Remove additional subdirectory for python3 build

Python2 builds are not common anymore. Make basic unbound directory for
primary build in normal default directory. Try subdirectory only for
alternative secondary build, if enabled.

.gitignore

@@ -85,3 +85,9 @@ unbound-1.4.5.tar.gz
 /unbound-1.19.0.tar.gz.asc
 /unbound-1.19.1.tar.gz
 /unbound-1.19.1.tar.gz.asc
+/unbound-1.19.3.tar.gz
+/unbound-1.19.3.tar.gz.asc
+/unbound-1.20.0.tar.gz
+/unbound-1.20.0.tar.gz.asc
+/unbound-1.21.1.tar.gz
+/unbound-1.21.1.tar.gz.asc

Yorgos.asc

@@ -0,0 +1,128 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8
+SJr7Y+hr6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBv
+omb9s8Bo28uKn8tbTMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jI
+qxDYS8sylWlDn6Qim+77feLlObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6
+W6AqukhpuKuWvoAUXKjfguXQolxeexubmKaLcGOTvecw+cbh/a5SPHRtRVr9qTxp
+elk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpAk1fXA+mYfx5BcFpECYdU9kz4
+UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36TgAP8RKrvFfPUym5OP
+YbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2yBVbGnjNr
+S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS
+2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVr
+g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB
+tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX
+BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5
+NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt
+C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs
+n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU
+BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f
+DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI
+Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP
+ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8
+RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA
+zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK
+9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1
+5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY
+nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8
+Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC
+AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP
+8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG
+pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu
+gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW
+ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7
+bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar
+qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/
+yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn
+aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6
+tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh
+KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP
+qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS
+AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY
+Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk
+cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w
+B7x2UfSyF4USp47LSmUQnC59IF8jzaElgBha3gwEuXL3d2qBepoV/e9RiXJClUAT
++O7qdxzDq1eiZ+NXUjDCmrkuWjHLAZAv0jx1KUTCQ2no62UM95igtJ+Kn56Lc2+J
+CqFJztaZeX8CgXXryxNpsyhZJ33dIoLCT03K25wrV5Y+eag05slQ9sC3iQI9BBMB
+CAAnBQJX2RCwAhsjBQkFo5qABQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEM/z
+NE2Qh6SQ3JUP/2G3bRNObS7zsfN3rjkbjLxaDOwNggRdbeXM5rHDVEG9SWesCGaI
+vyQdkSGQoIaKUgNv7Yp8O8pEnD4IwdhNSaXVIB3pBtdOD0UM1wuxRpfqJOUxZEoW
+T2Jr31Tg2qepp6nT7UmdiF7uCBDy8Jm6k6Q+6UT58cPaesRQdSPi6Go7ho2/xVvK
+Ve9ufSTSTdG5+7bJDu6Iv7sydKUEG4jPDqo+jjVLn1X6Rfp+E4JAvOvFrSJHW5sa
+A332xV40GeV+aM1ndP7dPkz8+AGB3QD7JF2DLcqvLo0TYOvjnlOGYcNp8gzp23g9
+KFwe2sdbdtVpuWaJUSpXXiUZnFzrrVxDNiEBjqsPa5ysOxzJ+1gUbcrIjUeNeAFh
+us4XL+IidPATnhTIX3X/uPRB87KaTaA8XUqsuSd2DM9mLxdHKC9Jf8D1t+ywYrek
+Cp+K80vCtFPWBM4+w8nGugTNKJEGIXZDGFOF/c7r6xKkaOYK0Y+IGJawlV5LaADl
+BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU
+5acnIZibCERayo8ZuI+r/X3bLHfDx0oh2h+cL3utNZUqmgZNR0Di8P+x0hUYsYPO
+TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y
+Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB
+CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0
+TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1
+/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K
