Replace downloaded key with existing Paul's key

Keep only one instance of the key.

.gitignore

@@ -85,3 +85,19 @@ unbound-1.4.5.tar.gz
 /unbound-1.19.0.tar.gz.asc
 /unbound-1.19.1.tar.gz
 /unbound-1.19.1.tar.gz.asc
+/unbound-1.19.3.tar.gz
+/unbound-1.19.3.tar.gz.asc
+/unbound-1.20.0.tar.gz
+/unbound-1.20.0.tar.gz.asc
+/unbound-1.21.0.tar.gz
+/unbound-1.21.0.tar.gz.asc
+/unbound-1.21.1.tar.gz
+/unbound-1.21.1.tar.gz.asc
+/unbound-1.22.0.tar.gz
+/unbound-1.22.0.tar.gz.asc
+/unbound-1.23.0.tar.gz
+/unbound-1.23.0.tar.gz.asc
+/unbound-1.23.1.tar.gz
+/unbound-1.23.1.tar.gz.asc
+/unbound-1.*.tar.gz
+/unbound-1.*.tar.gz.asc

Yorgos.asc

@@ -0,0 +1,128 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8
+SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv
+omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI
+qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6
+W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp
+elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4
+UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP
+YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr
+S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS
+2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr
+g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB
+tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX
+BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5
+NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d
+lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc
+BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz
+kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI
+MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL
+ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL
+8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b
+CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO
+jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv
+ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU
+OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl
+InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8
+Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC
+AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP
+8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA
+18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J
+9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc
+mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY
+HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/
+4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi
+7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7
+rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6
+AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B
+pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK
+3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS
+AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY
+Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk
+cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w
+B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT
++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J
+CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB
+CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z
+NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI
+vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW
+T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK
+Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa
+A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9
+KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh
+us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek
+Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl
+BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU
+5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO
+TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y
+Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB
+CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0
+TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4
+Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D
+Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N
+O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH
+gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E
+oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui
+6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE
+dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p
+oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa
+7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/
+btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz
+a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/
+VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H
+jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t
+hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv
+Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB
+w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw
+fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV
+CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv
+pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje
+c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A
+nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5
+t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO
+dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG
+WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH
+4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ
+PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz
+Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh
+gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf
+FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA
+b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q
+h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA
+5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5
+cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H
+Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew
+7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i
+5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w
+8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N
+jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas
+/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7
+UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ
+rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB
+EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih
+lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y
+rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW
+YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm
+ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N
+W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP
+GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf
+6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4
+hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+
+LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8
+sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm
+AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH
+pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V
+ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8
+yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ
+yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1
+0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb
+Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ
+kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc
+aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ
+GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS
+UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+
+ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g=
+=Ubkv
+-----END PGP PUBLIC KEY BLOCK-----

fedora-defaults.conf

@@ -0,0 +1,229 @@
+# Fedora distribution defaults
+
+server:
+	# verbosity number, 0 is least verbose. 1 is default.
+	verbosity: 1
+
+	# print statistics to the log (for every thread) every N seconds.
+	# Set to "" or 0 to disable. Default is disabled.
+	# Needs to be disabled for munin plugin
+	statistics-interval: 0
+
+	# enable cumulative statistics, without clearing them after printing.
+	# Needs to be disabled for munin plugin
+	statistics-cumulative: no
+
+	# enable extended statistics (query types, answer codes, status)
+	# Needs to be enabled for munin plugin
+	extended-statistics: yes
+
+	# number of threads to create. 1 disables threading.
+	# num-threads: 1
+	num-threads: 4
+
+	# specify the interfaces to answer queries from by ip-address.
+	# The default is to listen to localhost (127.0.0.1 and ::1).
+	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
+	# specify every interface[@port] on a new 'interface:' labelled line.
+	# The listen interfaces are not changed on reload, only on restart.
+	# interface: 0.0.0.0
+	# interface: ::0
+	# interface: 192.0.2.153
+	# interface: 192.0.2.154
+	# interface: 192.0.2.154@5003
+	# interface: 2001:DB8::5
+	# interface: eth0@5003
+	#
+	# for dns over tls and raw dns over port 80
+	# interface: 0.0.0.0@443
+	# interface: ::0@443
+	# interface: 0.0.0.0@80
+	# interface: ::0@80
+
+	# enable this feature to copy the source address of queries to reply.
+	# Socket options are not supported on all platforms. experimental.
+	# interface-automatic: yes
+	#
+	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+	# NOTE: Disabled per Fedora policy not to listen to * on default install
+	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+	interface-automatic: no
+
+	# permit Unbound to use this port number or port range for
+	# making outgoing queries, using an outgoing interface.
+	# Only ephemeral ports are allowed by SElinux
+	outgoing-port-permit: 32768-60999
+
+	# IANA-assigned port numbers.
+	# If multiple outgoing-port-permit and outgoing-port-avoid options
+	# are present, they are processed in order.
+	# Our SElinux policy does not allow non-ephemeral ports to be used
+	outgoing-port-avoid: 0-32767
+	outgoing-port-avoid: 61000-65535
+
+	# use SO_REUSEPORT to distribute queries over threads.
+	# at extreme load it could be better to turn it off to distribute even.
+	so-reuseport: yes
+	 
+	# use IP_TRANSPARENT so the interface: addresses can be non-local
+	# and you can config non-existing IPs that are going to work later on
+	# (uses IP_BINDANY on FreeBSD).
+	ip-transparent: yes
+
+	# Enable UDP, "yes" or "no".
+	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
+	# disable UDP to avoid being used in DNS amplification attacks.
+	# do-udp: yes
+
+	# Enable EDNS TCP keepalive option.
+	edns-tcp-keepalive: yes
+
+	# Fedora note: do not activate this - not compiled in because
+	# it causes frequent unbound crashes. Also, socket activation
+	# is bad when you have things like dnsmasq also running with libvirt.
+	# Use systemd socket activation for UDP, TCP, and control sockets.
+	# use-systemd: no
+
+	# If you give "" no chroot is performed. The path must not end in a /.
+	# chroot: "/etc/unbound"
+	chroot: ""
+
+	# If you give a server: directory: dir before include: file statements
+	# then those includes can be relative to the working directory.
+	directory: "/etc/unbound"
+
+	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+	log-time-ascii: yes
+
+	# Harden against unseemly large queries.
+	harden-large-queries: yes
+
+	# Harden against unverified (outside-zone, including sibling zone) glue rrsets
+	harden-unverified-glue: yes
+
+	# Default off, because the lookups burden the server.  Experimental
+	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+	harden-referral-path: yes
+
+	# Sent minimum amount of information to upstream servers to enhance
+	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+	# to A when possible.
+	qname-minimisation: yes
+
+	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+	# and other denials, using information from previous NXDOMAINs answers.
+	aggressive-nsec: yes
+
+	# threshold, a warning is printed and a defensive action is taken,
+	# the cache is cleared to flush potential poison out of it.
+	# A suggested value is 10000000, the default is 0 (turned off).
+	unwanted-reply-threshold: 10000000
+
+	# if yes, perform prefetching of almost expired message cache entries.
+	prefetch: yes
+
+	# if yes, perform key lookups adjacent to normal lookups.
+	prefetch-key: yes
+
+	# deny queries of type ANY with an empty response.
+	deny-any: yes
+
+	# if yes, Unbound rotates RRSet order in response.
+	rrset-roundrobin: yes
+
+	# if yes, Unbound doesn't insert authority/additional sections
+	# into response messages when those sections are not required.
+	minimal-responses: yes
+
+	# module configuration of the server. A string with identifiers
+	# separated by spaces. Syntax: "[dns64] [validator] iterator"
+	# most modules have to be listed at the beginning of the line,
+	# except cachedb(just before iterator), and python (at the beginning,
+	# or, just before the iterator).
+	# For redis cachedb use:
+	#    "ipsecmod validator cachedb iterator"
+	module-config: "ipsecmod validator iterator"
+
+	# trust anchor signaling sends a RFC8145 key tag query after priming.
+	trust-anchor-signaling: yes
+
+	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
+	root-key-sentinel: yes
+
+	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
+	# you need external update procedures to track changes in keys.
+	# trusted-keys-file: ""
+	#
+	trusted-keys-file: /etc/unbound/keys.d/*.key
+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	# Should additional section of secure message also be kept clean of
+	# unsecure data. Useful to shield the users of this validator from
+	# potential bogus data in the additional section. All unsigned data
+	# in the additional section is removed from secure messages.
+	val-clean-additional: yes
+
+	# Turn permissive mode on to permit bogus messages. Thus, messages
+	# for which security checks failed will be returned to clients,
+	# instead of SERVFAIL. It still performs the security checks, which
+	# result in interesting log files and possibly the AD bit in
+	# replies if the message is found secure. The default is off.
+	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+	val-permissive-mode: no
+
+	# Serve expired responses from cache, with serve-expired-reply-ttl in
+	# the response, and then attempt to fetch the data afresh.
+	serve-expired: yes
+
+	# Limit serving of expired responses to configured seconds after
+	# expiration. 0 disables the limit.
+	serve-expired-ttl: 14400
+
+	# Have the validator log failed validations for your diagnosis.
+	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+	val-log-level: 1
+
+	# service clients over TLS (on the TCP sockets) with plain DNS inside
+	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
+	# Give the certificate to use and private key.
+	# default is "" (disabled).  requires restart to take effect.
+	# tls-service-key: "/etc/unbound/unbound_server.key"
+	# tls-service-pem: "/etc/unbound/unbound_server.pem"
+
+	# Fedora/RHEL: use system-wide crypto policies
+	tls-ciphers: "PROFILE=SYSTEM"
+
+	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
+	# Fedora defaults to yes.
+	ede: yes
+
+	# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
+	# Answer as EDNS0 option to expired responses.
+	# Note that the ede option above needs to be enabled for this to work.
+	# Fedora defaults to yes.
+	ede-serve-expired: yes
+
+	# Enable or disable ipsecmod (it still needs to be defined in
+	# module-config above). Can be used when ipsecmod needs to be
+	# enabled/disabled via remote-control(below).
+	# Fedora: module will be enabled on-demand by libreswan
+	ipsecmod-enabled: no
+
+	# Path to executable external hook. It must be defined when ipsecmod is
+	# listed in module-config (above).
+	ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook
+
+python:
+	# Script file to load
+	# python-script: "/etc/unbound/ubmodule-tst.py"
+ 
+# Remote control config section moved into own remote-control.conf
+
+#   the module-config then you need one dynlib-file per instance.
+dynlib:
+	# Script file to load
+	# dynlib-file: "/etc/unbound/dynlib.so"
+
+# Fedora: DNSCrypt support not enabled since it requires linking to
+#         another crypto library
+#

mkroot.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+SOURCE="/usr/share/dns-root-data/root.key"
+DEST="${1:-root.key}"
+
+mk_key() {
+echo "# Generated from $SOURCE"
+echo "# Use /var/lib/unbound/root.key instead."
+echo "trusted-keys {"
+while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
+echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
+done < "$SOURCE"
+echo "};"
+}
+
+mk_key > "$DEST"
+touch -r "$SOURCE" "$DEST"

module-setup.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/bash
+
+check() {
+    require_binaries unbound unbound-checkconf unbound-control || return 1
+    # the module will be only included if explicitly required either
+    # by configuration or another module
+    return 255
+}
+
+depends() {
+    # because of pid file we need sysusers to create unbound user
+    echo systemd systemd-sysusers
+    return 0
+}
+
+install() {
+    # We have to make unbound wanted by network-online target to make sure
+    # there is a synchronization point when other services are able
+    # to make queries
+    inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
+
+    # /etc and /var/lib do not have its variables
+    inst_multiple -o \
+    "$systemdsystemunitdir"/unbound.service \
+    /etc/unbound/conf.d/remote-control.conf \
+    /etc/unbound/openssl-sha1.conf \
+    /usr/share/unbound/fedora-defaults.conf \
+    /usr/share/unbound/conf.d/*.conf \
+    /etc/unbound/local.d/*.conf \
+    /etc/unbound/keys.d/*.key \
+    /etc/unbound/unbound.conf \
+    /etc/unbound/unbound_control.key \
+    /etc/unbound/unbound_control.pem \
+    /etc/unbound/unbound_server.key \
+    /etc/unbound/unbound_server.pem \
+    "$sysusers"/unbound.conf \
+    "$tmpfilesdir"/unbound.conf \
+    /var/lib/unbound/root.key \
+    unbound \
+    unbound-checkconf \
+    unbound-control
+
+    $SYSTEMCTL -q --root "$initdir" enable unbound.service
+}

nlnetlabs2026-g2.asc

@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE
+50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz
+0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D
++kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z
+Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ
+SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO
+gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM
+LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi
+S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl
+eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+
+9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
+EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT
+l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b
+HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS
+rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/
+OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K
+vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja
+eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+
+NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV
+K6vVKMmB0qru6ERJ3g==
+=4R8U
+-----END PGP PUBLIC KEY BLOCK-----

openssl-sha1.conf

@@ -0,0 +1,8 @@
+# OpenSSL configuration file to allow SHA1 validation,
+# regardless of crypto-policy selected.
+# Use it by adding into /etc/sysconfig/unbound:
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
+.include = /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes

plans/all.fmf

@@ -1,7 +1,7 @@
 summary: Test plan with all Fedora tests
 discover:
        how: fmf
-       url: https://src.fedoraproject.org/tests/unbound.git
+       url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
 execute:
        how: tmt
 

plans/tier1-public.fmf

@@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
     how: fmf
-    url: https://src.fedoraproject.org/tests/unbound.git
+    url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
     filter: 'tier: 1'
 execute:
     how: tmt

remote-control-include.conf

@@ -0,0 +1,4 @@
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# If you want to modify remote configuration, replace this file with
+# contents of included file and modify afterwards.
+include: "/usr/share/unbound/conf.d/remote-control.conf"

remote-control.conf

@@ -0,0 +1,26 @@
+# Remote control config section update.
+# Previous defaults allowed any process to change settings, CVE-2023-1488
+# This file can be used also by: unbound-control -c <path>
+remote-control:
+	# Enable remote control with unbound-control(8) here.
+	# set up the keys and certificates with unbound-control-setup.
+	control-enable: yes
+
+	# set to an absolute path to use a unix local name pipe, certificates
+	# are not used for that, so key and cert files need not be present.
+	control-interface: "/run/unbound/control"
+
+	# For local sockets this option is ignored, and TLS is not used.
+	control-use-cert: "yes"
+
+	# Unbound server key file.
+	server-key-file: "/etc/unbound/unbound_server.key"
+
+	# Unbound server certificate file.
+	server-cert-file: "/etc/unbound/unbound_server.pem"
+
+	# unbound-control key file.
+	control-key-file: "/etc/unbound/unbound_control.key"
+
+	# unbound-control certificate file.
+	control-cert-file: "/etc/unbound/unbound_control.pem"

root.anchor

@@ -1 +1,2 @@
+.	172800	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 .       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}

root.key

@@ -1,6 +0,0 @@
-; // The root key in bind format. This can be read by most tools, including
-; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
-trusted-keys {
-"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
-
-};

sources

@@ -1,2 +1,2 @@
-SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a
-SHA512 (unbound-1.19.1.tar.gz.asc) = 2e4c6b7df844d1fb93d948791a20b9ff201bd1e6de6c89a830ddce06e24e5d770409265005f549757ef3a9c99d11b9860ae21711425d76d42bf2c33240dd3b52
+SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
+SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21

tmpfiles-unbound-libs.conf

@@ -0,0 +1,2 @@
+d /var/lib/unbound          0755  unbound unbound -
+L /var/lib/unbound/root.key -     -       -       -   ../../../etc/unbound/dnssec-root.key

tmpfiles-unbound.conf

@@ -1 +1 @@
-D /run/unbound 0755 unbound unbound -
+D /run/unbound 0775 unbound root -

unbound-1.19-EDE-cpu-lock.patch

@@ -1,14 +0,0 @@
-diff --git a/unbound-1.19.1/util/data/msgencode.c b/unbound-1.19.1/util/data/msgencode.c
-index 80ae33a38..898ff8412 100644
---- a/unbound-1.19.1/util/data/msgencode.c
-+++ b/unbound-1.19.1/util/data/msgencode.c
-@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list)
- 				curr->opt_len = 2;
- 				prev = curr;
- 				curr = curr->next;
-+			} else {
-+				prev = curr;
-+				curr = curr->next;
- 			}
- 		} else {
- 			/* continue */

