Fix ownership and mode record of rundir

Previous change introduced mode change and group change of rundir
but it was not changed in files section, so fix that.

.gitignore

@@ -89,15 +89,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.19.3.tar.gz.asc
 /unbound-1.20.0.tar.gz
 /unbound-1.20.0.tar.gz.asc
-/unbound-1.21.0.tar.gz
-/unbound-1.21.0.tar.gz.asc
 /unbound-1.21.1.tar.gz
 /unbound-1.21.1.tar.gz.asc
-/unbound-1.22.0.tar.gz
-/unbound-1.22.0.tar.gz.asc
-/unbound-1.23.0.tar.gz
-/unbound-1.23.0.tar.gz.asc
-/unbound-1.23.1.tar.gz
-/unbound-1.23.1.tar.gz.asc
-/unbound-1.*.tar.gz
-/unbound-1.*.tar.gz.asc

Yorgos.asc

@@ -13,31 +13,31 @@ S9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS
 g3LssVS2bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQAB
 tCtZb3Jnb3MgVGhlc3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+iQJX
 BBMBCABBAhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAAhkBFiEElI60IyLF0At5
-NA9dz/M0TZCHpJAFAmjWhkcFCRLfm+EACgkQz/M0TZCHpJANXhAAvTpKNl5+kU1d
-lcFrXx4pgi/knhe0y1Z+ENQWVDYTs9v+lMoyCRQuAt1Cir1LAGWfRBdTQh60I6Dc
-BDj+15pFJCv/dyZiQLPUgxLtIxkwIUSjELp8JevNHhGMNz7QWdG4SEpG2aF/D2Zz
-kvaoomPGjRyo/bkgR2la6eqrCOxYVP+FT7682yf0bCvSTs1kTrnwFY93s7O2RciI
-MS0XWcHPtoi96JxhzUIT+v0gSFuitZhRGPh9pyIcHmRER1yKugvMp6xF5UjNIcfL
-ScrNlGXgjc6EJiGXS5CHliIlxlAxs4J1T9JiGQZOAW/CPxe4IND34DhqwvQcJdtL
-8jt1b2xUcuFfYNa3SY671OnLt3EhwMsYDaSIXrPqW8R6XuaSxhb4sL/okHkb833b
-CgaWvjQZgRm1h0R2IY5C3kHotsLUd2fygrtVVvaLxGEoi9UBsKoLu2kHEJnV5HJO
-jfJMBBGgGFscfk3p1v4SAA30xPR7i6O2KDmFsVzL6xKbnFMMmayEVfWzGXmxB7lv
-ob6HrJIvVH6mx64OsAY0LQI6abQI3TTZn13+RNxuATQS+j0tqbZvVJtWFw41eqsU
-OqeNF9W323uvhJcjDyYquAREIivFXkzxa9y3rgQfB9OX9usD79aij4y/YLqZxafl
-InYUlMGygNOGXruFRZ7DD6zciK2Zu7W0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8
+NA9dz/M0TZCHpJAFAmbz0CwFCRD85cYACgkQz/M0TZCHpJBVnhAAkcd79Twxj/tt
+C4q2Xpq75+Ew6YR9gLqYiV5vEd6fu0oyhuVoUlfTkjH4ALIoGIKaO9yAVUXsrGrs
+n1aJPo1Mw3q6mIwtQOxXz/W44LuFzcvZkHtCYX4YyLrUHXZPvl+r4eYkTOcyyQMU
+BmbuvWhufv8MBilvWltQLxfLlgihbfuIrxqjAYDhqCffpgUiZyCut2rrenIgeh1f
+DvC+GjZ3cfb1UsIpzm19yr4NCiTHkLkCOAAcAUFwWWeO/jfUsSvFQEHUnYNRREzI
+Lth9NlKwPtsOVi+wcNnWQtFQb11BMr407xBib7hLSIFiqvOiYgQABjZdWN+snCRP
+ZZSruigjE9ateOloJwmBqrSJLAywxvDE0ivqfSj51W5eJc/JLSXvjrOuW28dJCr8
+RV9PjC9X7zuTiFLzV8SVH71Z43Rix8n7AOp3wgRe3SygEyQXPj4qbm5HHVsx9GEA
+zn495L99dJ4wZgjkbEsGhzwUx7N9FHEGS/sz3LiEq+ZYckR6gzTMMrQJgbsS9lnK
+9xlXsp37uIYvx9W9JZXtS+AZhw0q3osMYBF68HPX8B9GBYlkQWmWSIMfzRYcD2n1
+5+XsfERK4mxcTWl2sCYpt8Sy3tADj9nQDabAlGUd/hlFS1dvDVQjGh6ER5S0nZjY
+nmRsLl8nOTKhb2xY+2p1sDjxxQYJJQe0K0dlb3JnZSBUaGVzc2Fsb25pa2VmcyA8
 Z2VvcmdlQG5sbmV0bGFicy5ubD6JAlQEEwEIAD4CGyMFCwkIBwIGFQgJCgsCBBYC
-AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCaNaGWAUJEt+b4QAKCRDP
-8zRNkIekkKovEACQkeEImQeer9jsY066WyIpvrhcy6xtWjeW8v1ZasRoi+DOFWeA
-18O5iD34UaIPPGFRu6PRdSMLdUqtelFgONVDnXEuqOGAptMcCI4wp4+NIFd00v0J
-9A9ur7xWt0Q0O1fMjFOMPa5oQK9dg1MCI0/RWRObOPf3cIr2NhgWwBuKTCluKyFc
-mnRQXwyxBGCBRvK5zKmA8BBlnHuPfunTAcduNSExUx3e0w5BD5lcG4YeyuR+IRcY
-HJPGU20f634dDSJGKJvGxjpaCxGQNca6s8Mpkq3lm/D3Ia4Vpw/HdiSawv/U71S/
-4F6lctMjvoS73Ao9DZ4iDPqkHJ73HidNp7n25SLnXKruZsnXitjYT8ueP7byeLPi
-7IvqoENXoXNqNfDuXfqri/WnHPYWbKIdj5WWFeaR3Ws+szw3Wql7mJ1cNFWbNCE7
-rGFPhSNyG3n6mlEBUKUYn8FuOF9PHwwWl86GHLI6O4xOIohESyrZrq2mJS61sSq6
-AAQ7cqx6UMNJdBcgB5Ry7qRUF6ZmowZZu3aWFF4dW+LwMvuaFjKzShsKzj8GCE0B
-pQDjy+IeWM2mBVneuCicWwvbSzVWx+Ow42QRvmH8Ja9PqoIYeJQUiMr1+aAG6kUK
-3VW4iugsu3/oFIlFrkYZy9YEfCOEMgqRKL/cuBJTZt0OPFRE/9O/M/FVmIkBHAQS
+AwECHgECF4AWIQSUjrQjIsXQC3k0D13P8zRNkIekkAUCZvPQPQUJEPzlxgAKCRDP
+8zRNkIekkFfCEACheY1yr2Z+LPjm/Nd2eA4CFFO7nUQHI+a6lYBd57txrRuIicuG
+pGjOhnvcioRwICiKNLJD3YTU+WOd+sbO7BXH2sw2KdU9NK1ojKX/SQiTg6upfJsu
+gbgar2oPvR88B7oSiuonZnhEf72HfWKDSBXHpi6KC6S3JZ+o50NB3GBpwUL1lfKW
+ovymYbN6tYQfqw/+AP5jUUNpkclC0RbcW69rpvrHHqeQV1AVKkm/jNQpWLKYTGF7
+bbdLkgMh3rHp8gmF0/GuK+oyL7xD+TEXfr3iqlDIVuxbxDN8xTti1RrERU/MWQar
+qOSFZcr4t+nlwThJidDLF/u3h0Ymrjz92VTfCgELIwCKxGX7jAyLZHzuWAp+0Pr/
+yuHodbweGNcGVoXmIpK93/WZcfFlBcyQLECVcijmxd7Euk0xDk76RQpuuL5VOWqn
+aZcf2uNfppwKFZJjcXwK+EQbwN7+RFNvLrwoRn/1xM57T5AYBAgSvKb6h0G5KwW6
+tJfJdSu1MHfCZS1hH1Gr4+UG+VbLCVmQ9N/lUs0bcD7pK+bA1W0YnsIVuaQ+YZUh
+KrJoCUF0kVDtW9ETZkp0iVBm1Q9xgTGaxUTVmctOyAbdCLyHNra4fo1BAdGlu+IP
+qAcktaBUKFxWxRxf9O5kGihce9anK8CJ/TCnQ7wSvyYrlAoBoQaS78VzYYkBHAQS
 AQIABgUCV9kUOAAKCRAwkY2CdXJCIju1B/oCvf1kWYndNeLS6U2O6DtFAL2Ia5tY
 Zukcyqb1hkYcrBiMZbQN94gX5a+6Q4pdd2n241r1ZuSWdwUhRUbF4mvbZMVsavnk
 cvrRGviVIUXf71W0O/IsmQ9oN0Finhpf14Y4z/xqF8DpvJdkWc6X5g+RJuko6q2w
@@ -58,18 +58,18 @@ BmQpPk0ubYclwb07FcegaHSxxIqUo/kbyt1YV5mU+QVymZ+xyvIBrnW8hBuNWRvU
 TJaDBSgvxUtY0Ci+OWX38kffGGvhW3CM8V6skdVc8cp7Db7gxase4BxxtC5HZW9y
 Z2UgVGhlc3NhbG9uaWtlZnMgPGdlb3JnZUBvcGVubmV0bGFicy5jb20+iQJUBBMB
 CAA+AhsjBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEElI60IyLF0At5NA9dz/M0
-TZCHpJAFAmjWhlgFCRLfm+EACgkQz/M0TZCHpJCWag/+MJOLW1tBNPA9sBcjl9V4
-Cjc2TIR/r8RRGv5lstVXlXc5T4SR48UvQTxaUU+KJia5POsaAsw9yk7Zz4r7ul0D
-Vd9tzHCcwxl46e0Kwn2VGBMHThsWC7QDuK7b+4AlxeO4EDWRPPw4BCB7aTxJzA3N
-O4qpEF4TVeb97uyNQr2YaTGUzSI58vCgXgeOpH9ivomQi1nCxZbdrFh2yKJ+H4EH
-gI8+D9iSnJMI16RS1dE7Pa85IG+qPd3owAbOlc+tBsSvdbFdRufQZeiNGKfQno1E
-oygZt8svcuKpGAG1flzpPu5LE9oMsIDia9hcn4YFqr80F5bW1rUvFeC0rYp9/0ui
-6lo34PAhEieB8XzjbpDDEnlkziRoz2YNVJmZOWrCAMI1bUFI5/+YWuJTXCGF62dE
-dO7aBWoUkchkGGSGKbPW9KYdmqMdfOeuqZRBhKs8bgHIArJ+kvglhCJr/qNX5T8p
-oCHE5bnEwFxnH2Q6a2ffpMpOExGvPaoAWlym/ID/MMet0riZ2izFUdmjEkA0HUaa
-7h5x1dKMhHzYDXOW8Ksx9vE24gLrjfqfvIiYpErn+SVs0KUqkR0BRWLRYjyq/Bj/
-btTQXcDeYpQj4tL2cX3Eosqaoy5NDGCK4yqWOxENOJ/YcO5dTPJDNsHlc2JSdejz
-a4g8AHFlkpPn0tlflbuE7q6JARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/
+TZCHpJAFAmbz0D0FCRD85cYACgkQz/M0TZCHpJBnFw/8CRLGJnNAP43mBniIP5R1
