Use this anywhere in the file to include other text, that explicitly starts a
+ # clause, into this file. Text after this directive needs to start a clause.
+ #include-toplevel: "otherfile.conf"
+@@ -51,11 +51,19 @@ server:
+ 	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
+ 	# specify every interface[@port] on a new 'interface:' labelled line.
+ 	# The listen interfaces are not changed on reload, only on restart.
+	# interface: 0.0.0.0
+	# interface: ::0
+ 	# interface: 192.0.2.153
+ 	# interface: 192.0.2.154
+ 	# interface: 192.0.2.154@5003
+ 	# interface: 2001:DB8::5
+ 	# interface: eth0@5003
+	#
+	# for dns over tls and raw dns over port 80
+	# interface: 0.0.0.0@443
+	# interface: ::0@443
+	# interface: 0.0.0.0@80
+	# interface: ::0@80
+ 
+ 	# enable this feature to copy the source address of queries to reply.
+ 	# Socket options are not supported on all platforms. experimental.
+@@ -285,6 +293,8 @@ server:
+ 	# nat64-prefix: 64:ff9b::0/96
+ 
+ 	# Enable UDP, "yes" or "no".
+	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
+	# disable UDP to avoid being used in DNS amplification attacks.
+ 	# do-udp: yes
+ 
+ 	# Enable TCP, "yes" or "no".
+@@ -320,6 +330,9 @@ server:
+ 	# can be dropped. Default is 0, disabled. In seconds, such as 3.
+ 	# sock-queue-timeout: 0
+ 
+	# Fedora note: do not activate this - not compiled in because
+	# it causes frequent unbound crashes. Also, socket activation
+	# is bad when you have things like dnsmasq also running with libvirt.
+ 	# Use systemd socket activation for UDP, TCP, and control sockets.
+ 	# use-systemd: no
+ 
+@@ -906,6 +919,8 @@ server:
+ 	# you need to do the reverse notation yourself.
+ 	# local-data-ptr: "192.0.2.3 www.example.com"
+ 
+	include: /etc/unbound/local.d/*.conf
+
+ 	# tag a localzone with a list of tag names (in "" with spaces between)
+ 	# local-zone-tag: "example.com" "tag2 tag3"
+ 
+@@ -916,8 +931,8 @@ server:
+ 	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
+ 	# Give the certificate to use and private key.
+ 	# default is "" (disabled).  requires restart to take effect.
+-	# tls-service-key: "path/to/privatekeyfile.key"
+-	# tls-service-pem: "path/to/publiccertfile.pem"
+	# tls-service-key: "/etc/unbound/unbound_server.key"
+	# tls-service-pem: "/etc/unbound/unbound_server.pem"
+ 	# tls-port: 853
+ 	# https-port: 443
+ 	# quic-port: 853
+@@ -1166,6 +1181,9 @@ remote-control:
+ 	# unbound-control certificate file.
+ 	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+
+# Stub and Forward zones
+include: "@sysconfdir@/unbound/conf.d/*.conf"
+
+ # Stub zones.
+ # Create entries like below, to make all queries for 'example.com' and
+ # 'example.org' go to the given list of nameservers. list zero or more
+@@ -1186,6 +1207,10 @@ remote-control:
+ #	name: "example.org"
+ #	stub-host: ns.example.com.
+ 
+# You can now also dynamically create and delete stub-zone's using
+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
+
+ # Forward zones
+ # Create entries like below, to make all queries for 'example.com' and
+ # 'example.org' go to the given list of servers. These servers have to handle
+@@ -1203,6 +1228,10 @@ remote-control:
+ # forward-zone:
+ # 	name: "example.org"
+ # 	forward-host: fwd.example.com
+#
+# You can now also dynamically create and delete forward-zone's using
+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
+ 
+ # Authority zones
+ # The data for these zones is kept locally, from a file or downloaded.
+-- 
+2.47.0
+
--- a/unbound-initrd.conf
+++ b/unbound-initrd.conf
@ -0,0 +1,5 @@
+[Unit]
+Before=network-online.target
+
+[Install]
+WantedBy=network-online.target
--- a/unbound-local-root.conf
+++ b/unbound-local-root.conf
@ -0,0 +1,30 @@
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).
+#
+# Download local root copy and answer TLD queries from it. Because
+# auth-zone has higher precedence, defined forward-zones to internal
+# only TLD will not work. Use stub-zone or disable this zone.
+# Good for a network-wide resolvers, worse for a localhost caching forwarder.
+auth-zone:
+	name: "."
+	primary: 170.247.170.2        # b.root-servers.net
+	primary: 192.33.4.12          # c.root-servers.net
+	primary: 199.7.91.13          # d.root-servers.net
+	primary: 192.5.5.241          # f.root-servers.net
+	primary: 192.112.36.4         # g.root-servers.net
+	primary: 193.0.14.129         # k.root-servers.net
+	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+	primary: 2801:1b8:10::b       # b.root-servers.net
+	primary: 2001:500:2::c        # c.root-servers.net
+	primary: 2001:500:2d::d       # d.root-servers.net
+	primary: 2001:500:2f::f       # f.root-servers.net
+	primary: 2001:500:12::d0d     # g.root-servers.net
+	primary: 2001:7fd::1          # k.root-servers.net
+	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+	fallback-enabled: yes
+	for-downstream: no
+	for-upstream: yes
--- a/unbound.conf
+++ b/unbound.conf
--- a/unbound.service
+++ b/unbound.service
@ -1,6 +1,9 @@
 [Unit]
 Description=Unbound recursive Domain Name Server
-After=network-online.target
+After=network.target
+# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
+# if interface: specifies exact address, not localhost nor wildcard
+#After=network-online.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
 After=unbound-anchor.service
@ -9,11 +12,12 @@ Before=nss-lookup.target
 Wants=nss-lookup.target