unbound-1.19-b.root-servers.net-conf.patch

@@ -1,38 +0,0 @@
-From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Tue, 16 Jan 2024 16:13:29 +0100
-Subject: [PATCH] Update b.root-servers.net also in example config file
-
-Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which
-updated only address specified in code. But addresses provided in
-example configuration were not updated, I think they should be updated
-too.
----
- unbound-1.19.0/doc/example.conf.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in
-index b79a322..3a15357 100644
---- a/unbound-1.19.0/doc/example.conf.in
-+++ b/unbound-1.19.0/doc/example.conf.in
-@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf
- # notifies.
- auth-zone:
- 	name: "."
--	primary: 199.9.14.201         # b.root-servers.net
-+	primary: 170.247.170.2        # b.root-servers.net
- 	primary: 192.33.4.12          # c.root-servers.net
- 	primary: 199.7.91.13          # d.root-servers.net
- 	primary: 192.5.5.241          # f.root-servers.net
-@@ -1211,7 +1211,7 @@ auth-zone:
- 	primary: 193.0.14.129         # k.root-servers.net
- 	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
- 	primary: 192.0.32.132         # xfr.lax.dns.icann.org
--	primary: 2001:500:200::b      # b.root-servers.net
-+	primary: 2801:1b8:10::b       # b.root-servers.net
- 	primary: 2001:500:2::c        # c.root-servers.net
- 	primary: 2001:500:2d::d       # d.root-servers.net
- 	primary: 2001:500:2f::f       # f.root-servers.net
--- 
-2.43.0
-

unbound-1.19-b.root-servers.net.patch

@@ -1,35 +0,0 @@
-From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001
-From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
-Date: Wed, 6 Dec 2023 13:25:58 +0100
-Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in
- root hints.
-
----
- unbound-1.19.0/iterator/iter_hints.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c
-index a60d9a6..6b56daa 100644
---- a/unbound-1.19.0/iterator/iter_hints.c
-+++ b/unbound-1.19.0/iterator/iter_hints.c
-@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
- 	dp->has_parent_side_NS = 1;
-       if(do_ip4) {
- 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4"))	goto failed;
--	if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
-+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2"))	goto failed;
- 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12"))	goto failed;
- 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13"))	goto failed;
- 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
-@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
-       }
-       if(do_ip6) {
- 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
--	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
-+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
- 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
- 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
- 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
--- 
-2.43.0
-

unbound-1.24-quic-on-demand-only.patch

@@ -0,0 +1,171 @@
+From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 24 Nov 2025 13:44:14 +0100
+Subject: [PATCH] Do not initialize quic_table unless it is enabled
+
+Fedora in FIPS mode might fail to initialize ngtcp2 library, because
+some ciphers desired are not available.
+
+Make it possible to skip initialization by setting explicitly quic_port
+to 0. Unless we have some listeners for port 853 configured, skip its
+initialization as well.
+
+Related: https://pagure.io/freeipa/issue/9877
+---
+ daemon/daemon.c           | 14 +++++++++-----
+ services/listen_dnsport.c | 14 +++++++++++---
+ util/configparser.y       | 15 +++++++++------
+ util/netevent.c           |  3 +++
+ 4 files changed, 32 insertions(+), 14 deletions(-)
+
+diff --git a/daemon/daemon.c b/daemon/daemon.c
+index f882bb9ad..a9cc25c67 100644
+--- a/daemon/daemon.c
++++ b/daemon/daemon.c
+@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon)
+ 	verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
+ 
+ #ifdef HAVE_NGTCP2
+-	daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
+-	if(!daemon->doq_table)
+-		fatal_exit("could not create doq_table: out of memory");
++	if (cfg_has_quic(daemon->cfg)) {
++		daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
++		if(!daemon->doq_table)
++			fatal_exit("could not create doq_table: out of memory");
++	}
+ #endif
+ 	
+ 	daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
+@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon)
+ 	daemon->dnscenv = NULL;
+ #endif
+ #ifdef HAVE_NGTCP2
+-	doq_table_delete(daemon->doq_table);
+-	daemon->doq_table = NULL;
++	if (daemon->doq_table) {
++		doq_table_delete(daemon->doq_table);
++		daemon->doq_table = NULL;
++	}
+ #endif
+ 	daemon->cfg = NULL;
+ }
+diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
+index f7fcca194..ab8f1ba72 100644
+--- a/services/listen_dnsport.c
++++ b/services/listen_dnsport.c
+@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
+ 			cp = comm_point_create_udp(base, ports->fd,
+ 				front->udp_buff, ports->pp2_enabled, cb,
+ 				cb_arg, ports->socket);
+-		} else if(ports->ftype == listen_type_doq) {
++		} else if(ports->ftype == listen_type_doq && doq_table) {
+ #ifndef HAVE_NGTCP2
+ 			log_warn("Unbound is not compiled with "
+ 				"ngtcp2. This is required to use DNS "
+@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void)
+ struct doq_table*
+ doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
+ {
+-	struct doq_table* table = calloc(1, sizeof(*table));
++	struct doq_table* table;
++
++	if (!cfg->quic_port)
++		return NULL;
++	table = calloc(1, sizeof(*table));
+ 	if(!table)
+ 		return NULL;
+ #ifdef USE_NGTCP2_CRYPTO_OSSL
+@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg)
+ {
+ 	struct doq_table* table = (struct doq_table*)arg;
+ 	struct doq_conn* conn;
+-	if(!node)
++	if(!node || !table)
+ 		return;
+ 	conn = (struct doq_conn*)node->key;
+ 	if(conn->timer.timer_in_list) {
+@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv)
+ {
+ 	struct doq_timer key;
+ 	struct rbnode_type* node;
++	log_assert(table != NULL);
+ 	memset(&key, 0, sizeof(key));
+ 	key.time.tv_sec = tv->tv_sec;
+ 	key.time.tv_usec = tv->tv_usec;
+@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen)
+ 	key.node.key = &key;
+ 	key.cid = (void*)data;
+ 	key.cidlen = datalen;
++	log_assert(table != NULL);
+ 	node = rbtree_search(table->conid_tree, &key);
+ 	if(node)
+ 		return (struct doq_conid*)node->key;
+@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table,
+ 	struct config_file* cfg, size_t mem)
+ {
+ 	size_t cur;
++	if (!table)
++		return 0;
+ 	lock_basic_lock(&table->size_lock);
+ 	cur = table->current_size;
+ 	lock_basic_unlock(&table->size_lock);
+diff --git a/util/configparser.y b/util/configparser.y
+index bf9c196fc..f159b8cec 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
+ server_quic_port: VAR_QUIC_PORT STRING_ARG
+ 	{
+ 		OUTYY(("P(server_quic_port:%s)\n", $2));
++		if(atoi($2) == 0 && strcmp($2,"0")!=0)
++			yyerror("port number expected");
++		else {
++			cfg_parser->cfg->quic_port = atoi($2);
+ #ifndef HAVE_NGTCP2
+-		log_warn("%s:%d: Unbound is not compiled with "
+-			"ngtcp2. This is required to use DNS "
+-			"over QUIC.", cfg_parser->filename, cfg_parser->line);
++			if (cfg_parser->cfg->quic_port != 0)
++				log_warn("%s:%d: Unbound is not compiled with "
++					"ngtcp2. This is required to use DNS "
++					"over QUIC.", cfg_parser->filename, cfg_parser->line);
+ #endif
+-		if(atoi($2) == 0)
+-			yyerror("port number expected");
+-		else cfg_parser->cfg->quic_port = atoi($2);
++		}
+ 		free($2);
+ 	};
+ server_quic_size: VAR_QUIC_SIZE STRING_ARG
+diff --git a/util/netevent.c b/util/netevent.c
+index aedcb5e07..93db16675 100644
+--- a/util/netevent.c
++++ b/util/netevent.c
+@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd,
+ {
+ 	size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */
+ 	struct doq_server_socket* doq_socket;
++	log_assert(doq_table != NULL);
+ 	doq_socket = calloc(1, sizeof(*doq_socket));
+ 	if(!doq_socket) {
+ 		return NULL;
+@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo)
+ {
+ 	struct doq_conn* conn;
+ 	struct doq_conn_key key;
++	log_assert(table != NULL);
+ 	doq_conn_key_from_repinfo(&key, repinfo);
+ 	lock_rw_rdlock(&table->lock);
+ 	conn = doq_conn_find(table, &key.paddr.addr,
+@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer,
+ 	struct config_file* cfg)
+ {
+ #ifdef HAVE_NGTCP2
++	log_assert(table != NULL);
+ 	struct comm_point* c = (struct comm_point*)calloc(1,
+ 		sizeof(struct comm_point));
+ 	short evbits;
+-- 
+2.52.0
+

unbound-1.24-swig-function.patch

@@ -0,0 +1,26 @@
+From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 24 Oct 2025 20:20:50 +0200
+Subject: [PATCH] Use $action instead of $function in python SWIG interface
+
+$function is not supported since SWIG 4.4.0.
+---
+ libunbound/python/libunbound.i | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
+index dc12514..4576844 100644
+--- a/libunbound/python/libunbound.i
++++ b/libunbound/python/libunbound.i
+@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
+ %{ 
+   //printf("resolve_start(%lX)\n",(long unsigned int)arg1);
+   Py_BEGIN_ALLOW_THREADS 
+-  $function 
++  $action 
+   Py_END_ALLOW_THREADS 
+   //printf("resolve_stop()\n");
+ %} 
+-- 
+2.51.0
+

unbound-anchor.service

@@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8)
 Type=oneshot
 User=unbound
 EnvironmentFile=-/etc/sysconfig/unbound
-ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
+ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
 SuccessExitStatus=1

unbound-as112-networks.conf

@@ -0,0 +1,118 @@
+# Allow forwarding of private ranges, which are marked forwardable by IANA
+# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
+#
+# Using this configuration file will simplify forwarding to potentially private ranges.
+# Enables forwarding of networks marked as forwardable at IANA special registry.
+# This is useful when upstream forwarder may be still inside private network. That is the case
+# when unbound works as a localhost DNS cache, not network wide resolver.
+
+server:
+	# RFC 8375: Special-Use Domain 'home.arpa.'
+	local-zone: "home.arpa." nodefault
+
+	# RFC 1918: Address Allocation for Private Internets
+	local-zone: "10.in-addr.arpa." nodefault
+	local-zone: "16.172.in-addr.arpa." nodefault
+	local-zone: "17.172.in-addr.arpa." nodefault
+	local-zone: "18.172.in-addr.arpa." nodefault
+	local-zone: "19.172.in-addr.arpa." nodefault
+	local-zone: "20.172.in-addr.arpa." nodefault
+	local-zone: "21.172.in-addr.arpa." nodefault
+	local-zone: "22.172.in-addr.arpa." nodefault
+	local-zone: "23.172.in-addr.arpa." nodefault
+	local-zone: "24.172.in-addr.arpa." nodefault
+	local-zone: "25.172.in-addr.arpa." nodefault
+	local-zone: "26.172.in-addr.arpa." nodefault
+	local-zone: "27.172.in-addr.arpa." nodefault
+	local-zone: "28.172.in-addr.arpa." nodefault
+	local-zone: "29.172.in-addr.arpa." nodefault
+	local-zone: "30.172.in-addr.arpa." nodefault
+	local-zone: "31.172.in-addr.arpa." nodefault
+	local-zone: "168.192.in-addr.arpa." nodefault
+	# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
+	local-zone: "64.100.in-addr.arpa." nodefault
+	local-zone: "65.100.in-addr.arpa." nodefault
+	local-zone: "66.100.in-addr.arpa." nodefault
+	local-zone: "67.100.in-addr.arpa." nodefault
+	local-zone: "68.100.in-addr.arpa." nodefault
+	local-zone: "69.100.in-addr.arpa." nodefault
+	local-zone: "70.100.in-addr.arpa." nodefault
+	local-zone: "71.100.in-addr.arpa." nodefault
+	local-zone: "72.100.in-addr.arpa." nodefault
+	local-zone: "73.100.in-addr.arpa." nodefault
+	local-zone: "74.100.in-addr.arpa." nodefault
+	local-zone: "75.100.in-addr.arpa." nodefault
+	local-zone: "76.100.in-addr.arpa." nodefault
+	local-zone: "77.100.in-addr.arpa." nodefault
+	local-zone: "78.100.in-addr.arpa." nodefault
+	local-zone: "79.100.in-addr.arpa." nodefault
+	local-zone: "80.100.in-addr.arpa." nodefault
+	local-zone: "81.100.in-addr.arpa." nodefault
+	local-zone: "82.100.in-addr.arpa." nodefault
+	local-zone: "83.100.in-addr.arpa." nodefault
+	local-zone: "84.100.in-addr.arpa." nodefault
+	local-zone: "85.100.in-addr.arpa." nodefault
+	local-zone: "86.100.in-addr.arpa." nodefault
+	local-zone: "87.100.in-addr.arpa." nodefault
+	local-zone: "88.100.in-addr.arpa." nodefault
+	local-zone: "89.100.in-addr.arpa." nodefault
+	local-zone: "90.100.in-addr.arpa." nodefault
+	local-zone: "91.100.in-addr.arpa." nodefault
+	local-zone: "92.100.in-addr.arpa." nodefault
+	local-zone: "93.100.in-addr.arpa." nodefault
+	local-zone: "94.100.in-addr.arpa." nodefault
+	local-zone: "95.100.in-addr.arpa." nodefault
+	local-zone: "96.100.in-addr.arpa." nodefault
+	local-zone: "97.100.in-addr.arpa." nodefault
+	local-zone: "98.100.in-addr.arpa." nodefault
+	local-zone: "99.100.in-addr.arpa." nodefault
+	local-zone: "100.100.in-addr.arpa." nodefault
+	local-zone: "101.100.in-addr.arpa." nodefault
+	local-zone: "102.100.in-addr.arpa." nodefault
+	local-zone: "103.100.in-addr.arpa." nodefault
+	local-zone: "104.100.in-addr.arpa." nodefault
+	local-zone: "105.100.in-addr.arpa." nodefault
+	local-zone: "106.100.in-addr.arpa." nodefault
+	local-zone: "107.100.in-addr.arpa." nodefault
+	local-zone: "108.100.in-addr.arpa." nodefault
+	local-zone: "109.100.in-addr.arpa." nodefault
+	local-zone: "110.100.in-addr.arpa." nodefault
+	local-zone: "111.100.in-addr.arpa." nodefault
+	local-zone: "112.100.in-addr.arpa." nodefault
+	local-zone: "113.100.in-addr.arpa." nodefault
+	local-zone: "114.100.in-addr.arpa." nodefault
+	local-zone: "115.100.in-addr.arpa." nodefault
+	local-zone: "116.100.in-addr.arpa." nodefault
+	local-zone: "117.100.in-addr.arpa." nodefault
+	local-zone: "118.100.in-addr.arpa." nodefault
+	local-zone: "119.100.in-addr.arpa." nodefault
+	local-zone: "120.100.in-addr.arpa." nodefault
+	local-zone: "121.100.in-addr.arpa." nodefault
+	local-zone: "122.100.in-addr.arpa." nodefault
+	local-zone: "123.100.in-addr.arpa." nodefault
+	local-zone: "124.100.in-addr.arpa." nodefault
+	local-zone: "125.100.in-addr.arpa." nodefault
+	local-zone: "126.100.in-addr.arpa." nodefault
+	local-zone: "127.100.in-addr.arpa." nodefault
+
+	# RFC 4193: Unique Local IPv6 Unicast Addresses
+	local-zone: "d.f.ip6.arpa." nodefault
+
+	# RFC 2606: Reserved Top Level DNS Names
+	local-zone:      "test." nodefault
+	domain-insecure: "test"
+	domain-insecure: "example"
+
+	# RFC 6762: Multicast DNS, Appendix G
+	domain-insecure: "local"
+	domain-insecure: "intranet"
+	domain-insecure: "private"
+	domain-insecure: "corp"
+	domain-insecure: "home"
+	domain-insecure: "lan"
+
+	# draft-davies-internal-tld
+	domain-insecure: "internal"

unbound-fedora-config.patch

@@ -1,60 +1,30 @@
-From 77710cef1d7001fc52b7f19b0b9e305fd355f07e Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Fri, 10 Nov 2023 12:58:31 +0100
+From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Fri, 15 Nov 2024 13:25:34 +0100
 Subject: [PATCH] Customize unbound.conf for Fedora defaults
 
 Set some Fedora/RHEL specific changes to example configuration file. By
 patching upstream provided config file we would not need to manually
 update external copy in source RPM.
 ---
- unbound-1.19.1/doc/example.conf.in | 200 ++++++++++++++++++-----------
- 1 file changed, 127 insertions(+), 73 deletions(-)
+ doc/example.conf.in | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
 
-diff --git a/unbound-1.19.1/doc/example.conf.in b/unbound-1.19.1/doc/example.conf.in
-index fcfb1da..a61b530 100644
---- a/unbound-1.19.1/doc/example.conf.in
-+++ b/unbound-1.19.1/doc/example.conf.in
-@@ -17,11 +17,12 @@ server:
- 	# whitespace is not necessary, but looks cleaner.
- 
- 	# verbosity number, 0 is least verbose. 1 is default.
--	# verbosity: 1
-+	verbosity: 1
- 
- 	# print statistics to the log (for every thread) every N seconds.
- 	# Set to "" or 0 to disable. Default is disabled.
--	# statistics-interval: 0
-+	# Needs to be disabled for munin plugin
-+	statistics-interval: 0
- 
- 	# enable shm for stats, default no.  if you enable also enable
- 	# statistics-interval, every time it also writes stats to the
-@@ -32,11 +33,13 @@ server:
- 	# shm-key: 11777
- 
- 	# enable cumulative statistics, without clearing them after printing.
--	# statistics-cumulative: no
-+	# Needs to be disabled for munin plugin
-+	statistics-cumulative: no
- 
- 	# enable extended statistics (query types, answer codes, status)
--	# printed from unbound-control. Default off, because of speed.
--	# extended-statistics: no
-+	# printed from unbound-control. default off, because of speed.
-+	# Needs to be enabled for munin plugin
-+	extended-statistics: yes
- 
- 	# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
- 	# rpz-actions) from printing if their value is 0.
-@@ -44,22 +47,35 @@ server:
- 	# statistics-inhibit-zero: yes
- 
- 	# number of threads to create. 1 disables threading.
--	# num-threads: 1
-+	num-threads: 4
- 
- 	# specify the interfaces to answer queries from by ip-address.
- 	# The default is to listen to localhost (127.0.0.1 and ::1).
+diff --git a/doc/example.conf.in b/doc/example.conf.in
+index 59090c6..3a86809 100644
+--- a/doc/example.conf.in
++++ b/doc/example.conf.in
+@@ -8,6 +8,9 @@
+ # Use this anywhere in the file to include other text into this file.
+ #include: "otherfile.conf"
+
++# Default Fedora settings
++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
++
+ # Use this anywhere in the file to include other text, that explicitly starts a
+ # clause, into this file. Text after this directive needs to start a clause.
+ #include-toplevel: "otherfile.conf"
+@@ -51,11 +51,19 @@ server:
  	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
  	# specify every interface[@port] on a new 'interface:' labelled line.
  	# The listen interfaces are not changed on reload, only on restart.
@@ -74,53 +44,7 @@ index fcfb1da..a61b530 100644
  
  	# enable this feature to copy the source address of queries to reply.
  	# Socket options are not supported on all platforms. experimental.
--	# interface-automatic: no
-+	# interface-automatic: yes
-+	#
-+	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
-+	# NOTE: Disabled per Fedora policy not to listen to * on default install
-+	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
-+	interface-automatic: no
- 
- 	# instead of the default port, open additional ports separated by
- 	# spaces when interface-automatic is enabled, by listing them here.
-@@ -94,7 +110,8 @@ server:
- 
- 	# permit Unbound to use this port number or port range for
- 	# making outgoing queries, using an outgoing interface.
--	# outgoing-port-permit: 32768
-+	# Only ephemeral ports are allowed by SElinux
-+	outgoing-port-permit: 32768-60999
- 
- 	# deny Unbound the use this of port number or port range for
- 	# making outgoing queries, using an outgoing interface.
-@@ -103,7 +120,9 @@ server:
- 	# IANA-assigned port numbers.
- 	# If multiple outgoing-port-permit and outgoing-port-avoid options
- 	# are present, they are processed in order.
--	# outgoing-port-avoid: "3200-3208"
-+	# Our SElinux policy does not allow non-ephemeral ports to be used
-+	outgoing-port-avoid: 0-32767
-+	outgoing-port-avoid: 61000-65535
- 
- 	# number of outgoing simultaneous tcp buffers to hold per thread.
- 	# outgoing-num-tcp: 10
-@@ -121,12 +140,12 @@ server:
- 
- 	# use SO_REUSEPORT to distribute queries over threads.
- 	# at extreme load it could be better to turn it off to distribute even.
--	# so-reuseport: yes
-+	so-reuseport: yes
- 
- 	# use IP_TRANSPARENT so the interface: addresses can be non-local
- 	# and you can config non-existing IPs that are going to work later on
- 	# (uses IP_BINDANY on FreeBSD).
--	# ip-transparent: no
-+	ip-transparent: yes
- 
- 	# use IP_FREEBIND so the interface: addresses can be non-local
- 	# and you can bind to nonexisting IPs and interfaces that are down.
-@@ -256,6 +275,8 @@ server:
+@@ -285,6 +293,8 @@ server:
  	# nat64-prefix: 64:ff9b::0/96
  
  	# Enable UDP, "yes" or "no".
@@ -129,16 +53,7 @@ index fcfb1da..a61b530 100644
  	# do-udp: yes
  
  	# Enable TCP, "yes" or "no".
-@@ -281,7 +302,7 @@ server:
- 	# tcp-idle-timeout: 30000
- 
- 	# Enable EDNS TCP keepalive option.
--	# edns-tcp-keepalive: no
-+	edns-tcp-keepalive: yes
- 
- 	# Timeout for EDNS TCP keepalive, in msec.
- 	# edns-tcp-keepalive-timeout: 120000
-@@ -290,6 +311,9 @@ server:
+@@ -320,6 +330,9 @@ server:
  	# can be dropped. Default is 0, disabled. In seconds, such as 3.
  	# sock-queue-timeout: 0
  
@@ -148,188 +63,7 @@ index fcfb1da..a61b530 100644
  	# Use systemd socket activation for UDP, TCP, and control sockets.
  	# use-systemd: no
  
-@@ -402,6 +426,7 @@ server:
- 	#
- 	# If you give "" no chroot is performed. The path must not end in a /.
- 	# chroot: "@UNBOUND_CHROOT_DIR@"
-+	chroot: ""
- 
- 	# if given, user privileges are dropped (after binding port),
- 	# and the given username is assumed. Default is user "unbound".
-@@ -413,7 +438,7 @@ server:
- 	# is not changed.
- 	# If you give a server: directory: dir before include: file statements
- 	# then those includes can be relative to the working directory.
--	# directory: "@UNBOUND_RUN_DIR@"
-+	directory: "/etc/unbound"
- 
- 	# the log file, "" means log to stderr.
- 	# Use of this option sets use-syslog to "no".
-@@ -428,7 +453,7 @@ server:
- 	# log-identity: ""
- 
- 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
--	# log-time-ascii: no
-+	log-time-ascii: yes
- 
- 	# print one line with time, IP, name, type, class for every query.
- 	# log-queries: no
-@@ -497,22 +522,22 @@ server:
- 	# harden-large-queries: no
- 
- 	# Harden against out of zone rrsets, to avoid spoofing attempts.
--	# harden-glue: yes
-+	harden-glue: yes
- 
- 	# Harden against receiving dnssec-stripped data. If you turn it
- 	# off, failing to validate dnskey data for a trustanchor will
- 	# trigger insecure mode for that zone (like without a trustanchor).
- 	# Default on, which insists on dnssec data for trust-anchored zones.
--	# harden-dnssec-stripped: yes
-+	harden-dnssec-stripped: yes
- 
- 	# Harden against queries that fall under dnssec-signed nxdomain names.
--	# harden-below-nxdomain: yes
-+	harden-below-nxdomain: yes
- 
- 	# Harden the referral path by performing additional queries for
- 	# infrastructure data.  Validates the replies (if possible).
- 	# Default off, because the lookups burden the server.  Experimental
- 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
--	# harden-referral-path: no
-+	harden-referral-path: yes
- 
- 	# Harden against algorithm downgrade when multiple algorithms are
- 	# advertised in the DS record.  If no, allows the weakest algorithm
-@@ -526,7 +551,7 @@ server:
- 	# Sent minimum amount of information to upstream servers to enhance
- 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
- 	# to A when possible.
--	# qname-minimisation: yes
-+	qname-minimisation: yes
- 
- 	# QNAME minimisation in strict mode. Do not fall-back to sending full
- 	# QNAME to potentially broken nameservers. A lot of domains will not be
-@@ -536,7 +561,7 @@ server:
- 
- 	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
- 	# and other denials, using information from previous NXDOMAINs answers.
--	# aggressive-nsec: yes
-+	aggressive-nsec: yes
- 
- 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
- 	# This feature is an experimental implementation of draft dns-0x20.
-@@ -569,7 +594,7 @@ server:
- 	# threshold, a warning is printed and a defensive action is taken,
- 	# the cache is cleared to flush potential poison out of it.
- 	# A suggested value is 10000000, the default is 0 (turned off).
--	# unwanted-reply-threshold: 0
-+	unwanted-reply-threshold: 10000000
- 
- 	# Do not query the following addresses. No DNS queries are sent there.
- 	# List one address per entry. List classless netblocks with /size,
-@@ -581,20 +606,20 @@ server:
- 	# do-not-query-localhost: yes
- 
- 	# if yes, perform prefetching of almost expired message cache entries.
--	# prefetch: no
-+	prefetch: yes
- 
- 	# if yes, perform key lookups adjacent to normal lookups.
--	# prefetch-key: no
-+	prefetch-key: yes
- 
- 	# deny queries of type ANY with an empty response.
--	# deny-any: no
-+	deny-any: yes
- 
- 	# if yes, Unbound rotates RRSet order in response.
--	# rrset-roundrobin: yes
-+	rrset-roundrobin: yes
- 
- 	# if yes, Unbound doesn't insert authority/additional sections
- 	# into response messages when those sections are not required.
--	# minimal-responses: yes
-+	minimal-responses: yes
- 
- 	# true to disable DNSSEC lameness check in iterator.
- 	# disable-dnssec-lame-check: no
-@@ -604,7 +629,9 @@ server:
- 	# most modules have to be listed at the beginning of the line,
- 	# except cachedb(just before iterator), and python (at the beginning,
- 	# or, just before the iterator).
--	# module-config: "validator iterator"
-+	# For redis cachedb use:
-+	#    "ipsecmod validator cachedb iterator"
-+	module-config: "ipsecmod validator iterator"
- 
- 	# File with trusted keys, kept uptodate using RFC5011 probes,
- 	# initial file like trust-anchor-file, then it stores metadata.
-@@ -618,10 +645,10 @@ server:
- 	# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
- 
- 	# trust anchor signaling sends a RFC8145 key tag query after priming.
--	# trust-anchor-signaling: yes
-+	trust-anchor-signaling: yes
- 
- 	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
--	# root-key-sentinel: yes
-+	root-key-sentinel: yes
- 
- 	# File with trusted keys for validation. Specify more than one file
- 	# with several entries, one file per entry.
-@@ -642,6 +669,9 @@ server:
- 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
- 	# you need external update procedures to track changes in keys.
- 	# trusted-keys-file: ""
-+	#
-+	trusted-keys-file: /etc/unbound/keys.d/*.key
-+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
- 
- 	# Ignore chain of trust. Domain is treated as insecure.
- 	# domain-insecure: "example.com"
-@@ -669,14 +699,15 @@ server:
- 	# unsecure data. Useful to shield the users of this validator from
- 	# potential bogus data in the additional section. All unsigned data
- 	# in the additional section is removed from secure messages.
--	# val-clean-additional: yes
-+	val-clean-additional: yes
- 
- 	# Turn permissive mode on to permit bogus messages. Thus, messages
- 	# for which security checks failed will be returned to clients,
- 	# instead of SERVFAIL. It still performs the security checks, which
- 	# result in interesting log files and possibly the AD bit in
- 	# replies if the message is found secure. The default is off.
--	# val-permissive-mode: no
-+	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
-+	val-permissive-mode: no
- 
- 	# Ignore the CD flag in incoming queries and refuse them bogus data.
- 	# Enable it if the only clients of Unbound are legacy servers (w2008)
-@@ -690,11 +721,11 @@ server:
- 
- 	# Serve expired responses from cache, with serve-expired-reply-ttl in
- 	# the response, and then attempt to fetch the data afresh.
--	# serve-expired: no
-+	serve-expired: yes
- 	#
- 	# Limit serving of expired responses to configured seconds after
- 	# expiration. 0 disables the limit.
--	# serve-expired-ttl: 0
-+	serve-expired-ttl: 14400
- 	#
- 	# Set the TTL of expired records to the serve-expired-ttl value after a
- 	# failed attempt to retrieve the record from upstream. This makes sure
-@@ -721,7 +752,7 @@ server:
- 
- 	# Have the validator log failed validations for your diagnosis.
- 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
--	# val-log-level: 0
-+	val-log-level: 1
- 
- 	# It is possible to configure NSEC3 maximum iteration counts per
- 	# keysize. Keep this table very short, as linear search is done.
-@@ -865,6 +896,8 @@ server:
+@@ -906,6 +919,8 @@ server:
  	# you need to do the reverse notation yourself.
  	# local-data-ptr: "192.0.2.3 www.example.com"
  
@@ -338,7 +72,7 @@ index fcfb1da..a61b530 100644
  	# tag a localzone with a list of tag names (in "" with spaces between)
  	# local-zone-tag: "example.com" "tag2 tag3"
  
-@@ -875,8 +908,8 @@ server:
+@@ -916,8 +931,8 @@ server:
  	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
  	# Give the certificate to use and private key.
  	# default is "" (disabled).  requires restart to take effect.
@@ -348,108 +82,18 @@ index fcfb1da..a61b530 100644
 +	# tls-service-pem: "/etc/unbound/unbound_server.pem"
  	# tls-port: 853
  	# https-port: 443
- 
-@@ -884,6 +917,8 @@ server:
- 	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
- 	# cipher setting for TLSv1.3
- 	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
-+	# Fedora/RHEL: use system-wide crypto policies
-+	tls-ciphers: "PROFILE=SYSTEM"
- 
- 	# Pad responses to padded queries received over TLS
- 	# pad-responses: yes
-@@ -1005,12 +1040,12 @@ server:
- 	# fast-server-num: 3
- 
- 	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
--	# ede: no
-+	ede: yes
- 
- 	# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
- 	# Answer as EDNS0 option to expired responses.
- 	# Note that the ede option above needs to be enabled for this to work.
--	# ede-serve-expired: no
-+	ede-serve-expired: yes
- 
- 	# Specific options for ipsecmod. Unbound needs to be configured with
- 	# --enable-ipsecmod for these to take effect.
-@@ -1018,12 +1053,14 @@ server:
- 	# Enable or disable ipsecmod (it still needs to be defined in
- 	# module-config above). Can be used when ipsecmod needs to be
- 	# enabled/disabled via remote-control(below).
--	# ipsecmod-enabled: yes
--	#
-+	# Fedora: module will be enabled on-demand by libreswan
-+	ipsecmod-enabled: no
-+
- 	# Path to executable external hook. It must be defined when ipsecmod is
- 	# listed in module-config (above).
- 	# ipsecmod-hook: "./my_executable"
--	#
-+	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
-+
- 	# When enabled Unbound will reply with SERVFAIL if the return value of
- 	# the ipsecmod-hook is not 0.
- 	# ipsecmod-strict: no
-@@ -1056,7 +1093,7 @@ server:
- # o and give a python-script to run.
- python:
- 	# Script file to load
--	# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
-+	# python-script: "/etc/unbound/ubmodule-tst.py"
- 
- # Dynamic library config section. To enable:
- # o use --with-dynlibmodule to configure before compiling.
-@@ -1067,13 +1104,14 @@ python:
- #   the module-config then you need one dynlib-file per instance.
- dynlib:
- 	# Script file to load
--	# dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
-+	# dynlib-file: "/etc/unbound/dynlib.so"
- 
- # Remote control config section.
- remote-control:
- 	# Enable remote control with unbound-control(8) here.
- 	# set up the keys and certificates with unbound-control-setup.
--	# control-enable: no
-+	# Note: required for unbound-munin package
-+	control-enable: yes
- 
- 	# what interfaces are listened to for remote control.
- 	# give 0.0.0.0 and ::0 to listen to all interfaces.
-@@ -1081,6 +1119,7 @@ remote-control:
- 	# are not used for that, so key and cert files need not be present.
- 	# control-interface: 127.0.0.1
- 	# control-interface: ::1
-+	control-interface: "/run/unbound/control"
- 
- 	# port number for remote control operations.
- 	# control-port: 8953
-@@ -1090,16 +1129,19 @@ remote-control:
- 	# control-use-cert: "yes"
- 
- 	# Unbound server key file.
--	# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
-+	server-key-file: "/etc/unbound/unbound_server.key"
- 
- 	# Unbound server certificate file.
--	# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
-+	server-cert-file: "/etc/unbound/unbound_server.pem"
- 
- 	# unbound-control key file.
--	# control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
-+	control-key-file: "/etc/unbound/unbound_control.key"
- 
+ 	# quic-port: 853
+@@ -1166,6 +1181,9 @@ remote-control:
  	# unbound-control certificate file.
--	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
-+	control-cert-file: "/etc/unbound/unbound_control.pem"
-+
+ 	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+
 +# Stub and Forward zones
-+include: /etc/unbound/conf.d/*.conf
- 
++include: "@sysconfdir@/unbound/conf.d/*.conf"
++
  # Stub zones.
  # Create entries like below, to make all queries for 'example.com' and
-@@ -1121,6 +1163,10 @@ remote-control:
+ # 'example.org' go to the given list of nameservers. list zero or more
+@@ -1186,6 +1207,10 @@ remote-control:
  #	name: "example.org"
  #	stub-host: ns.example.com.
  