+o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3
+GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7
+iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2
+WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN
+9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM
+LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ
+CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc
+/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j
+QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA
+zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/
+VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H
+jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t
+hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv
+Hj7gVoaWw65Ov7vngwNCKH3fjOkcoINTH/nEw4WWh6UV5ZN49GRqa6oWdUJMZbgB
+w8z357RLN6YLe7KMh4oGpUIvfH6Vfq6CIb6s9pfgjAvq8O7p9n0/0FG77j84MuGw
+fdhq8eSazO/j9LUCBM+8k4kCPQQTAQgAJwUCV9kQiwIbIwUJBaOagAULCQgHAgYV
+CAkKCwIEFgIDAQIeAQIXgAAKCRDP8zRNkIekkN9pD/wI8JAyjJEIjUJNLRuARDDv
+pJrQjAo/02naPcGs4yyUd7yRkhzVKLFLvif8XICxxLWk6FdT0PJeKGTvRoe2+Rje
+c14rO30niRymWkBi36iDW46Dpt7Jx+LUDhUMYPL+woKSoHmbBGWLSYXKxaD8F93A
+nVs97nP4PWpspv2BFiuwKGsSsOyyQPPvr7jCin3H5oPH9qDnIV0KonAYbzzEKod5
+t0Rgzo/nWXZBFXWC5xvKeghwkdT++gYS/ThvQY2ua6A1XRE8BntyldD081NPi3NO
+dWa9m8ufFOJsEEiWcpdT+EWoDw5JyGAR7U3IOVl3BTo7shdcYEvRVrDMBpac+ItG
+WvogUv7alBdHWi48amvZE06RI/nDJ/rxj13S/4POgMHU++aQI5a1G5H3jBu4cehH
+4iT1UKmozfzVEfcHb2dsaKnnuFzQxmol0lZu1ETyof+Lxvs+wErN0QR+VDNweJEJ
+PMXiEcjASdLtrEKgFSP2B5yGGzt93C+HbD+VQOU359aAnvVjbTAVz8izuMphd6Bz
+Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh
+gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf
+FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA
+b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q
+h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM
+f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3
+aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp
+n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW
++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM
+4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV
+0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3
+1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH
+ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC
+87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4
+sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB
+EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih
+lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y
+rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW
+YylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVPNCYm
+ZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64N
+W/RJ7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvP
+GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf
+6RcZ02fr7SCZZhdBrlrflvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4
+hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+
+LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8
+sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm
+AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH
+pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A
+GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo
+JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3
+60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR
+tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS
+xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS
+fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm
+sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/
+ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O
+BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK
+SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8=
+=iknu
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1,2 +1,2 @@
-SHA512 (unbound-1.19.1.tar.gz) = c81192b70f14a4e289cf738bf6b647cf25b58b1ab11076dee306ff25a530b6a1bbeca71cfa8820d80f48fd843019beb29a68796a1b1fcec6e561dfeccd62d96a
-SHA512 (unbound-1.19.1.tar.gz.asc) = 2e4c6b7df844d1fb93d948791a20b9ff201bd1e6de6c89a830ddce06e24e5d770409265005f549757ef3a9c99d11b9860ae21711425d76d42bf2c33240dd3b52
+SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7
+SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248