 [Service]
-Type=simple
+Type=notify
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
+Restart=on-abnormal

 [Install]
 WantedBy=multi-user.target
--- a/unbound.spec
+++ b/unbound.spec
--- a/unbound.sysconfig
+++ b/unbound.sysconfig
@ -5,3 +5,6 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"

 # for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""
+
+# Uncoment to validate SHA1 in any crypto policy
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
--- a/unbound.sysusers
+++ b/unbound.sysusers
@ -0,0 +1 @@
+u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin
--- a/wouter.nlnetlabs.nl.key
+++ b/wouter.nlnetlabs.nl.key
@ -1,123 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
-SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
-1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
-TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
-l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
-qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
-Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
-x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
-WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
-/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
-hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
-zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
-ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
-HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
-XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
-8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
-Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
-UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
-MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
-/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
-Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
-SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
-oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
-Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
-AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
-bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
-4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
-ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
-L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
-DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
-e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
-T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
-/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
-bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
-OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
-ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
-AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
-bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
-2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
-Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
-Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
-4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
-zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
-5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
-46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
-GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
-JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
-lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
-iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
-AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
-bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
-4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
-bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
-GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
-vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
-+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
-/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
-aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
-7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
-sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
-vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
-r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
-lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
-q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
-Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
-jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
-Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
-7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
-Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
-i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
-ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
-H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
-AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
-V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
-gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
-DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
-PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
-ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
-xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
-UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
-2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
-oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
-2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
-Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
-bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
-RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
-XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
-rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
-eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
-Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
-g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
-kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
-YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
-c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
-k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
-AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
-HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
-VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
-Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
-0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
-yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
-v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
-ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
-G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
-RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
-1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
-7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
-CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
-LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
-bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
-EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
-8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
-ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
-ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
-s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
-HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
-9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
-p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
-5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
-=Oqje
-----END PGP PUBLIC KEY BLOCK-----
				`@ -0,0 +1 @@`
				`u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin`