Remove additional subdirectory for python3 build

Python2 builds are not common anymore. Make basic unbound directory for
primary build in normal default directory. Try subdirectory only for
alternative secondary build, if enabled.

.gitignore

@@ -89,15 +89,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.19.3.tar.gz.asc
 /unbound-1.20.0.tar.gz
 /unbound-1.20.0.tar.gz.asc
-/unbound-1.21.0.tar.gz
-/unbound-1.21.0.tar.gz.asc
 /unbound-1.21.1.tar.gz
 /unbound-1.21.1.tar.gz.asc
-/unbound-1.22.0.tar.gz
-/unbound-1.22.0.tar.gz.asc
-/unbound-1.23.0.tar.gz
-/unbound-1.23.0.tar.gz.asc
-/unbound-1.23.1.tar.gz
-/unbound-1.23.1.tar.gz.asc
-/unbound-1.*.tar.gz
-/unbound-1.*.tar.gz.asc

Yorgos.asc

@@ -13,31 +13,31 @@ S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS
 g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB
 tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX
 BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5
-NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d
-lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc
-BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz
-kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI
-MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL
-ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL
-8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b
-CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO
-jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv
-ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU
-OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl
-InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8
+NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt
+C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs
+n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU
+BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f
+DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI
+Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP
+ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8
+RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA
+zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK
+9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1
+5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY
+nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8
 Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC
-AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP
-8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA
-18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J
-9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc
-mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY
-HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/
-4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi
-7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7
-rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6
-AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B
-pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK
-3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS
+AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP
+8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG
+pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu
+gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW
+ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7
+bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar
+qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/
+yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn
+aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6
+tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh
+KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP
+qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS
 AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY
 Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk
 cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w
@@ -58,18 +58,18 @@ BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU
 TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y
 Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB
 CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0
-TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4
-Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D
-Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N
-O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH
-gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E
-oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui
-6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE
-dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p
-oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa
-7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/
-btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz
-a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/
+TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1
+/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K
+o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3
+GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7
+iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2
+WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN
+9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM
+LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ
+CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc
+/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j
+QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA
+zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/
 VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H
 jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t
 hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv
@@ -89,18 +89,18 @@ Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh
 gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf
 FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA
 b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe
-AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q
-h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA
-5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5
-cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H
-Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew
-7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i
-5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w
-8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N
-jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas
-/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7
-UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ
-rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q
+h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM
+f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3
+aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp
+n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW
++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM
+4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV
+0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3
+1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH
+ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC
+87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4
+sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB
 EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih
 lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y
 rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW
@@ -112,17 +112,17 @@ GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf
 hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+
 LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8
 sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm
-AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH
-pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V
-ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8
-yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ
-yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1
-0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb
-Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ
-kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc
-aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ
-GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS
-UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+
-ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g=
-=Ubkv
+AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH
+pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A
+GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo
+JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3
+60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR
+tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS
+xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS
+fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm
+sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/
+ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O
+BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK
+SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8=
+=iknu
 -----END PGP PUBLIC KEY BLOCK-----

fedora-defaults.conf

@@ -1,229 +0,0 @@
-# Fedora distribution defaults
-
-server:
-	# verbosity number, 0 is least verbose. 1 is default.
-	verbosity: 1
-
-	# print statistics to the log (for every thread) every N seconds.
-	# Set to "" or 0 to disable. Default is disabled.
-	# Needs to be disabled for munin plugin
-	statistics-interval: 0
-
-	# enable cumulative statistics, without clearing them after printing.
-	# Needs to be disabled for munin plugin
-	statistics-cumulative: no
-
-	# enable extended statistics (query types, answer codes, status)
-	# Needs to be enabled for munin plugin
-	extended-statistics: yes
-
-	# number of threads to create. 1 disables threading.
-	# num-threads: 1
-	num-threads: 4
-
-	# specify the interfaces to answer queries from by ip-address.
-	# The default is to listen to localhost (127.0.0.1 and ::1).
-	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
-	# specify every interface[@port] on a new 'interface:' labelled line.
-	# The listen interfaces are not changed on reload, only on restart.
-	# interface: 0.0.0.0
-	# interface: ::0
-	# interface: 192.0.2.153
-	# interface: 192.0.2.154
-	# interface: 192.0.2.154@5003
-	# interface: 2001:DB8::5
-	# interface: eth0@5003
-	#
-	# for dns over tls and raw dns over port 80
-	# interface: 0.0.0.0@443
-	# interface: ::0@443
-	# interface: 0.0.0.0@80
-	# interface: ::0@80
-
-	# enable this feature to copy the source address of queries to reply.
-	# Socket options are not supported on all platforms. experimental.
-	# interface-automatic: yes
-	#
-	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
-	# NOTE: Disabled per Fedora policy not to listen to * on default install
-	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
-	interface-automatic: no
-
-	# permit Unbound to use this port number or port range for
-	# making outgoing queries, using an outgoing interface.
-	# Only ephemeral ports are allowed by SElinux
-	outgoing-port-permit: 32768-60999
-
-	# IANA-assigned port numbers.
-	# If multiple outgoing-port-permit and outgoing-port-avoid options
-	# are present, they are processed in order.
-	# Our SElinux policy does not allow non-ephemeral ports to be used
-	outgoing-port-avoid: 0-32767
-	outgoing-port-avoid: 61000-65535
-
-	# use SO_REUSEPORT to distribute queries over threads.
-	# at extreme load it could be better to turn it off to distribute even.
-	so-reuseport: yes
-	 
-	# use IP_TRANSPARENT so the interface: addresses can be non-local
-	# and you can config non-existing IPs that are going to work later on
-	# (uses IP_BINDANY on FreeBSD).
-	ip-transparent: yes
-
-	# Enable UDP, "yes" or "no".
-	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
-	# disable UDP to avoid being used in DNS amplification attacks.
-	# do-udp: yes
-
-	# Enable EDNS TCP keepalive option.
-	edns-tcp-keepalive: yes
-
-	# Fedora note: do not activate this - not compiled in because
-	# it causes frequent unbound crashes. Also, socket activation
-	# is bad when you have things like dnsmasq also running with libvirt.
-	# Use systemd socket activation for UDP, TCP, and control sockets.
-	# use-systemd: no
-
-	# If you give "" no chroot is performed. The path must not end in a /.
-	# chroot: "/etc/unbound"
-	chroot: ""
-
-	# If you give a server: directory: dir before include: file statements
-	# then those includes can be relative to the working directory.
-	directory: "/etc/unbound"
-
-	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
-	log-time-ascii: yes
-
-	# Harden against unseemly large queries.
-	harden-large-queries: yes
-
-	# Harden against unverified (outside-zone, including sibling zone) glue rrsets
-	harden-unverified-glue: yes
-
-	# Default off, because the lookups burden the server.  Experimental
-	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
-	harden-referral-path: yes
-
-	# Sent minimum amount of information to upstream servers to enhance
-	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
-	# to A when possible.
-	qname-minimisation: yes
-
-	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
-	# and other denials, using information from previous NXDOMAINs answers.
-	aggressive-nsec: yes
-
-	# threshold, a warning is printed and a defensive action is taken,
-	# the cache is cleared to flush potential poison out of it.
-	# A suggested value is 10000000, the default is 0 (turned off).
-	unwanted-reply-threshold: 10000000
-
-	# if yes, perform prefetching of almost expired message cache entries.
-	prefetch: yes
-
-	# if yes, perform key lookups adjacent to normal lookups.
-	prefetch-key: yes
-
-	# deny queries of type ANY with an empty response.
-	deny-any: yes
-
-	# if yes, Unbound rotates RRSet order in response.
-	rrset-roundrobin: yes
-
-	# if yes, Unbound doesn't insert authority/additional sections
-	# into response messages when those sections are not required.
-	minimal-responses: yes
-
-	# module configuration of the server. A string with identifiers
-	# separated by spaces. Syntax: "[dns64] [validator] iterator"
-	# most modules have to be listed at the beginning of the line,
-	# except cachedb(just before iterator), and python (at the beginning,
-	# or, just before the iterator).
-	# For redis cachedb use:
-	#    "ipsecmod validator cachedb iterator"
-	module-config: "ipsecmod validator iterator"
-
-	# trust anchor signaling sends a RFC8145 key tag query after priming.
-	trust-anchor-signaling: yes
-
-	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
-	root-key-sentinel: yes
-
-	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
-	# you need external update procedures to track changes in keys.
-	# trusted-keys-file: ""
-	#
-	trusted-keys-file: /etc/unbound/keys.d/*.key
-	auto-trust-anchor-file: "/var/lib/unbound/root.key"
-
-	# Should additional section of secure message also be kept clean of
-	# unsecure data. Useful to shield the users of this validator from
-	# potential bogus data in the additional section. All unsigned data
-	# in the additional section is removed from secure messages.
-	val-clean-additional: yes
-
-	# Turn permissive mode on to permit bogus messages. Thus, messages
-	# for which security checks failed will be returned to clients,
-	# instead of SERVFAIL. It still performs the security checks, which
-	# result in interesting log files and possibly the AD bit in
-	# replies if the message is found secure. The default is off.
-	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
-	val-permissive-mode: no
-
-	# Serve expired responses from cache, with serve-expired-reply-ttl in
-	# the response, and then attempt to fetch the data afresh.
-	serve-expired: yes
-
-	# Limit serving of expired responses to configured seconds after
-	# expiration. 0 disables the limit.
-	serve-expired-ttl: 14400
-
-	# Have the validator log failed validations for your diagnosis.
-	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
-	val-log-level: 1
-
-	# service clients over TLS (on the TCP sockets) with plain DNS inside
-	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
-	# Give the certificate to use and private key.
-	# default is "" (disabled).  requires restart to take effect.
-	# tls-service-key: "/etc/unbound/unbound_server.key"
-	# tls-service-pem: "/etc/unbound/unbound_server.pem"
-
-	# Fedora/RHEL: use system-wide crypto policies
-	tls-ciphers: "PROFILE=SYSTEM"
-
-	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
-	# Fedora defaults to yes.
-	ede: yes
-
-	# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
-	# Answer as EDNS0 option to expired responses.
-	# Note that the ede option above needs to be enabled for this to work.
-	# Fedora defaults to yes.
-	ede-serve-expired: yes
-
-	# Enable or disable ipsecmod (it still needs to be defined in
-	# module-config above). Can be used when ipsecmod needs to be
-	# enabled/disabled via remote-control(below).
-	# Fedora: module will be enabled on-demand by libreswan
-	ipsecmod-enabled: no
-
-	# Path to executable external hook. It must be defined when ipsecmod is
-	# listed in module-config (above).
-	ipsecmod-hook: /usr/libexec/ipsec/_unbound-hook
-
-python:
-	# Script file to load
-	# python-script: "/etc/unbound/ubmodule-tst.py"
- 
-# Remote control config section moved into own remote-control.conf
-
-#   the module-config then you need one dynlib-file per instance.
-dynlib:
-	# Script file to load
-	# dynlib-file: "/etc/unbound/dynlib.so"
-
-# Fedora: DNSCrypt support not enabled since it requires linking to
-#         another crypto library
-#

mkroot.sh

@@ -1,17 +0,0 @@
-#!/bin/sh
-
-SOURCE="/usr/share/dns-root-data/root.key"
-DEST="${1:-root.key}"
-
-mk_key() {
-echo "# Generated from $SOURCE"
-echo "# Use /var/lib/unbound/root.key instead."
-echo "trusted-keys {"
-while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
-echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
-done < "$SOURCE"
-echo "};"
-}
-
-mk_key > "$DEST"
-touch -r "$SOURCE" "$DEST"

module-setup.sh

@@ -1,44 +0,0 @@
-#!/usr/bin/bash
-
-check() {
-    require_binaries unbound unbound-checkconf unbound-control || return 1
-    # the module will be only included if explicitly required either
-    # by configuration or another module
-    return 255
-}
-
-depends() {
-    # because of pid file we need sysusers to create unbound user
-    echo systemd systemd-sysusers
-    return 0
-}
-
-install() {
-    # We have to make unbound wanted by network-online target to make sure
-    # there is a synchronization point when other services are able
-    # to make queries
-    inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
-
-    # /etc and /var/lib do not have its variables
-    inst_multiple -o \
-    "$systemdsystemunitdir"/unbound.service \
-    /etc/unbound/conf.d/remote-control.conf \
-    /etc/unbound/openssl-sha1.conf \
-    /usr/share/unbound/fedora-defaults.conf \
-    /usr/share/unbound/conf.d/*.conf \
-    /etc/unbound/local.d/*.conf \
-    /etc/unbound/keys.d/*.key \
-    /etc/unbound/unbound.conf \
-    /etc/unbound/unbound_control.key \
-    /etc/unbound/unbound_control.pem \
-    /etc/unbound/unbound_server.key \
-    /etc/unbound/unbound_server.pem \
-    "$sysusers"/unbound.conf \
-    "$tmpfilesdir"/unbound.conf \
-    /var/lib/unbound/root.key \
-    unbound \
-    unbound-checkconf \
-    unbound-control
-
-    $SYSTEMCTL -q --root "$initdir" enable unbound.service
-}

nlnetlabs2026-g2.asc

@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE
-50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz
-0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D
-+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z
-Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ
-SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO
-gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM
-LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi
-S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl
-eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+
-9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
-EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT
-l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b
-HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS
-rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/
-OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K
-vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja
-eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+
-NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV
-K6vVKMmB0qru6ERJ3g==
-=4R8U
------END PGP PUBLIC KEY BLOCK-----

openssl-sha1.conf

@@ -1,8 +0,0 @@
-# OpenSSL configuration file to allow SHA1 validation,
-# regardless of crypto-policy selected.
-# Use it by adding into /etc/sysconfig/unbound:
-# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
-.include = /etc/ssl/openssl.cnf
-
-[evp_properties]
-rh-allow-sha1-signatures = yes

plans/all.fmf

@@ -1,7 +1,7 @@
 summary: Test plan with all Fedora tests
 discover:
        how: fmf
-       url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
+       url: https://src.fedoraproject.org/tests/unbound.git
 execute:
        how: tmt
 

plans/tier1-public.fmf

@@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
     how: fmf
-    url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
+    url: https://src.fedoraproject.org/tests/unbound.git
     filter: 'tier: 1'
 execute:
     how: tmt

remote-control-include.conf

@@ -1,4 +0,0 @@
-# Previous defaults allowed any process to change settings, CVE-2023-1488
-# If you want to modify remote configuration, replace this file with
-# contents of included file and modify afterwards.
-include: "/usr/share/unbound/conf.d/remote-control.conf"

remote-control.conf

@@ -1,26 +0,0 @@
-# Remote control config section update.
-# Previous defaults allowed any process to change settings, CVE-2023-1488
-# This file can be used also by: unbound-control -c <path>
-remote-control:
-	# Enable remote control with unbound-control(8) here.
-	# set up the keys and certificates with unbound-control-setup.
-	control-enable: yes
-
-	# set to an absolute path to use a unix local name pipe, certificates
-	# are not used for that, so key and cert files need not be present.
-	control-interface: "/run/unbound/control"
-
-	# For local sockets this option is ignored, and TLS is not used.
-	control-use-cert: "yes"
-
-	# Unbound server key file.
-	server-key-file: "/etc/unbound/unbound_server.key"
-
-	# Unbound server certificate file.
-	server-cert-file: "/etc/unbound/unbound_server.pem"
-
-	# unbound-control key file.
-	control-key-file: "/etc/unbound/unbound_control.key"
-
-	# unbound-control certificate file.
-	control-cert-file: "/etc/unbound/unbound_control.pem"

root.anchor

@@ -1,2 +1 @@
-.	172800	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 .       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}

root.key

@@ -0,0 +1,6 @@
+; // The root key in bind format. This can be read by most tools, including
+; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+trusted-keys {
+"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
+
+};

sources

@@ -1,2 +1,2 @@
-SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
-SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
+SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7
+SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248

tmpfiles-unbound-libs.conf

@@ -1,2 +0,0 @@
-d /var/lib/unbound          0755  unbound unbound -
-L /var/lib/unbound/root.key -     -       -       -   ../../../etc/unbound/dnssec-root.key

tmpfiles-unbound.conf

@@ -1 +1 @@
-D /run/unbound 0775 unbound root -
+D /run/unbound 0755 unbound unbound -

unbound-1.24-quic-on-demand-only.patch

@@ -1,171 +0,0 @@
-From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Mon, 24 Nov 2025 13:44:14 +0100
-Subject: [PATCH] Do not initialize quic_table unless it is enabled
-
-Fedora in FIPS mode might fail to initialize ngtcp2 library, because
-some ciphers desired are not available.
-
-Make it possible to skip initialization by setting explicitly quic_port
-to 0. Unless we have some listeners for port 853 configured, skip its
-initialization as well.
-
-Related: https://pagure.io/freeipa/issue/9877
----
- daemon/daemon.c           | 14 +++++++++-----
- services/listen_dnsport.c | 14 +++++++++++---
- util/configparser.y       | 15 +++++++++------
- util/netevent.c           |  3 +++
- 4 files changed, 32 insertions(+), 14 deletions(-)
-
-diff --git a/daemon/daemon.c b/daemon/daemon.c
-index f882bb9ad..a9cc25c67 100644
---- a/daemon/daemon.c
-+++ b/daemon/daemon.c
-@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon)
- 	verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
- 
- #ifdef HAVE_NGTCP2
--	daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
--	if(!daemon->doq_table)
--		fatal_exit("could not create doq_table: out of memory");
-+	if (cfg_has_quic(daemon->cfg)) {
-+		daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
-+		if(!daemon->doq_table)
-+			fatal_exit("could not create doq_table: out of memory");
-+	}
- #endif
- 	
- 	daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
-@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon)
- 	daemon->dnscenv = NULL;
- #endif
- #ifdef HAVE_NGTCP2
--	doq_table_delete(daemon->doq_table);
--	daemon->doq_table = NULL;
-+	if (daemon->doq_table) {
-+		doq_table_delete(daemon->doq_table);
-+		daemon->doq_table = NULL;
-+	}
- #endif
- 	daemon->cfg = NULL;
- }
-diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
-index f7fcca194..ab8f1ba72 100644
---- a/services/listen_dnsport.c
-+++ b/services/listen_dnsport.c
-@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
- 			cp = comm_point_create_udp(base, ports->fd,
- 				front->udp_buff, ports->pp2_enabled, cb,
- 				cb_arg, ports->socket);
--		} else if(ports->ftype == listen_type_doq) {
-+		} else if(ports->ftype == listen_type_doq && doq_table) {
- #ifndef HAVE_NGTCP2
- 			log_warn("Unbound is not compiled with "
- 				"ngtcp2. This is required to use DNS "
-@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void)
- struct doq_table*
- doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
- {
--	struct doq_table* table = calloc(1, sizeof(*table));
-+	struct doq_table* table;
-+
-+	if (!cfg->quic_port)
-+		return NULL;
-+	table = calloc(1, sizeof(*table));
- 	if(!table)
- 		return NULL;
- #ifdef USE_NGTCP2_CRYPTO_OSSL
-@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg)
- {
- 	struct doq_table* table = (struct doq_table*)arg;
- 	struct doq_conn* conn;
--	if(!node)
-+	if(!node || !table)
- 		return;
- 	conn = (struct doq_conn*)node->key;
- 	if(conn->timer.timer_in_list) {
-@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv)
- {
- 	struct doq_timer key;
- 	struct rbnode_type* node;
-+	log_assert(table != NULL);
- 	memset(&key, 0, sizeof(key));
- 	key.time.tv_sec = tv->tv_sec;
- 	key.time.tv_usec = tv->tv_usec;
-@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen)
- 	key.node.key = &key;
- 	key.cid = (void*)data;
- 	key.cidlen = datalen;
-+	log_assert(table != NULL);
- 	node = rbtree_search(table->conid_tree, &key);
- 	if(node)
- 		return (struct doq_conid*)node->key;
-@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table,
- 	struct config_file* cfg, size_t mem)
- {
- 	size_t cur;
-+	if (!table)
-+		return 0;
- 	lock_basic_lock(&table->size_lock);
- 	cur = table->current_size;
- 	lock_basic_unlock(&table->size_lock);
-diff --git a/util/configparser.y b/util/configparser.y
-index bf9c196fc..f159b8cec 100644
---- a/util/configparser.y
-+++ b/util/configparser.y
-@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
- server_quic_port: VAR_QUIC_PORT STRING_ARG
- 	{
- 		OUTYY(("P(server_quic_port:%s)\n", $2));
-+		if(atoi($2) == 0 && strcmp($2,"0")!=0)
-+			yyerror("port number expected");
-+		else {
-+			cfg_parser->cfg->quic_port = atoi($2);
- #ifndef HAVE_NGTCP2
--		log_warn("%s:%d: Unbound is not compiled with "
--			"ngtcp2. This is required to use DNS "
--			"over QUIC.", cfg_parser->filename, cfg_parser->line);
-+			if (cfg_parser->cfg->quic_port != 0)
-+				log_warn("%s:%d: Unbound is not compiled with "
-+					"ngtcp2. This is required to use DNS "
-+					"over QUIC.", cfg_parser->filename, cfg_parser->line);
- #endif
--		if(atoi($2) == 0)
--			yyerror("port number expected");
--		else cfg_parser->cfg->quic_port = atoi($2);
-+		}
- 		free($2);
- 	};
- server_quic_size: VAR_QUIC_SIZE STRING_ARG
-diff --git a/util/netevent.c b/util/netevent.c
-index aedcb5e07..93db16675 100644
---- a/util/netevent.c
-+++ b/util/netevent.c
-@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd,
- {
- 	size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */
- 	struct doq_server_socket* doq_socket;
-+	log_assert(doq_table != NULL);
- 	doq_socket = calloc(1, sizeof(*doq_socket));
- 	if(!doq_socket) {
- 		return NULL;
-@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo)
- {
- 	struct doq_conn* conn;
- 	struct doq_conn_key key;
-+	log_assert(table != NULL);
- 	doq_conn_key_from_repinfo(&key, repinfo);
- 	lock_rw_rdlock(&table->lock);
- 	conn = doq_conn_find(table, &key.paddr.addr,
-@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer,
- 	struct config_file* cfg)
- {
- #ifdef HAVE_NGTCP2
-+	log_assert(table != NULL);
- 	struct comm_point* c = (struct comm_point*)calloc(1,
- 		sizeof(struct comm_point));
- 	short evbits;
--- 
-2.52.0
-

unbound-1.24-swig-function.patch

@@ -1,26 +0,0 @@
-From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Fri, 24 Oct 2025 20:20:50 +0200
-Subject: [PATCH] Use $action instead of $function in python SWIG interface
-
-$function is not supported since SWIG 4.4.0.
----
- libunbound/python/libunbound.i | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
-index dc12514..4576844 100644
---- a/libunbound/python/libunbound.i
-+++ b/libunbound/python/libunbound.i
-@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
- %{ 
-   //printf("resolve_start(%lX)\n",(long unsigned int)arg1);
-   Py_BEGIN_ALLOW_THREADS 
--  $function 
-+  $action 
-   Py_END_ALLOW_THREADS 
-   //printf("resolve_stop()\n");
- %} 
--- 
-2.51.0
-

unbound-anchor.service

@@ -6,5 +6,5 @@ Documentation=man:unbound-anchor(8)
 Type=oneshot
 User=unbound
 EnvironmentFile=-/etc/sysconfig/unbound
-ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ] || [ -f /run/unbound/anchor-disable ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
+ExecStart=/bin/bash -c 'if [ "$DISABLE_UNBOUND_ANCHOR" = "yes" ]; then echo "Updates of root keys with unbound-anchor is disabled"; else /usr/sbin/unbound-anchor $UNBOUND_ANCHOR_OPTIONS; fi'
 SuccessExitStatus=1