unbound-1.19-EDE-cpu-lock.patch

@@ -1,14 +0,0 @@
-diff --git a/unbound-1.19.1/util/data/msgencode.c b/unbound-1.19.1/util/data/msgencode.c
-index 80ae33a38..898ff8412 100644
---- a/unbound-1.19.1/util/data/msgencode.c
-+++ b/unbound-1.19.1/util/data/msgencode.c
-@@ -886,6 +886,9 @@ ede_trim_text(struct edns_option** list)
- 				curr->opt_len = 2;
- 				prev = curr;
- 				curr = curr->next;
-+			} else {
-+				prev = curr;
-+				curr = curr->next;
- 			}
- 		} else {
- 			/* continue */

unbound-1.19-b.root-servers.net-conf.patch

@@ -1,38 +0,0 @@
-From 101f9efb8de8e5e41fe40d05461276299e4c8980 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Tue, 16 Jan 2024 16:13:29 +0100
-Subject: [PATCH] Update b.root-servers.net also in example config file
-
-Addition to commit a8739bad76d4d179290627e989c7ef236345bda6, which
-updated only address specified in code. But addresses provided in
-example configuration were not updated, I think they should be updated
-too.
----
- unbound-1.19.0/doc/example.conf.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.19.0/doc/example.conf.in b/unbound-1.19.0/doc/example.conf.in
-index b79a322..3a15357 100644
---- a/unbound-1.19.0/doc/example.conf.in
-+++ b/unbound-1.19.0/doc/example.conf.in
-@@ -1203,7 +1203,7 @@ include: /etc/unbound/conf.d/*.conf
- # notifies.
- auth-zone:
- 	name: "."
--	primary: 199.9.14.201         # b.root-servers.net
-+	primary: 170.247.170.2        # b.root-servers.net
- 	primary: 192.33.4.12          # c.root-servers.net
- 	primary: 199.7.91.13          # d.root-servers.net
- 	primary: 192.5.5.241          # f.root-servers.net
-@@ -1211,7 +1211,7 @@ auth-zone:
- 	primary: 193.0.14.129         # k.root-servers.net
- 	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
- 	primary: 192.0.32.132         # xfr.lax.dns.icann.org
--	primary: 2001:500:200::b      # b.root-servers.net
-+	primary: 2801:1b8:10::b       # b.root-servers.net
- 	primary: 2001:500:2::c        # c.root-servers.net
- 	primary: 2001:500:2d::d       # d.root-servers.net
- 	primary: 2001:500:2f::f       # f.root-servers.net
--- 
-2.43.0
-

unbound-1.19-b.root-servers.net.patch

@@ -1,35 +0,0 @@
-From 72c65bfc2fe35cf4f0665a5e3f173f4f8f6f151b Mon Sep 17 00:00:00 2001
-From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
-Date: Wed, 6 Dec 2023 13:25:58 +0100
-Subject: [PATCH] - Updated IPv4 and IPv6 address for b.root-servers.net in
- root hints.
-
----
- unbound-1.19.0/iterator/iter_hints.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/unbound-1.19.0/iterator/iter_hints.c b/unbound-1.19.0/iterator/iter_hints.c
-index a60d9a6..6b56daa 100644
---- a/unbound-1.19.0/iterator/iter_hints.c
-+++ b/unbound-1.19.0/iterator/iter_hints.c
-@@ -129,7 +129,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
- 	dp->has_parent_side_NS = 1;
-       if(do_ip4) {
- 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "198.41.0.4"))	goto failed;
--	if(!ah(dp, "B.ROOT-SERVERS.NET.", "199.9.14.201")) goto failed;
-+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "170.247.170.2"))	goto failed;
- 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "192.33.4.12"))	goto failed;
- 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "199.7.91.13"))	goto failed;
- 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "192.203.230.10")) goto failed;
-@@ -144,7 +144,7 @@ compile_time_root_prime(int do_ip4, int do_ip6)
-       }
-       if(do_ip6) {
- 	if(!ah(dp, "A.ROOT-SERVERS.NET.", "2001:503:ba3e::2:30")) goto failed;
--	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2001:500:200::b")) goto failed;
-+	if(!ah(dp, "B.ROOT-SERVERS.NET.", "2801:1b8:10::b")) goto failed;
- 	if(!ah(dp, "C.ROOT-SERVERS.NET.", "2001:500:2::c")) goto failed;
- 	if(!ah(dp, "D.ROOT-SERVERS.NET.", "2001:500:2d::d")) goto failed;
- 	if(!ah(dp, "E.ROOT-SERVERS.NET.", "2001:500:a8::e")) goto failed;
--- 
-2.43.0
-

unbound-fedora-config.patch

@@ -1,4 +1,4 @@
-From 77710cef1d7001fc52b7f19b0b9e305fd355f07e Mon Sep 17 00:00:00 2001
+From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Fri, 10 Nov 2023 12:58:31 +0100
 Subject: [PATCH] Customize unbound.conf for Fedora defaults
@@ -7,13 +7,13 @@ Set some Fedora/RHEL specific changes to example configuration file. By
 patching upstream provided config file we would not need to manually
 update external copy in source RPM.
 ---
- unbound-1.19.1/doc/example.conf.in | 200 ++++++++++++++++++-----------
- 1 file changed, 127 insertions(+), 73 deletions(-)
+ doc/example.conf.in | 196 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 126 insertions(+), 70 deletions(-)
 
-diff --git a/unbound-1.19.1/doc/example.conf.in b/unbound-1.19.1/doc/example.conf.in
-index fcfb1da..a61b530 100644
---- a/unbound-1.19.1/doc/example.conf.in
-+++ b/unbound-1.19.1/doc/example.conf.in
+diff --git a/doc/example.conf.in b/doc/example.conf.in
+index 130cb4e..7174d81 100644
+--- a/doc/example.conf.in
++++ b/doc/example.conf.in
 @@ -17,11 +17,12 @@ server:
  	# whitespace is not necessary, but looks cleaner.
  
@@ -120,7 +120,7 @@ index fcfb1da..a61b530 100644
  
  	# use IP_FREEBIND so the interface: addresses can be non-local
  	# and you can bind to nonexisting IPs and interfaces that are down.
-@@ -256,6 +275,8 @@ server:
+@@ -276,6 +295,8 @@ server:
  	# nat64-prefix: 64:ff9b::0/96
  
  	# Enable UDP, "yes" or "no".
@@ -129,16 +129,16 @@ index fcfb1da..a61b530 100644
  	# do-udp: yes
  
  	# Enable TCP, "yes" or "no".
-@@ -281,7 +302,7 @@ server:
+@@ -301,7 +322,7 @@ server:
  	# tcp-idle-timeout: 30000
  
  	# Enable EDNS TCP keepalive option.
 -	# edns-tcp-keepalive: no
 +	edns-tcp-keepalive: yes
  
- 	# Timeout for EDNS TCP keepalive, in msec.
- 	# edns-tcp-keepalive-timeout: 120000
-@@ -290,6 +311,9 @@ server:
+ 	# Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
+ 	# if edns-tcp-keepalive is set.
+@@ -311,6 +332,9 @@ server:
  	# can be dropped. Default is 0, disabled. In seconds, such as 3.
  	# sock-queue-timeout: 0
  
@@ -148,7 +148,7 @@ index fcfb1da..a61b530 100644
  	# Use systemd socket activation for UDP, TCP, and control sockets.
  	# use-systemd: no
  
-@@ -402,6 +426,7 @@ server:
+@@ -424,6 +448,7 @@ server:
  	#
  	# If you give "" no chroot is performed. The path must not end in a /.
  	# chroot: "@UNBOUND_CHROOT_DIR@"
@@ -156,7 +156,7 @@ index fcfb1da..a61b530 100644
  
  	# if given, user privileges are dropped (after binding port),
  	# and the given username is assumed. Default is user "unbound".
-@@ -413,7 +438,7 @@ server:
+@@ -435,7 +460,7 @@ server:
  	# is not changed.
  	# If you give a server: directory: dir before include: file statements
  	# then those includes can be relative to the working directory.
@@ -165,7 +165,7 @@ index fcfb1da..a61b530 100644
  
  	# the log file, "" means log to stderr.
  	# Use of this option sets use-syslog to "no".
-@@ -428,7 +453,7 @@ server:
+@@ -450,7 +475,7 @@ server:
  	# log-identity: ""
  
  	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
@@ -174,7 +174,7 @@ index fcfb1da..a61b530 100644
  
  	# print one line with time, IP, name, type, class for every query.
  	# log-queries: no
-@@ -497,22 +522,22 @@ server:
+@@ -522,22 +547,22 @@ server:
  	# harden-large-queries: no
  
  	# Harden against out of zone rrsets, to avoid spoofing attempts.
@@ -201,7 +201,7 @@ index fcfb1da..a61b530 100644
  
  	# Harden against algorithm downgrade when multiple algorithms are
  	# advertised in the DS record.  If no, allows the weakest algorithm
-@@ -526,7 +551,7 @@ server:
+@@ -551,7 +576,7 @@ server:
  	# Sent minimum amount of information to upstream servers to enhance
  	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
  	# to A when possible.
@@ -210,7 +210,7 @@ index fcfb1da..a61b530 100644
  
  	# QNAME minimisation in strict mode. Do not fall-back to sending full
  	# QNAME to potentially broken nameservers. A lot of domains will not be
-@@ -536,7 +561,7 @@ server:
+@@ -561,7 +586,7 @@ server:
  
  	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
  	# and other denials, using information from previous NXDOMAINs answers.
@@ -219,7 +219,7 @@ index fcfb1da..a61b530 100644
  
  	# Use 0x20-encoded random bits in the query to foil spoof attempts.
  	# This feature is an experimental implementation of draft dns-0x20.
-@@ -569,7 +594,7 @@ server:
+@@ -594,7 +619,7 @@ server:
  	# threshold, a warning is printed and a defensive action is taken,
  	# the cache is cleared to flush potential poison out of it.
  	# A suggested value is 10000000, the default is 0 (turned off).
@@ -228,7 +228,7 @@ index fcfb1da..a61b530 100644
  
  	# Do not query the following addresses. No DNS queries are sent there.
  	# List one address per entry. List classless netblocks with /size,
-@@ -581,20 +606,20 @@ server:
+@@ -606,20 +631,20 @@ server:
  	# do-not-query-localhost: yes
  
  	# if yes, perform prefetching of almost expired message cache entries.
@@ -254,7 +254,7 @@ index fcfb1da..a61b530 100644
  
  	# true to disable DNSSEC lameness check in iterator.
  	# disable-dnssec-lame-check: no
-@@ -604,7 +629,9 @@ server:
+@@ -629,7 +654,9 @@ server:
  	# most modules have to be listed at the beginning of the line,
  	# except cachedb(just before iterator), and python (at the beginning,
  	# or, just before the iterator).
@@ -265,7 +265,7 @@ index fcfb1da..a61b530 100644
  
  	# File with trusted keys, kept uptodate using RFC5011 probes,
  	# initial file like trust-anchor-file, then it stores metadata.
-@@ -618,10 +645,10 @@ server:
+@@ -643,10 +670,10 @@ server:
  	# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
  
  	# trust anchor signaling sends a RFC8145 key tag query after priming.
@@ -278,7 +278,7 @@ index fcfb1da..a61b530 100644
  
  	# File with trusted keys for validation. Specify more than one file
  	# with several entries, one file per entry.
-@@ -642,6 +669,9 @@ server:
+@@ -667,6 +694,9 @@ server:
  	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
  	# you need external update procedures to track changes in keys.
  	# trusted-keys-file: ""
@@ -288,7 +288,7 @@ index fcfb1da..a61b530 100644
  
  	# Ignore chain of trust. Domain is treated as insecure.
  	# domain-insecure: "example.com"
-@@ -669,14 +699,15 @@ server:
+@@ -694,14 +724,15 @@ server:
  	# unsecure data. Useful to shield the users of this validator from
  	# potential bogus data in the additional section. All unsigned data
  	# in the additional section is removed from secure messages.
@@ -306,7 +306,7 @@ index fcfb1da..a61b530 100644
  
  	# Ignore the CD flag in incoming queries and refuse them bogus data.
  	# Enable it if the only clients of Unbound are legacy servers (w2008)
-@@ -690,11 +721,11 @@ server:
+@@ -715,11 +746,11 @@ server:
  
  	# Serve expired responses from cache, with serve-expired-reply-ttl in
  	# the response, and then attempt to fetch the data afresh.
@@ -320,7 +320,7 @@ index fcfb1da..a61b530 100644
  	#
  	# Set the TTL of expired records to the serve-expired-ttl value after a
  	# failed attempt to retrieve the record from upstream. This makes sure
-@@ -721,7 +752,7 @@ server:
+@@ -746,7 +777,7 @@ server:
  
  	# Have the validator log failed validations for your diagnosis.
  	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
@@ -329,7 +329,7 @@ index fcfb1da..a61b530 100644
  