@@ -460,7 +104,7 @@ index fcfb1da..a61b530 100644
  # Forward zones
  # Create entries like below, to make all queries for 'example.com' and
  # 'example.org' go to the given list of servers. These servers have to handle
-@@ -1138,6 +1184,10 @@ remote-control:
+@@ -1203,6 +1228,10 @@ remote-control:
  # forward-zone:
  # 	name: "example.org"
  # 	forward-host: fwd.example.com
@@ -471,81 +115,6 @@ index fcfb1da..a61b530 100644
  
  # Authority zones
  # The data for these zones is kept locally, from a file or downloaded.
-@@ -1145,30 +1195,31 @@ remote-control:
- # upstream (which saves a lookup to the upstream).  The first example
- # has a copy of the root for local usage.  The second serves example.org
- # authoritatively.  zonefile: reads from file (and writes to it if you also
--# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
--# With allow-notify: you can give additional (apart from primaries and urls)
--# sources of notifies.
--# auth-zone:
--#	name: "."
--#	primary: 199.9.14.201         # b.root-servers.net
--#	primary: 192.33.4.12          # c.root-servers.net
--#	primary: 199.7.91.13          # d.root-servers.net
--#	primary: 192.5.5.241          # f.root-servers.net
--#	primary: 192.112.36.4         # g.root-servers.net
--#	primary: 193.0.14.129         # k.root-servers.net
--#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
--#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
--#	primary: 2001:500:200::b      # b.root-servers.net
--#	primary: 2001:500:2::c        # c.root-servers.net
--#	primary: 2001:500:2d::d       # d.root-servers.net
--#	primary: 2001:500:2f::f       # f.root-servers.net
--#	primary: 2001:500:12::d0d     # g.root-servers.net
--#	primary: 2001:7fd::1          # k.root-servers.net
--#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
--#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
--#	fallback-enabled: yes
--#	for-downstream: no
--#	for-upstream: yes
-+# download it), master: fetches with AXFR and IXFR, or url to zonefile.
-+# With allow-notify: you can give additional (apart from masters) sources of
-+# notifies.
-+auth-zone:
-+	name: "."
-+	primary: 199.9.14.201         # b.root-servers.net
-+	primary: 192.33.4.12          # c.root-servers.net
-+	primary: 199.7.91.13          # d.root-servers.net
-+	primary: 192.5.5.241          # f.root-servers.net
-+	primary: 192.112.36.4         # g.root-servers.net
-+	primary: 193.0.14.129         # k.root-servers.net
-+	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
-+	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-+	primary: 2001:500:200::b      # b.root-servers.net
-+	primary: 2001:500:2::c        # c.root-servers.net
-+	primary: 2001:500:2d::d       # d.root-servers.net
-+	primary: 2001:500:2f::f       # f.root-servers.net
-+	primary: 2001:500:12::d0d     # g.root-servers.net
-+	primary: 2001:7fd::1          # k.root-servers.net
-+	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-+	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
-+	fallback-enabled: yes
-+	for-downstream: no
-+	for-upstream: yes
-+
- # auth-zone:
- #	name: "example.org"
- #	for-downstream: yes
-@@ -1194,6 +1245,9 @@ remote-control:
- #	name: "anotherview"
- #	local-zone: "example.com" refuse
- 
-+# Fedora: DNSCrypt support not enabled since it requires linking to
-+#         another crypto library
-+#
- # DNSCrypt
- # To enable, use --enable-dnscrypt to configure before compiling.
- # Caveats:
-@@ -1266,7 +1320,7 @@ remote-control:
- # 	dnstap-enable: no
- # 	# if set to yes frame streams will be used in bidirectional mode
- # 	dnstap-bidirectional: yes
--# 	dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
-+# 	dnstap-socket-path: "/etc/unbound/dnstap.sock"
- # 	# if "" use the unix socket in dnstap-socket-path, otherwise,
- # 	# set it to "IPaddress[@port]" of the destination.
- # 	dnstap-ip: ""
 -- 
-2.43.0
+2.47.0
 

unbound-initrd.conf

@@ -0,0 +1,5 @@
+[Unit]
+Before=network-online.target
+
+[Install]
+WantedBy=network-online.target

unbound-local-root.conf

@@ -0,0 +1,30 @@
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).
+#
+# Download local root copy and answer TLD queries from it. Because
+# auth-zone has higher precedence, defined forward-zones to internal
+# only TLD will not work. Use stub-zone or disable this zone.
+# Good for a network-wide resolvers, worse for a localhost caching forwarder.
+auth-zone:
+	name: "."
+	primary: 170.247.170.2        # b.root-servers.net
+	primary: 192.33.4.12          # c.root-servers.net
+	primary: 199.7.91.13          # d.root-servers.net
+	primary: 192.5.5.241          # f.root-servers.net
+	primary: 192.112.36.4         # g.root-servers.net
+	primary: 193.0.14.129         # k.root-servers.net
+	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+	primary: 2801:1b8:10::b       # b.root-servers.net
+	primary: 2001:500:2::c        # c.root-servers.net
+	primary: 2001:500:2d::d       # d.root-servers.net
+	primary: 2001:500:2f::f       # f.root-servers.net
+	primary: 2001:500:12::d0d     # g.root-servers.net
+	primary: 2001:7fd::1          # k.root-servers.net
+	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+	fallback-enabled: yes
+	for-downstream: no
+	for-upstream: yes

unbound.service

@@ -1,6 +1,9 @@
 [Unit]
 Description=Unbound recursive Domain Name Server
-After=network-online.target
+After=network.target
+# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
+# if interface: specifies exact address, not localhost nor wildcard
+#After=network-online.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
 After=unbound-anchor.service
@@ -9,7 +12,7 @@ Before=nss-lookup.target
 Wants=nss-lookup.target
 
 [Service]
-Type=simple
+Type=notify
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS

unbound.spec

@@ -2,10 +2,20 @@
 %{?!with_python3:     %global with_python3     1}
 %{?!with_munin:       %global with_munin       1}
 %bcond_without dnstap
-%bcond_with    systemd
+%bcond_without systemd
 %bcond_without doh
+%if 0%{?fedora} >= 43 && !0%{?rhel}
+# Do not build with QUIC support in RHEL, until we have also client support.
+%bcond_without ngtcp2
+%endif
+%if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis
+%else
+%bcond_without redis
+%endif
 
+%global forgeurl0 https://github.com/NLnetLabs/unbound
+%global downloads https://nlnetlabs.nl/downloads
 %global _hardened_build 1
 
 #global extra_version rc1
@@ -30,15 +40,16 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.19.1
+Version: 1.24.2
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
-Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
+VCS: git:%{forgeurl0}
+Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
 Source3: unbound.munin
 Source4: unbound_munin_
-Source5: root.key
+Source5: mkroot.sh
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Source9: example.com.key
@@ -50,26 +61,41 @@ Source14: unbound.sysconfig
 Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
-Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-# source: https://nlnetlabs.nl/people/
-Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
+Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
+# https://nlnetlabs.nl/signing-keys/
+Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc
 Source20: unbound.sysusers
+Source21: remote-control.conf
+Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
+Source23: unbound-as112-networks.conf
+Source24: unbound-local-root.conf
+Source25: openssl-sha1.conf
+Source26: remote-control-include.conf
+Source27: fedora-defaults.conf
+Source28: module-setup.sh
+Source29: unbound-initrd.conf
+Source30: tmpfiles-unbound-libs.conf
 
 # Downstream configuration changes
 Patch1:   unbound-fedora-config.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2253461
-# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6
-Patch2:   unbound-1.19-b.root-servers.net.patch
-# https://github.com/NLnetLabs/unbound/pull/993
-Patch3:   unbound-1.19-b.root-servers.net-conf.patch
-# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90
-Patch4: unbound-1.19-EDE-cpu-lock.patch
+# https://github.com/NLnetLabs/unbound/pull/1331
+Patch2:   unbound-1.24-swig-function.patch
+# https://github.com/NLnetLabs/unbound/pull/1381
+Patch3:   unbound-1.24-quic-on-demand-only.patch
 