unbound-as112-networks.conf

@@ -1,118 +0,0 @@
-# Allow forwarding of private ranges, which are marked forwardable by IANA
-# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
-# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
-# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
-# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
-#
-# Using this configuration file will simplify forwarding to potentially private ranges.
-# Enables forwarding of networks marked as forwardable at IANA special registry.
-# This is useful when upstream forwarder may be still inside private network. That is the case
-# when unbound works as a localhost DNS cache, not network wide resolver.
-
-server:
-	# RFC 8375: Special-Use Domain 'home.arpa.'
-	local-zone: "home.arpa." nodefault
-
-	# RFC 1918: Address Allocation for Private Internets
-	local-zone: "10.in-addr.arpa." nodefault
-	local-zone: "16.172.in-addr.arpa." nodefault
-	local-zone: "17.172.in-addr.arpa." nodefault
-	local-zone: "18.172.in-addr.arpa." nodefault
-	local-zone: "19.172.in-addr.arpa." nodefault
-	local-zone: "20.172.in-addr.arpa." nodefault
-	local-zone: "21.172.in-addr.arpa." nodefault
-	local-zone: "22.172.in-addr.arpa." nodefault
-	local-zone: "23.172.in-addr.arpa." nodefault
-	local-zone: "24.172.in-addr.arpa." nodefault
-	local-zone: "25.172.in-addr.arpa." nodefault
-	local-zone: "26.172.in-addr.arpa." nodefault
-	local-zone: "27.172.in-addr.arpa." nodefault
-	local-zone: "28.172.in-addr.arpa." nodefault
-	local-zone: "29.172.in-addr.arpa." nodefault
-	local-zone: "30.172.in-addr.arpa." nodefault
-	local-zone: "31.172.in-addr.arpa." nodefault
-	local-zone: "168.192.in-addr.arpa." nodefault
-	# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
-	local-zone: "64.100.in-addr.arpa." nodefault
-	local-zone: "65.100.in-addr.arpa." nodefault
-	local-zone: "66.100.in-addr.arpa." nodefault
-	local-zone: "67.100.in-addr.arpa." nodefault
-	local-zone: "68.100.in-addr.arpa." nodefault
-	local-zone: "69.100.in-addr.arpa." nodefault
-	local-zone: "70.100.in-addr.arpa." nodefault
-	local-zone: "71.100.in-addr.arpa." nodefault
-	local-zone: "72.100.in-addr.arpa." nodefault
-	local-zone: "73.100.in-addr.arpa." nodefault
-	local-zone: "74.100.in-addr.arpa." nodefault
-	local-zone: "75.100.in-addr.arpa." nodefault
-	local-zone: "76.100.in-addr.arpa." nodefault
-	local-zone: "77.100.in-addr.arpa." nodefault
-	local-zone: "78.100.in-addr.arpa." nodefault
-	local-zone: "79.100.in-addr.arpa." nodefault
-	local-zone: "80.100.in-addr.arpa." nodefault
-	local-zone: "81.100.in-addr.arpa." nodefault
-	local-zone: "82.100.in-addr.arpa." nodefault
-	local-zone: "83.100.in-addr.arpa." nodefault
-	local-zone: "84.100.in-addr.arpa." nodefault
-	local-zone: "85.100.in-addr.arpa." nodefault
-	local-zone: "86.100.in-addr.arpa." nodefault
-	local-zone: "87.100.in-addr.arpa." nodefault
-	local-zone: "88.100.in-addr.arpa." nodefault
-	local-zone: "89.100.in-addr.arpa." nodefault
-	local-zone: "90.100.in-addr.arpa." nodefault
-	local-zone: "91.100.in-addr.arpa." nodefault
-	local-zone: "92.100.in-addr.arpa." nodefault
-	local-zone: "93.100.in-addr.arpa." nodefault
-	local-zone: "94.100.in-addr.arpa." nodefault
-	local-zone: "95.100.in-addr.arpa." nodefault
-	local-zone: "96.100.in-addr.arpa." nodefault
-	local-zone: "97.100.in-addr.arpa." nodefault
-	local-zone: "98.100.in-addr.arpa." nodefault
-	local-zone: "99.100.in-addr.arpa." nodefault
-	local-zone: "100.100.in-addr.arpa." nodefault
-	local-zone: "101.100.in-addr.arpa." nodefault
-	local-zone: "102.100.in-addr.arpa." nodefault
-	local-zone: "103.100.in-addr.arpa." nodefault
-	local-zone: "104.100.in-addr.arpa." nodefault
-	local-zone: "105.100.in-addr.arpa." nodefault
-	local-zone: "106.100.in-addr.arpa." nodefault
-	local-zone: "107.100.in-addr.arpa." nodefault
-	local-zone: "108.100.in-addr.arpa." nodefault
-	local-zone: "109.100.in-addr.arpa." nodefault
-	local-zone: "110.100.in-addr.arpa." nodefault
-	local-zone: "111.100.in-addr.arpa." nodefault
-	local-zone: "112.100.in-addr.arpa." nodefault
-	local-zone: "113.100.in-addr.arpa." nodefault
-	local-zone: "114.100.in-addr.arpa." nodefault
-	local-zone: "115.100.in-addr.arpa." nodefault
-	local-zone: "116.100.in-addr.arpa." nodefault
-	local-zone: "117.100.in-addr.arpa." nodefault
-	local-zone: "118.100.in-addr.arpa." nodefault
-	local-zone: "119.100.in-addr.arpa." nodefault
-	local-zone: "120.100.in-addr.arpa." nodefault
-	local-zone: "121.100.in-addr.arpa." nodefault
-	local-zone: "122.100.in-addr.arpa." nodefault
-	local-zone: "123.100.in-addr.arpa." nodefault
-	local-zone: "124.100.in-addr.arpa." nodefault
-	local-zone: "125.100.in-addr.arpa." nodefault
-	local-zone: "126.100.in-addr.arpa." nodefault
-	local-zone: "127.100.in-addr.arpa." nodefault
-
-	# RFC 4193: Unique Local IPv6 Unicast Addresses
-	local-zone: "d.f.ip6.arpa." nodefault
-
-	# RFC 2606: Reserved Top Level DNS Names
-	local-zone:      "test." nodefault
-	domain-insecure: "test"
-	domain-insecure: "example"
-
-	# RFC 6762: Multicast DNS, Appendix G
-	domain-insecure: "local"
-	domain-insecure: "intranet"
-	domain-insecure: "private"
-	domain-insecure: "corp"
-	domain-insecure: "home"
-	domain-insecure: "lan"
-
-	# draft-davies-internal-tld
-	domain-insecure: "internal"

unbound-fedora-config.patch

@@ -1,30 +1,60 @@
-From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Fri, 15 Nov 2024 13:25:34 +0100
+From 71cbef33920b3b5704be7eab399da506ab51cde1 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 10 Nov 2023 12:58:31 +0100
 Subject: [PATCH] Customize unbound.conf for Fedora defaults
 
 Set some Fedora/RHEL specific changes to example configuration file. By
 patching upstream provided config file we would not need to manually
 update external copy in source RPM.
 ---
- doc/example.conf.in | 33 +++++++++++++++++++++++++++++++--
- 1 file changed, 31 insertions(+), 2 deletions(-)
+ doc/example.conf.in | 196 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 126 insertions(+), 70 deletions(-)
 