  	# It is possible to configure NSEC3 maximum iteration counts per
  	# keysize. Keep this table very short, as linear search is done.
-@@ -865,6 +896,8 @@ server:
+@@ -890,6 +921,8 @@ server:
  	# you need to do the reverse notation yourself.
  	# local-data-ptr: "192.0.2.3 www.example.com"
  
@@ -338,7 +338,7 @@ index fcfb1da..a61b530 100644
  	# tag a localzone with a list of tag names (in "" with spaces between)
  	# local-zone-tag: "example.com" "tag2 tag3"
  
-@@ -875,8 +908,8 @@ server:
+@@ -900,8 +933,8 @@ server:
  	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
  	# Give the certificate to use and private key.
  	# default is "" (disabled).  requires restart to take effect.
@@ -349,7 +349,7 @@ index fcfb1da..a61b530 100644
  	# tls-port: 853
  	# https-port: 443
  
-@@ -884,6 +917,8 @@ server:
+@@ -909,6 +942,8 @@ server:
  	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
  	# cipher setting for TLSv1.3
  	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
@@ -358,22 +358,24 @@ index fcfb1da..a61b530 100644
  
  	# Pad responses to padded queries received over TLS
  	# pad-responses: yes
-@@ -1005,12 +1040,12 @@ server:
- 	# fast-server-num: 3
+@@ -1050,12 +1085,14 @@ server:
+ 	# cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt"
  
  	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
 -	# ede: no
++	# Fedora defaults to yes.
 +	ede: yes
  
  	# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
  	# Answer as EDNS0 option to expired responses.
  	# Note that the ede option above needs to be enabled for this to work.
 -	# ede-serve-expired: no
++	# Fedora defaults to yes.
 +	ede-serve-expired: yes
  
  	# Specific options for ipsecmod. Unbound needs to be configured with
  	# --enable-ipsecmod for these to take effect.
-@@ -1018,12 +1053,14 @@ server:
+@@ -1063,12 +1100,14 @@ server:
  	# Enable or disable ipsecmod (it still needs to be defined in
  	# module-config above). Can be used when ipsecmod needs to be
  	# enabled/disabled via remote-control(below).
@@ -391,7 +393,7 @@ index fcfb1da..a61b530 100644
  	# When enabled Unbound will reply with SERVFAIL if the return value of
  	# the ipsecmod-hook is not 0.
  	# ipsecmod-strict: no
-@@ -1056,7 +1093,7 @@ server:
+@@ -1101,7 +1140,7 @@ server:
  # o and give a python-script to run.
  python:
  	# Script file to load
@@ -400,7 +402,7 @@ index fcfb1da..a61b530 100644
  
  # Dynamic library config section. To enable:
  # o use --with-dynlibmodule to configure before compiling.
-@@ -1067,13 +1104,14 @@ python:
+@@ -1112,13 +1151,14 @@ python:
  #   the module-config then you need one dynlib-file per instance.
  dynlib:
  	# Script file to load
@@ -417,7 +419,7 @@ index fcfb1da..a61b530 100644
  
  	# what interfaces are listened to for remote control.
  	# give 0.0.0.0 and ::0 to listen to all interfaces.
-@@ -1081,6 +1119,7 @@ remote-control:
+@@ -1126,6 +1166,7 @@ remote-control:
  	# are not used for that, so key and cert files need not be present.
  	# control-interface: 127.0.0.1
  	# control-interface: ::1
@@ -425,7 +427,7 @@ index fcfb1da..a61b530 100644
  
  	# port number for remote control operations.
  	# control-port: 8953
-@@ -1090,16 +1129,19 @@ remote-control:
+@@ -1135,16 +1176,19 @@ remote-control:
  	# control-use-cert: "yes"
  
  	# Unbound server key file.
@@ -449,7 +451,7 @@ index fcfb1da..a61b530 100644
  
  # Stub zones.
  # Create entries like below, to make all queries for 'example.com' and
-@@ -1121,6 +1163,10 @@ remote-control:
+@@ -1166,6 +1210,10 @@ remote-control:
  #	name: "example.org"
  #	stub-host: ns.example.com.
  