 BuildRequires: gcc, make
-BuildRequires: flex, openssl-devel
+BuildRequires: openssl-devel
 BuildRequires: libevent-devel expat-devel
 BuildRequires: pkgconfig
-%if 0%{?fedora}
+
+# Required for configure regeneration
+BuildRequires: automake autoconf libtool
+BuildRequires: autoconf-archive
+# Regenerate config parser too
+BuildRequires: bison flex byacc
+BuildRequires: dns-root-data
+
+%if 0%{?fedora} || 0%{?rhel} >= 9
 BuildRequires: gnupg2
 %endif
 %if 0%{with_python2}
@@ -95,9 +121,9 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
 %endif
-# Required for SVN versions
-# BuildRequires: bison
-# BuildRequires: automake autoconf libtool
+%if %{with ngtcp2}
+BuildRequires: ngtcp2-crypto-ossl-devel
+%endif
 
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -139,7 +165,7 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
 Recommends: %{name}-anchor
-%{?sysusers_requires_compat}
+Requires: dns-root-data
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@@ -189,33 +215,33 @@ Conflicts: python2-unbound < 1.9.3
 Python 3 modules and extensions for unbound
 %endif
 
+%package dracut
+Summary: Unbound dracut module
+Requires: dracut%{?_isa}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description dracut
+Unbound dracut module allowing use of Unbound for name resolution
+in initramfs.
 
 %prep
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} >= 9
+# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key
+%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \
 %{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
 
 %if 0%{with_python2} && 0%{with_python3}
-%global dir_primary %{pkgname}_python3
 %global python_primary %{__python3}
 %global dir_secondary %{pkgname}_python2
 %global python_secondary %{__python2}
-%else
-%global dir_primary %{pkgname}
 %endif
 
-%autosetup -c -N -n %{pkgname}
+%autosetup -N -n %{pkgname}
 
-pushd %{pkgname}
 # patches go here
-%autopatch -p2
-
-# only for snapshots
-# autoreconf -iv
-
-# copy common doc files - after here, since it may be patched
-cp -pr doc pythonmod libunbound ../
+%autopatch -p1
 
 %if 0%{?rhel} > 8
   # SHA-1 breaks some tests. Disable just some tests because of that.
@@ -225,31 +251,35 @@ cp -pr doc pythonmod libunbound ../
     mv testdata/${TEST}.rpl{,-disabled} 
   done
 %endif
-popd
 
 %if 0%{with_python2} && 0%{with_python3}
-mv %{pkgname} %{dir_primary}
-cp -a %{dir_primary} %{dir_secondary}
+  cp -a . %{dir_secondary}
 %endif
 
 %build
-# This is needed to rebuild the configure script to support Python 3.x
-# autoreconf -iv
-
 # ./configure script common arguments
 %global configure_args --with-libevent --with-pthreads --with-ssl \\\
             --disable-rpath --disable-static \\\
             --enable-relro-now --enable-pie \\\
             --enable-subnet --enable-ipsecmod \\\
             --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
+            --with-share-dir=%{_datadir}/%{name} \\\
             --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
             --enable-sha2 --disable-gost --enable-ecdsa \\\
             --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
             --with-username=unbound \\\
             --enable-linux-ip-local-port-range \\\
+            --with-dynlibmodule \\\
+#
 
+# always regenerate configure
+rm -f config.h.in aclocal.m4 configure ltmain.sh
+rm -f {ax_pthread,ax_swig_python}.m4
+cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 .
+# ensure bison is used to generate fresh parser
+rm -f util/configparser.{c,h} util/configlexer.c
 
-pushd %{dir_primary}
+autoreconf -fiv
 
 %configure  \
 %if 0%{?python_primary:1}
@@ -264,20 +294,18 @@ pushd %{dir_primary}
 %if %{with doh}
             --with-libnghttp2 \
 %endif
-%if 0%{?rhel}
-            --disable-sha1 \
-%endif
 %if %{with redis}
             --with-libhiredis \
             --enable-cachedb \
+%endif
+%if %{with ngtcp2}
+            --with-libngtcp2 \
 %endif
             %{configure_args}
 
 %make_build
 %make_build streamtcp
 
-popd
-
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
 %configure  \
@@ -287,6 +315,9 @@ pushd %{dir_secondary}
 %endif
 %if %{with systemd}
             --enable-systemd \
+%endif
+%if %{with ngtcp2}
+            --with-libngtcp2 \
 %endif
             %{configure_args}
 
@@ -305,11 +336,9 @@ pushd %{dir_secondary}
 popd
 %endif
 
-pushd %{dir_primary}
 %make_install unbound-event-install
 install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
-install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
-popd
+install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
 
 install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
 install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
@@ -330,25 +359,21 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun
 done
 %endif
 
-pushd %{dir_primary}
 # install streamtcp man page
-install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
-popd
+install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
 
 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
+install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
 
 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
-install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
-install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
-# make initial key static
-pushd %{buildroot}%{_sharedstatedir}/unbound
-  KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
-  ln -s "$KEYPATH" root.key
-popd
+sh %{SOURCE5} root.key
+install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/
+ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key"
+ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key"
 
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
@@ -367,16 +392,27 @@ mkdir -p %{buildroot}%{_rundir}/unbound
 # Install directories for easier config file drop in
 
 mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
-install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
-install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
-install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
+install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
+install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf
+install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf
+
+mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
+install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
+install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
+install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
 
+# install dracut module
+mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
+
+install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
+install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 
-%pre libs
-%sysusers_create_compat %{SOURCE20}
 
 %post
 %systemd_post unbound.service
@@ -404,21 +440,19 @@ fi
 %postun anchor
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 
+%triggerun -- unbound < 1.23.1-4
+if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then
+   # change permissions of existing key just once, where it were generated with wrong perms
+   %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || :
+fi
+
+
 %check
-pushd %{dir_primary}
-#pushd pythonmod
-#make test
-#popd
-
+export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
 make check
 
-popd
-
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
-#pushd pythonmod
-#make test
-#popd
 make check
 popd
 %endif
@@ -428,9 +462,10 @@ popd
 %doc doc/CREDITS doc/FEATURES
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-keygen.service
-%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
+%attr(0775,unbound,root) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
@@ -440,11 +475,12 @@ popd
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
-%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
+%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
 %{_sbindir}/unbound
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control
 %{_sbindir}/unbound-control-setup
+%{_datadir}/%{name}/
 %{_mandir}/man5/*
 %exclude %{_mandir}/man8/unbound-anchor*
 %{_mandir}/man8/*
@@ -486,10 +522,11 @@ popd
 %{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
+%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
-%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
+%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
 
 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
@@ -506,5 +543,8 @@ popd
 %{_sbindir}/unbound-streamtcp
 %{_mandir}/man1/unbound-*
 
+%files dracut
+%{_prefix}/lib/dracut/modules.d/99unbound
+
 %changelog
 %autochangelog

unbound.sysconfig

@@ -5,3 +5,6 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
 
 # for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""
+
+# Uncoment to validate SHA1 in any crypto policy
+# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf

wouter.nlnetlabs.nl.key

@@ -1,123 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
-SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
-1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
-TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
-l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
-qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
-Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
-x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
-WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
-/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
-hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
-zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
-ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
-HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
-XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
-8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
-Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
-UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
-MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
-/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
-Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
-SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
-oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
-Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
-AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
-bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
-4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
-ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
-L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
-DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
-e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
-T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
-/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
-bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
-OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
-ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
-AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
-bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
-2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
-Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
-Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
-4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
-zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
-5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
-46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
-GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
-JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
-lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
-iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
-AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
-bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
-4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
-bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
-GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
-vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
-+Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
-/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
-aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
-7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
-sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
-vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
-r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
-lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
-q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
-Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
-jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
-Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
-7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
-Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
-i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
-ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
-H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
-AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
-V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
-gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
-DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
-PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
-ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
-xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
-UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
-2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
-oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
-2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
-Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
-bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
-RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
-XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
-rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
-eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
-Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
-g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
-kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
-YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
-c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
-k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
-AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
-HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
-VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
-Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
-0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
-yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
-v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
-ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
-G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
-RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
-1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
-7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
-CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
-LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
-bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
-EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
-8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
-ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
-ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
-s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
-HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
-9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
-p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
-5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
-=Oqje
------END PGP PUBLIC KEY BLOCK-----