 diff --git a/doc/example.conf.in b/doc/example.conf.in
-index 59090c6..3a86809 100644
+index 130cb4e..7174d81 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
-@@ -8,6 +8,9 @@
- # Use this anywhere in the file to include other text into this file.
- #include: "otherfile.conf"
-
-+# Default Fedora settings
-+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
-+
- # Use this anywhere in the file to include other text, that explicitly starts a
- # clause, into this file. Text after this directive needs to start a clause.
- #include-toplevel: "otherfile.conf"
-@@ -51,11 +51,19 @@ server:
+@@ -17,11 +17,12 @@ server:
+ 	# whitespace is not necessary, but looks cleaner.
+ 
+ 	# verbosity number, 0 is least verbose. 1 is default.
+-	# verbosity: 1
++	verbosity: 1
+ 
+ 	# print statistics to the log (for every thread) every N seconds.
+ 	# Set to "" or 0 to disable. Default is disabled.
+-	# statistics-interval: 0
++	# Needs to be disabled for munin plugin
++	statistics-interval: 0
+ 
+ 	# enable shm for stats, default no.  if you enable also enable
+ 	# statistics-interval, every time it also writes stats to the
+@@ -32,11 +33,13 @@ server:
+ 	# shm-key: 11777
+ 
+ 	# enable cumulative statistics, without clearing them after printing.
+-	# statistics-cumulative: no
++	# Needs to be disabled for munin plugin
++	statistics-cumulative: no
+ 
+ 	# enable extended statistics (query types, answer codes, status)
+-	# printed from unbound-control. Default off, because of speed.
+-	# extended-statistics: no
++	# printed from unbound-control. default off, because of speed.
++	# Needs to be enabled for munin plugin
++	extended-statistics: yes
+ 
+ 	# Inhibits selected extended statistics (qtype, qclass, qopcode, rcode,
+ 	# rpz-actions) from printing if their value is 0.
+@@ -44,22 +47,35 @@ server:
+ 	# statistics-inhibit-zero: yes
+ 
+ 	# number of threads to create. 1 disables threading.
+-	# num-threads: 1
++	num-threads: 4
+ 
+ 	# specify the interfaces to answer queries from by ip-address.
+ 	# The default is to listen to localhost (127.0.0.1 and ::1).
  	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
  	# specify every interface[@port] on a new 'interface:' labelled line.
  	# The listen interfaces are not changed on reload, only on restart.
@@ -44,7 +74,53 @@ index 59090c6..3a86809 100644
  
  	# enable this feature to copy the source address of queries to reply.
  	# Socket options are not supported on all platforms. experimental.
-@@ -285,6 +293,8 @@ server:
+-	# interface-automatic: no
++	# interface-automatic: yes
++	#
++	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
++	# NOTE: Disabled per Fedora policy not to listen to * on default install
++	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
++	interface-automatic: no
+ 
+ 	# instead of the default port, open additional ports separated by
+ 	# spaces when interface-automatic is enabled, by listing them here.
+@@ -94,7 +110,8 @@ server:
+ 
+ 	# permit Unbound to use this port number or port range for
+ 	# making outgoing queries, using an outgoing interface.
+-	# outgoing-port-permit: 32768
++	# Only ephemeral ports are allowed by SElinux
++	outgoing-port-permit: 32768-60999
+ 
+ 	# deny Unbound the use this of port number or port range for
+ 	# making outgoing queries, using an outgoing interface.
+@@ -103,7 +120,9 @@ server:
+ 	# IANA-assigned port numbers.
+ 	# If multiple outgoing-port-permit and outgoing-port-avoid options
+ 	# are present, they are processed in order.
+-	# outgoing-port-avoid: "3200-3208"
++	# Our SElinux policy does not allow non-ephemeral ports to be used
++	outgoing-port-avoid: 0-32767
++	outgoing-port-avoid: 61000-65535
+ 
+ 	# number of outgoing simultaneous tcp buffers to hold per thread.
+ 	# outgoing-num-tcp: 10
+@@ -121,12 +140,12 @@ server:
+ 
+ 	# use SO_REUSEPORT to distribute queries over threads.
+ 	# at extreme load it could be better to turn it off to distribute even.
+-	# so-reuseport: yes
++	so-reuseport: yes
+ 
+ 	# use IP_TRANSPARENT so the interface: addresses can be non-local
+ 	# and you can config non-existing IPs that are going to work later on
+ 	# (uses IP_BINDANY on FreeBSD).
+-	# ip-transparent: no
++	ip-transparent: yes
+ 
+ 	# use IP_FREEBIND so the interface: addresses can be non-local
+ 	# and you can bind to nonexisting IPs and interfaces that are down.
+@@ -276,6 +295,8 @@ server:
  	# nat64-prefix: 64:ff9b::0/96
  
  	# Enable UDP, "yes" or "no".
@@ -53,7 +129,16 @@ index 59090c6..3a86809 100644
  	# do-udp: yes
  
  	# Enable TCP, "yes" or "no".
-@@ -320,6 +330,9 @@ server:
+@@ -301,7 +322,7 @@ server:
+ 	# tcp-idle-timeout: 30000
+ 
+ 	# Enable EDNS TCP keepalive option.
+-	# edns-tcp-keepalive: no
++	edns-tcp-keepalive: yes
+ 
+ 	# Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
+ 	# if edns-tcp-keepalive is set.
+@@ -311,6 +332,9 @@ server:
  	# can be dropped. Default is 0, disabled. In seconds, such as 3.
  	# sock-queue-timeout: 0
  
@@ -63,7 +148,188 @@ index 59090c6..3a86809 100644
  	# Use systemd socket activation for UDP, TCP, and control sockets.
  	# use-systemd: no
  