@@ -460,7 +462,7 @@ index fcfb1da..a61b530 100644
  # Forward zones
  # Create entries like below, to make all queries for 'example.com' and
  # 'example.org' go to the given list of servers. These servers have to handle
-@@ -1138,6 +1184,10 @@ remote-control:
+@@ -1183,6 +1231,10 @@ remote-control:
  # forward-zone:
  # 	name: "example.org"
  # 	forward-host: fwd.example.com
@@ -471,16 +473,13 @@ index fcfb1da..a61b530 100644
  
  # Authority zones
  # The data for these zones is kept locally, from a file or downloaded.
-@@ -1145,30 +1195,31 @@ remote-control:
- # upstream (which saves a lookup to the upstream).  The first example
- # has a copy of the root for local usage.  The second serves example.org
- # authoritatively.  zonefile: reads from file (and writes to it if you also
--# download it), primary: fetches with AXFR and IXFR, or url to zonefile.
--# With allow-notify: you can give additional (apart from primaries and urls)
--# sources of notifies.
+@@ -1193,27 +1245,28 @@ remote-control:
+ # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
+ # With allow-notify: you can give additional (apart from primaries and urls)
+ # sources of notifies.
 -# auth-zone:
 -#	name: "."
--#	primary: 199.9.14.201         # b.root-servers.net
+-#	primary: 170.247.170.2        # b.root-servers.net
 -#	primary: 192.33.4.12          # c.root-servers.net
 -#	primary: 199.7.91.13          # d.root-servers.net
 -#	primary: 192.5.5.241          # f.root-servers.net
@@ -488,7 +487,7 @@ index fcfb1da..a61b530 100644
 -#	primary: 193.0.14.129         # k.root-servers.net
 -#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
 -#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
--#	primary: 2001:500:200::b      # b.root-servers.net
+-#	primary: 2801:1b8:10::b       # b.root-servers.net
 -#	primary: 2001:500:2::c        # c.root-servers.net
 -#	primary: 2001:500:2d::d       # d.root-servers.net
 -#	primary: 2001:500:2f::f       # f.root-servers.net
@@ -499,12 +498,9 @@ index fcfb1da..a61b530 100644
 -#	fallback-enabled: yes
 -#	for-downstream: no
 -#	for-upstream: yes
-+# download it), master: fetches with AXFR and IXFR, or url to zonefile.
-+# With allow-notify: you can give additional (apart from masters) sources of
-+# notifies.
-+auth-zone:
++ auth-zone:
 +	name: "."
-+	primary: 199.9.14.201         # b.root-servers.net
++	primary: 170.247.170.2        # b.root-servers.net
 +	primary: 192.33.4.12          # c.root-servers.net
 +	primary: 199.7.91.13          # d.root-servers.net
 +	primary: 192.5.5.241          # f.root-servers.net
@@ -512,7 +508,7 @@ index fcfb1da..a61b530 100644
 +	primary: 193.0.14.129         # k.root-servers.net
 +	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
 +	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-+	primary: 2001:500:200::b      # b.root-servers.net
++	primary: 2801:1b8:10::b       # b.root-servers.net
 +	primary: 2001:500:2::c        # c.root-servers.net
 +	primary: 2001:500:2d::d       # d.root-servers.net
 +	primary: 2001:500:2f::f       # f.root-servers.net
@@ -527,7 +523,7 @@ index fcfb1da..a61b530 100644
  # auth-zone:
  #	name: "example.org"
  #	for-downstream: yes
-@@ -1194,6 +1245,9 @@ remote-control:
+@@ -1239,6 +1292,9 @@ remote-control:
  #	name: "anotherview"
  #	local-zone: "example.com" refuse
  