-@@ -906,6 +919,8 @@ server:
+@@ -424,6 +448,7 @@ server:
+ 	#
+ 	# If you give "" no chroot is performed. The path must not end in a /.
+ 	# chroot: "@UNBOUND_CHROOT_DIR@"
++	chroot: ""
+ 
+ 	# if given, user privileges are dropped (after binding port),
+ 	# and the given username is assumed. Default is user "unbound".
+@@ -435,7 +460,7 @@ server:
+ 	# is not changed.
+ 	# If you give a server: directory: dir before include: file statements
+ 	# then those includes can be relative to the working directory.
+-	# directory: "@UNBOUND_RUN_DIR@"
++	directory: "/etc/unbound"
+ 
+ 	# the log file, "" means log to stderr.
+ 	# Use of this option sets use-syslog to "no".
+@@ -450,7 +475,7 @@ server:
+ 	# log-identity: ""
+ 
+ 	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+-	# log-time-ascii: no
++	log-time-ascii: yes
+ 
+ 	# print one line with time, IP, name, type, class for every query.
+ 	# log-queries: no
+@@ -522,22 +547,22 @@ server:
+ 	# harden-large-queries: no
+ 
+ 	# Harden against out of zone rrsets, to avoid spoofing attempts.
+-	# harden-glue: yes
++	harden-glue: yes
+ 
+ 	# Harden against receiving dnssec-stripped data. If you turn it
+ 	# off, failing to validate dnskey data for a trustanchor will
+ 	# trigger insecure mode for that zone (like without a trustanchor).
+ 	# Default on, which insists on dnssec data for trust-anchored zones.
+-	# harden-dnssec-stripped: yes
++	harden-dnssec-stripped: yes
+ 
+ 	# Harden against queries that fall under dnssec-signed nxdomain names.
+-	# harden-below-nxdomain: yes
++	harden-below-nxdomain: yes
+ 
+ 	# Harden the referral path by performing additional queries for
+ 	# infrastructure data.  Validates the replies (if possible).
+ 	# Default off, because the lookups burden the server.  Experimental
+ 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+-	# harden-referral-path: no
++	harden-referral-path: yes
+ 
+ 	# Harden against algorithm downgrade when multiple algorithms are
+ 	# advertised in the DS record.  If no, allows the weakest algorithm
+@@ -551,7 +576,7 @@ server:
+ 	# Sent minimum amount of information to upstream servers to enhance
+ 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+ 	# to A when possible.
+-	# qname-minimisation: yes
++	qname-minimisation: yes
+ 
+ 	# QNAME minimisation in strict mode. Do not fall-back to sending full
+ 	# QNAME to potentially broken nameservers. A lot of domains will not be
+@@ -561,7 +586,7 @@ server:
+ 
+ 	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+ 	# and other denials, using information from previous NXDOMAINs answers.
+-	# aggressive-nsec: yes
++	aggressive-nsec: yes
+ 
+ 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
+ 	# This feature is an experimental implementation of draft dns-0x20.
+@@ -594,7 +619,7 @@ server:
+ 	# threshold, a warning is printed and a defensive action is taken,
+ 	# the cache is cleared to flush potential poison out of it.
+ 	# A suggested value is 10000000, the default is 0 (turned off).
+-	# unwanted-reply-threshold: 0
++	unwanted-reply-threshold: 10000000
+ 
+ 	# Do not query the following addresses. No DNS queries are sent there.
+ 	# List one address per entry. List classless netblocks with /size,
+@@ -606,20 +631,20 @@ server:
+ 	# do-not-query-localhost: yes
+ 
+ 	# if yes, perform prefetching of almost expired message cache entries.
+-	# prefetch: no
++	prefetch: yes
+ 
+ 	# if yes, perform key lookups adjacent to normal lookups.
+-	# prefetch-key: no
++	prefetch-key: yes
+ 
+ 	# deny queries of type ANY with an empty response.
+-	# deny-any: no
++	deny-any: yes
+ 
+ 	# if yes, Unbound rotates RRSet order in response.
+-	# rrset-roundrobin: yes
++	rrset-roundrobin: yes
+ 
+ 	# if yes, Unbound doesn't insert authority/additional sections
+ 	# into response messages when those sections are not required.
+-	# minimal-responses: yes
++	minimal-responses: yes
+ 
+ 	# true to disable DNSSEC lameness check in iterator.
+ 	# disable-dnssec-lame-check: no
+@@ -629,7 +654,9 @@ server:
+ 	# most modules have to be listed at the beginning of the line,
+ 	# except cachedb(just before iterator), and python (at the beginning,
+ 	# or, just before the iterator).
+-	# module-config: "validator iterator"
++	# For redis cachedb use:
++	#    "ipsecmod validator cachedb iterator"
++	module-config: "ipsecmod validator iterator"
+ 
+ 	# File with trusted keys, kept uptodate using RFC5011 probes,
+ 	# initial file like trust-anchor-file, then it stores metadata.
+@@ -643,10 +670,10 @@ server:
+ 	# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ 
+ 	# trust anchor signaling sends a RFC8145 key tag query after priming.
+-	# trust-anchor-signaling: yes
++	trust-anchor-signaling: yes
+ 
+ 	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
+-	# root-key-sentinel: yes
++	root-key-sentinel: yes
+ 
+ 	# File with trusted keys for validation. Specify more than one file
+ 	# with several entries, one file per entry.
+@@ -667,6 +694,9 @@ server:
+ 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
+ 	# you need external update procedures to track changes in keys.
+ 	# trusted-keys-file: ""
++	#
++	trusted-keys-file: /etc/unbound/keys.d/*.key
++	auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ 
+ 	# Ignore chain of trust. Domain is treated as insecure.
+ 	# domain-insecure: "example.com"
+@@ -694,14 +724,15 @@ server:
+ 	# unsecure data. Useful to shield the users of this validator from
+ 	# potential bogus data in the additional section. All unsigned data
+ 	# in the additional section is removed from secure messages.
+-	# val-clean-additional: yes
++	val-clean-additional: yes
+ 
+ 	# Turn permissive mode on to permit bogus messages. Thus, messages
+ 	# for which security checks failed will be returned to clients,
+ 	# instead of SERVFAIL. It still performs the security checks, which
+ 	# result in interesting log files and possibly the AD bit in
+ 	# replies if the message is found secure. The default is off.
+-	# val-permissive-mode: no
++	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
++	val-permissive-mode: no
+ 
+ 	# Ignore the CD flag in incoming queries and refuse them bogus data.
+ 	# Enable it if the only clients of Unbound are legacy servers (w2008)
+@@ -715,11 +746,11 @@ server:
+ 
+ 	# Serve expired responses from cache, with serve-expired-reply-ttl in
+ 	# the response, and then attempt to fetch the data afresh.
+-	# serve-expired: no
++	serve-expired: yes
+ 	#
+ 	# Limit serving of expired responses to configured seconds after
+ 	# expiration. 0 disables the limit.
+-	# serve-expired-ttl: 0
++	serve-expired-ttl: 14400
+ 	#
+ 	# Set the TTL of expired records to the serve-expired-ttl value after a
+ 	# failed attempt to retrieve the record from upstream. This makes sure
+@@ -746,7 +777,7 @@ server:
+ 
+ 	# Have the validator log failed validations for your diagnosis.
+ 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+-	# val-log-level: 0
++	val-log-level: 1
+ 
+ 	# It is possible to configure NSEC3 maximum iteration counts per
+ 	# keysize. Keep this table very short, as linear search is done.
+@@ -890,6 +921,8 @@ server:
  	# you need to do the reverse notation yourself.
  	# local-data-ptr: "192.0.2.3 www.example.com"
  
@@ -72,7 +338,7 @@ index 59090c6..3a86809 100644
  	# tag a localzone with a list of tag names (in "" with spaces between)
  	# local-zone-tag: "example.com" "tag2 tag3"
  
-@@ -916,8 +931,8 @@ server:
+@@ -900,8 +933,8 @@ server:
  	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
  	# Give the certificate to use and private key.
  	# default is "" (disabled).  requires restart to take effect.
@@ -82,18 +348,110 @@ index 59090c6..3a86809 100644
 +	# tls-service-pem: "/etc/unbound/unbound_server.pem"
  	# tls-port: 853
  	# https-port: 443
- 	# quic-port: 853
-@@ -1166,6 +1181,9 @@ remote-control:
- 	# unbound-control certificate file.
- 	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
-
-+# Stub and Forward zones
-+include: "@sysconfdir@/unbound/conf.d/*.conf"
+ 
+@@ -909,6 +942,8 @@ server:
+ 	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
+ 	# cipher setting for TLSv1.3
+ 	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
++	# Fedora/RHEL: use system-wide crypto policies
++	tls-ciphers: "PROFILE=SYSTEM"
+ 
+ 	# Pad responses to padded queries received over TLS
+ 	# pad-responses: yes
+@@ -1050,12 +1085,14 @@ server:
+ 	# cookie-secret-file: "/usr/local/etc/unbound_cookiesecrets.txt"
+ 
+ 	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
+-	# ede: no
++	# Fedora defaults to yes.
++	ede: yes
+ 
+ 	# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
+ 	# Answer as EDNS0 option to expired responses.
+ 	# Note that the ede option above needs to be enabled for this to work.
+-	# ede-serve-expired: no
++	# Fedora defaults to yes.
++	ede-serve-expired: yes
+ 
+ 	# Specific options for ipsecmod. Unbound needs to be configured with
+ 	# --enable-ipsecmod for these to take effect.
+@@ -1063,12 +1100,14 @@ server:
+ 	# Enable or disable ipsecmod (it still needs to be defined in
+ 	# module-config above). Can be used when ipsecmod needs to be
+ 	# enabled/disabled via remote-control(below).
+-	# ipsecmod-enabled: yes
+-	#
++	# Fedora: module will be enabled on-demand by libreswan
++	ipsecmod-enabled: no
 +
+ 	# Path to executable external hook. It must be defined when ipsecmod is
+ 	# listed in module-config (above).
+ 	# ipsecmod-hook: "./my_executable"
+-	#
++	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
++
+ 	# When enabled Unbound will reply with SERVFAIL if the return value of
+ 	# the ipsecmod-hook is not 0.
+ 	# ipsecmod-strict: no
+@@ -1101,7 +1140,7 @@ server:
+ # o and give a python-script to run.
+ python:
+ 	# Script file to load
+-	# python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
++	# python-script: "/etc/unbound/ubmodule-tst.py"
+ 
+ # Dynamic library config section. To enable:
+ # o use --with-dynlibmodule to configure before compiling.
+@@ -1112,13 +1151,14 @@ python:
+ #   the module-config then you need one dynlib-file per instance.
+ dynlib:
+ 	# Script file to load
+-	# dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
++	# dynlib-file: "/etc/unbound/dynlib.so"
+ 
+ # Remote control config section.
+ remote-control:
+ 	# Enable remote control with unbound-control(8) here.
+ 	# set up the keys and certificates with unbound-control-setup.
+-	# control-enable: no
++	# Note: required for unbound-munin package
++	control-enable: yes
+ 
+ 	# what interfaces are listened to for remote control.
+ 	# give 0.0.0.0 and ::0 to listen to all interfaces.
+@@ -1126,6 +1166,7 @@ remote-control:
+ 	# are not used for that, so key and cert files need not be present.
+ 	# control-interface: 127.0.0.1
+ 	# control-interface: ::1
++	control-interface: "/run/unbound/control"
+ 
+ 	# port number for remote control operations.
+ 	# control-port: 8953
+@@ -1135,16 +1176,19 @@ remote-control:
+ 	# control-use-cert: "yes"
+ 
+ 	# Unbound server key file.
+-	# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
++	server-key-file: "/etc/unbound/unbound_server.key"
+ 
+ 	# Unbound server certificate file.
+-	# server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
++	server-cert-file: "/etc/unbound/unbound_server.pem"
+ 
+ 	# unbound-control key file.
+-	# control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
++	control-key-file: "/etc/unbound/unbound_control.key"
+ 
+ 	# unbound-control certificate file.
+-	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
++	control-cert-file: "/etc/unbound/unbound_control.pem"
++
++# Stub and Forward zones
++include: /etc/unbound/conf.d/*.conf
+ 
  # Stub zones.
  # Create entries like below, to make all queries for 'example.com' and
- # 'example.org' go to the given list of nameservers. list zero or more
-@@ -1186,6 +1207,10 @@ remote-control:
+@@ -1166,6 +1210,10 @@ remote-control:
  #	name: "example.org"
  #	stub-host: ns.example.com.
  
@@ -104,7 +462,7 @@ index 59090c6..3a86809 100644
  # Forward zones
  # Create entries like below, to make all queries for 'example.com' and
  # 'example.org' go to the given list of servers. These servers have to handle
-@@ -1203,6 +1228,10 @@ remote-control:
+@@ -1183,6 +1231,10 @@ remote-control:
  # forward-zone:
  # 	name: "example.org"
  # 	forward-host: fwd.example.com
@@ -115,6 +473,75 @@ index 59090c6..3a86809 100644
  
  # Authority zones
  # The data for these zones is kept locally, from a file or downloaded.
+@@ -1193,27 +1245,28 @@ remote-control:
+ # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
+ # With allow-notify: you can give additional (apart from primaries and urls)
+ # sources of notifies.
+-# auth-zone:
+-#	name: "."
+-#	primary: 170.247.170.2        # b.root-servers.net
+-#	primary: 192.33.4.12          # c.root-servers.net
+-#	primary: 199.7.91.13          # d.root-servers.net
+-#	primary: 192.5.5.241          # f.root-servers.net
+-#	primary: 192.112.36.4         # g.root-servers.net
+-#	primary: 193.0.14.129         # k.root-servers.net
+-#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+-#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+-#	primary: 2801:1b8:10::b       # b.root-servers.net
+-#	primary: 2001:500:2::c        # c.root-servers.net
+-#	primary: 2001:500:2d::d       # d.root-servers.net
+-#	primary: 2001:500:2f::f       # f.root-servers.net
+-#	primary: 2001:500:12::d0d     # g.root-servers.net
+-#	primary: 2001:7fd::1          # k.root-servers.net
+-#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+-#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+-#	fallback-enabled: yes
+-#	for-downstream: no
+-#	for-upstream: yes
++ auth-zone:
++	name: "."
++	primary: 170.247.170.2        # b.root-servers.net
++	primary: 192.33.4.12          # c.root-servers.net
++	primary: 199.7.91.13          # d.root-servers.net
++	primary: 192.5.5.241          # f.root-servers.net
++	primary: 192.112.36.4         # g.root-servers.net
++	primary: 193.0.14.129         # k.root-servers.net
++	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
++	primary: 192.0.32.132         # xfr.lax.dns.icann.org
++	primary: 2801:1b8:10::b       # b.root-servers.net
++	primary: 2001:500:2::c        # c.root-servers.net
++	primary: 2001:500:2d::d       # d.root-servers.net
++	primary: 2001:500:2f::f       # f.root-servers.net
++	primary: 2001:500:12::d0d     # g.root-servers.net
++	primary: 2001:7fd::1          # k.root-servers.net
++	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
++	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
++	fallback-enabled: yes
++	for-downstream: no
++	for-upstream: yes
++
+ # auth-zone:
+ #	name: "example.org"
+ #	for-downstream: yes
+@@ -1239,6 +1292,9 @@ remote-control:
+ #	name: "anotherview"
+ #	local-zone: "example.com" refuse
+ 
++# Fedora: DNSCrypt support not enabled since it requires linking to
++#         another crypto library
++#
+ # DNSCrypt
+ # To enable, use --enable-dnscrypt to configure before compiling.
+ # Caveats:
+@@ -1314,7 +1370,7 @@ remote-control:
+ # 	dnstap-enable: no
+ # 	# if set to yes frame streams will be used in bidirectional mode
+ # 	dnstap-bidirectional: yes
+-# 	dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
++# 	dnstap-socket-path: "/etc/unbound/dnstap.sock"
+ # 	# if "" use the unix socket in dnstap-socket-path, otherwise,
+ # 	# set it to "IPaddress[@port]" of the destination.
+ # 	dnstap-ip: ""
 -- 
-2.47.0
+2.46.0
 

unbound-initrd.conf

@@ -1,5 +0,0 @@
-[Unit]
-Before=network-online.target
-
-[Install]
-WantedBy=network-online.target

unbound-local-root.conf

@@ -1,30 +0,0 @@
-# Authority zones
-# The data for these zones is kept locally, from a file or downloaded.
-# The data can be served to downstream clients, or used instead of the
-# upstream (which saves a lookup to the upstream).
-#
-# Download local root copy and answer TLD queries from it. Because
-# auth-zone has higher precedence, defined forward-zones to internal
-# only TLD will not work. Use stub-zone or disable this zone.
-# Good for a network-wide resolvers, worse for a localhost caching forwarder.
-auth-zone:
-	name: "."
-	primary: 170.247.170.2        # b.root-servers.net
-	primary: 192.33.4.12          # c.root-servers.net
-	primary: 199.7.91.13          # d.root-servers.net
-	primary: 192.5.5.241          # f.root-servers.net
-	primary: 192.112.36.4         # g.root-servers.net
-	primary: 193.0.14.129         # k.root-servers.net
-	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
-	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-	primary: 2801:1b8:10::b       # b.root-servers.net
-	primary: 2001:500:2::c        # c.root-servers.net
-	primary: 2001:500:2d::d       # d.root-servers.net
-	primary: 2001:500:2f::f       # f.root-servers.net
-	primary: 2001:500:12::d0d     # g.root-servers.net
-	primary: 2001:7fd::1          # k.root-servers.net
-	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
-	fallback-enabled: yes
-	for-downstream: no
-	for-upstream: yes

unbound.service

@@ -1,9 +1,6 @@
 [Unit]
 Description=Unbound recursive Domain Name Server
-After=network.target
-# Use ip-freebind: yes or add After=network-online.target, rhbz#2338429,
-# if interface: specifies exact address, not localhost nor wildcard
-#After=network-online.target
+After=network-online.target
 After=unbound-keygen.service
 Wants=unbound-keygen.service
 After=unbound-anchor.service
@@ -12,7 +9,7 @@ Before=nss-lookup.target
 Wants=nss-lookup.target
 
 [Service]
-Type=notify
+Type=simple
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS

unbound.spec

@@ -2,17 +2,9 @@
 %{?!with_python3:     %global with_python3     1}
 %{?!with_munin:       %global with_munin       1}
 %bcond_without dnstap
-%bcond_without systemd
+%bcond_with    systemd
 %bcond_without doh
-%if 0%{?fedora} >= 43 && !0%{?rhel}
-# Do not build with QUIC support in RHEL, until we have also client support.
-%bcond_without ngtcp2
-%endif
-%if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis
-%else
-%bcond_without redis
-%endif
 