@@ -537,7 +533,7 @@ index fcfb1da..a61b530 100644
  # DNSCrypt
  # To enable, use --enable-dnscrypt to configure before compiling.
  # Caveats:
-@@ -1266,7 +1320,7 @@ remote-control:
+@@ -1314,7 +1370,7 @@ remote-control:
  # 	dnstap-enable: no
  # 	# if set to yes frame streams will be used in bidirectional mode
  # 	dnstap-bidirectional: yes
@@ -547,5 +543,5 @@ index fcfb1da..a61b530 100644
  # 	# set it to "IPaddress[@port]" of the destination.
  # 	dnstap-ip: ""
 -- 
-2.43.0
+2.46.0
 

unbound.spec

@@ -6,6 +6,8 @@
 %bcond_without doh
 %bcond_with redis
 
+%global forgeurl0 https://github.com/NLnetLabs/unbound
+%global downloads https://nlnetlabs.nl/downloads
 %global _hardened_build 1
 
 #global extra_version rc1
@@ -30,11 +32,12 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.19.1
+Version: 1.21.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
-Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
+VCS: git:%{forgeurl0}
+Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
 Source3: unbound.munin
 Source4: unbound_munin_
@@ -50,20 +53,14 @@ Source14: unbound.sysconfig
 Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
-Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
+Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 # source: https://nlnetlabs.nl/people/
 Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source20: unbound.sysusers
+Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
 
 # Downstream configuration changes
 Patch1:   unbound-fedora-config.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2253461
-# https://github.com/NLnetLabs/unbound/commit/a8739bad76d4d179290627e989c7ef236345bda6
-Patch2:   unbound-1.19-b.root-servers.net.patch
-# https://github.com/NLnetLabs/unbound/pull/993
-Patch3:   unbound-1.19-b.root-servers.net-conf.patch
-# https://github.com/NLnetLabs/unbound/commit/ccbe31c21f91ae96e759547be264a34ac63f4f90
-Patch4: unbound-1.19-EDE-cpu-lock.patch
 
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
@@ -192,30 +189,23 @@ Python 3 modules and extensions for unbound
 
 %prep
 %if 0%{?fedora}
-%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
+%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
 
 %if 0%{with_python2} && 0%{with_python3}
-%global dir_primary %{pkgname}_python3
 %global python_primary %{__python3}
 %global dir_secondary %{pkgname}_python2
 %global python_secondary %{__python2}
-%else
-%global dir_primary %{pkgname}
 %endif
 
-%autosetup -c -N -n %{pkgname}
+%autosetup -N -n %{pkgname}
 
-pushd %{pkgname}
 # patches go here
-%autopatch -p2
-
+%autopatch -p1
 # only for snapshots
 # autoreconf -iv
 
-# copy common doc files - after here, since it may be patched
-cp -pr doc pythonmod libunbound ../
 
 %if 0%{?rhel} > 8
   # SHA-1 breaks some tests. Disable just some tests because of that.
@@ -225,11 +215,9 @@ cp -pr doc pythonmod libunbound ../
     mv testdata/${TEST}.rpl{,-disabled} 
   done
 %endif
-popd
 
 %if 0%{with_python2} && 0%{with_python3}
-mv %{pkgname} %{dir_primary}
-cp -a %{dir_primary} %{dir_secondary}
+  cp -a . %{dir_secondary}
 %endif
 
 %build
@@ -247,10 +235,10 @@ cp -a %{dir_primary} %{dir_secondary}
             --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
             --with-username=unbound \\\
             --enable-linux-ip-local-port-range \\\
+            --with-dynlibmodule \\\
+#
 
 
-pushd %{dir_primary}
-
 %configure  \
 %if 0%{?python_primary:1}
             --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
@@ -276,8 +264,6 @@ pushd %{dir_primary}
 %make_build
 %make_build streamtcp
 
-popd
-
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
 %configure  \
@@ -305,11 +291,9 @@ pushd %{dir_secondary}
 popd
 %endif
 
-pushd %{dir_primary}
 %make_install unbound-event-install
 install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
 install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
-popd
 
 install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
 install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
@@ -330,11 +314,9 @@ for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unboun
 done
 %endif
 
-pushd %{dir_primary}
 # install streamtcp man page
 install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
 install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
-popd
 
 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
@@ -405,15 +387,12 @@ fi
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 
 %check
-pushd %{dir_primary}
 #pushd pythonmod
 #make test
 #popd
 
 make check
 
-popd
-
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
 #pushd pythonmod