 %global forgeurl0 https://github.com/NLnetLabs/unbound
 %global downloads https://nlnetlabs.nl/downloads
@@ -40,7 +32,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.24.2
+Version: 1.21.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -49,7 +41,7 @@ Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
 Source3: unbound.munin
 Source4: unbound_munin_
-Source5: mkroot.sh
+Source5: root.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Source9: example.com.key
@@ -62,40 +54,19 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-# https://nlnetlabs.nl/signing-keys/
-Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc
+# source: https://nlnetlabs.nl/people/
+Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source20: unbound.sysusers
-Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
-Source23: unbound-as112-networks.conf
-Source24: unbound-local-root.conf
-Source25: openssl-sha1.conf
-Source26: remote-control-include.conf
-Source27: fedora-defaults.conf
-Source28: module-setup.sh
-Source29: unbound-initrd.conf
-Source30: tmpfiles-unbound-libs.conf
 
 # Downstream configuration changes
 Patch1:   unbound-fedora-config.patch
-# https://github.com/NLnetLabs/unbound/pull/1331
-Patch2:   unbound-1.24-swig-function.patch
-# https://github.com/NLnetLabs/unbound/pull/1381
-Patch3:   unbound-1.24-quic-on-demand-only.patch
 
 BuildRequires: gcc, make
-BuildRequires: openssl-devel
+BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
 BuildRequires: pkgconfig
-
-# Required for configure regeneration
-BuildRequires: automake autoconf libtool
-BuildRequires: autoconf-archive
-# Regenerate config parser too
-BuildRequires: bison flex byacc
-BuildRequires: dns-root-data
-
-%if 0%{?fedora} || 0%{?rhel} >= 9
+%if 0%{?fedora}
 BuildRequires: gnupg2
 %endif
 %if 0%{with_python2}
@@ -121,9 +92,9 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
 %endif
-%if %{with ngtcp2}
-BuildRequires: ngtcp2-crypto-ossl-devel
-%endif
+# Required for SVN versions
+# BuildRequires: bison
+# BuildRequires: automake autoconf libtool
 
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -165,7 +136,7 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
 Recommends: %{name}-anchor
-Requires: dns-root-data
+%{?sysusers_requires_compat}
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@@ -215,20 +186,10 @@ Conflicts: python2-unbound < 1.9.3
 Python 3 modules and extensions for unbound
 %endif
 
-%package dracut
-Summary: Unbound dracut module
-Requires: dracut%{?_isa}
-Requires: %{name}%{?_isa} = %{version}-%{release}
-
-%description dracut
-Unbound dracut module allowing use of Unbound for name resolution
-in initramfs.
 
 %prep
-%if 0%{?fedora} || 0%{?rhel} >= 9
-# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key
-%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \
-%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
+%if 0%{?fedora}
+%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
 
@@ -242,6 +203,9 @@ in initramfs.
 
 # patches go here
 %autopatch -p1
+# only for snapshots
+# autoreconf -iv
+
 
 %if 0%{?rhel} > 8
   # SHA-1 breaks some tests. Disable just some tests because of that.
@@ -257,13 +221,15 @@ in initramfs.
 %endif
 
 %build
+# This is needed to rebuild the configure script to support Python 3.x
+# autoreconf -iv
+
 # ./configure script common arguments
 %global configure_args --with-libevent --with-pthreads --with-ssl \\\
             --disable-rpath --disable-static \\\
             --enable-relro-now --enable-pie \\\
             --enable-subnet --enable-ipsecmod \\\
             --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
-            --with-share-dir=%{_datadir}/%{name} \\\
             --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
             --enable-sha2 --disable-gost --enable-ecdsa \\\
             --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
@@ -272,14 +238,6 @@ in initramfs.
             --with-dynlibmodule \\\
 #
 
-# always regenerate configure
-rm -f config.h.in aclocal.m4 configure ltmain.sh
-rm -f {ax_pthread,ax_swig_python}.m4
-cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 .
-# ensure bison is used to generate fresh parser
-rm -f util/configparser.{c,h} util/configlexer.c
-
-autoreconf -fiv
 
 %configure  \
 %if 0%{?python_primary:1}
@@ -294,12 +252,12 @@ autoreconf -fiv
 %if %{with doh}
             --with-libnghttp2 \
 %endif
+%if 0%{?rhel}
+            --disable-sha1 \
+%endif
 %if %{with redis}
             --with-libhiredis \
             --enable-cachedb \
-%endif
-%if %{with ngtcp2}
-            --with-libngtcp2 \
 %endif
             %{configure_args}
 
@@ -315,9 +273,6 @@ pushd %{dir_secondary}
 %endif
 %if %{with systemd}
             --enable-systemd \
-%endif
-%if %{with ngtcp2}
-            --with-libngtcp2 \
 %endif
             %{configure_args}
 
@@ -338,7 +293,7 @@ popd
 
 %make_install unbound-event-install
 install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
-install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
+install -p -m 0755 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
 
 install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
 install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
@@ -360,20 +315,22 @@ done
 %endif
 
 # install streamtcp man page
-install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
 
 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
-install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
+install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
 
 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
-sh %{SOURCE5} root.key
-install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/
-ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key"
-ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key"
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
+install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
+# make initial key static
+pushd %{buildroot}%{_sharedstatedir}/unbound
+  KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
+  ln -s "$KEYPATH" root.key
+popd
 
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
@@ -392,27 +349,16 @@ mkdir -p %{buildroot}%{_rundir}/unbound
 # Install directories for easier config file drop in
 
 mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
-install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
-install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
-install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
-install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf
-install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf
-
-mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
-install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
-install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
-install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
-install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/
+install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
+install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
 
-# install dracut module
-mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
-
-install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
-install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 
+%pre libs
+%sysusers_create_compat %{SOURCE20}
 
 %post
 %systemd_post unbound.service
@@ -440,19 +386,18 @@ fi
 %postun anchor
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 
-%triggerun -- unbound < 1.23.1-4
-if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then
-   # change permissions of existing key just once, where it were generated with wrong perms
-   %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || :
-fi
-
-
 %check
-export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
+#pushd pythonmod
+#make test
+#popd
+
 make check
 
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
+#pushd pythonmod
+#make test
+#popd
 make check
 popd
 %endif
@@ -462,10 +407,9 @@ popd
 %doc doc/CREDITS doc/FEATURES
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-keygen.service
-%attr(0775,unbound,root) %dir %{_rundir}/%{name}
+%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
@@ -475,12 +419,11 @@ popd
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
-%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
+%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
 %{_sbindir}/unbound
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control
 %{_sbindir}/unbound-control-setup
-%{_datadir}/%{name}/
 %{_mandir}/man5/*
 %exclude %{_mandir}/man8/unbound-anchor*
 %{_mandir}/man8/*
@@ -522,11 +465,10 @@ popd
 %{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key
+%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
-%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
 
 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
@@ -543,8 +485,5 @@ popd
 %{_sbindir}/unbound-streamtcp
 %{_mandir}/man1/unbound-*
 
-%files dracut
-%{_prefix}/lib/dracut/modules.d/99unbound
-
 %changelog
 %autochangelog

unbound.sysconfig

@@ -5,6 +5,3 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
 
 # for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""
-
-# Uncoment to validate SHA1 in any crypto policy
-# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf

wouter.nlnetlabs.nl.key

@@ -0,0 +1,123 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
+SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
+1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
+TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
+l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
+qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
+Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
+x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
+WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
+/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
+hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
+zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
+ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
+HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
+XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
+8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
+Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
+UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
+MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
+/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
+Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
+SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
+oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
+Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
+AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
+bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
+4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
+ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
+L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
+DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
+e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
+T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
+/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
+bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
+OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
+ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
+AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
+bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
+2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
+Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
+Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
+4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
+zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
+5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
+46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
+GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
+JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
+lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
+iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
+AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
+bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
+4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
+bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
+GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
+vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
++Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
+/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
+aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
+7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
+sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
+vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
+r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
+lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
+q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
+Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
+jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
+Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
+7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
+Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
+i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
+ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
+H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
+AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
+V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
+gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
+DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
+PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
+ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
+xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
+UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
+2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
+oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
+2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
+Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
+bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
+RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
+XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
+rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
+eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
+Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
+g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
+kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
+YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
+c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
+k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
+AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
+HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
+VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
+Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
+0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
+yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
+v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
+ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
+G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
+RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
+1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
+7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
+CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
+LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
+bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
+EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
+8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
+ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
+ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
+s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
+HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
+9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
+p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
+5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
+=Oqje
+-----END PGP PUBLIC KEY BLOCK-----