+/10i4xG5s1Ka/y5C3aRgZUNaGMPLF8VmrC26HTPNhmduhn3j9gnBuSHgRAJUWs2K
+o1q0A2/O5fFJvqPyEUl30gG8qkzFl5UGRUr7VNtBa6VpI7g78d3P4/H8THB0tYZ3
+GZv980QXwTE11aXjvPQu4e8sMOR1OVEEH+6hW1T0SvEKAMV1BHwuZAmC6HTfx5e7
+iGNWu/dwJsmwzqcAkuTTSqlmzZdIjZWJDL8pfnschkVilC3pEpEk5ExSkt/onOD2
+WCAKJUiPR6gRI2H6fE0PF8iG9isisvNhQ3MrWUIKS+1WOotoG7Bu7ob46viJKQuN
+9t7KBqjdftjJHjmVop3mfX0UUEDPjkZXK5R/aUspXi4IGdM+9JijqxveicQegOhM
+LcE8039Z0AaXn9IA0kQB05A4a+CEnoPL7qe+fIBJM5hZDrpMe4fAAGxiQzbRpdkZ
+CrXmT+CRkhc/BvUJ5yoE1q++9Fw9eyMbPOak6GLckCIPy+Mqi4z+ZXNCtcPs3Qbc
+/7AY8qyswRsD2t5bbe4g+fLEt9IsN3UvKFUKnQ88jcn9Zmps69msMDm9jEj/qo+j
+QCriLLu8E1ZwhedNVOQN89w4Zww/BUyEnL4hng8Tw+RTV8Jtq5EvAleW5sZsnTzA
+zn1ysZUyO/Pu7Br2jnGRAQyJARwEEgECAAYFAlfZFDwACgkQMJGNgnVyQiIHjAf/
 VrPMgIRjRTYi4cxOr5ewaim1hgJZO1oCJoMopwIvpZ2kAUqL/uPMT3wREe5bi79H
 jXYcaX+RbrV4ZdzaajDUFCj867KGErxqtRkANJ1eNLcQmVwGNoFeTQbgEOBfKq1t
 hRfMqHF3fxCPJp4z4U3kBPUpIQPERjgUdkH8fxZ34Omo1SLO1b0dVqsneezccBVv
@@ -89,18 +89,18 @@ Ix1q//q2VmxqjjT3Iv30hBRX02x2M8gsP/e49XWEll7stkMtbYhBU0sHQ2CqzLGh
 gJN3ecpi2sKWVqN8HUZOwJFj6f9ZX76YSM23wIugHfscMAVJUXvBrbd151WIshOf
 FFPo62sYGt+SEMXWeRcHjbQuWW9yZ29zIFRoZXNzYWxvbmlrZWZzIDx5b3Jnb3NA
 b3Blbm5ldGxhYnMuY29tPokCVAQTAQgAPgIbIwULCQgHAgYVCAkKCwIEFgIDAQIe
-AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJo1oZYBQkS35vhAAoJEM/zNE2Q
-h6SQjBkP/0IvctNT9T+DtGZyMiw/Jna9G3QhtW7exhlxzqqX3tFmZpaJj3VswyqA
-5hx5BdJEShC8qNEqrBCHxcCZgsLvR3GKc/0LTgP7+7VH/ugAScrlVeI8rB6V1jn5
-cnfY5fsfOQ8i0b/8C+CiEe0TW90VRHjYV6DWMdUfqQb3E/snl23RMFeTL0Qrrk8H
-Lo3MTko7TeKRYOV/g/qQkb9CFQZNyzgIjD7uZi8or8qFJ/uZTnlBq5/NRDB5Z3ew
-7WXc3QrRUXmbbDzdnIeCtu5vmuk+hc69gbOst9nWf3y2qlK7BjZqT+PqKZa/fa/i
-5pZpv1hB8DrA2WTIpN7iXhCvABXSEoUOJaLkRSJVDqzvuaeqOEPrk1aJSMWoio/w
-8RRa1L7k6m81Dc0dqYbBOSI4MCNm8ZawQI2L4qRs5QORg4nRnAevFgkzhJKFYF2N
-jzX/2xlAuOym126DODC9qJSJZR7uTOJXh0yqknfkPgDXjchpzq+Q+CM+jYo6AGas
-/XPAuRQCQaLSYr9UPL7Fn62//ysZQAyAkJQR1u7UwAd6/UTTMVZpUJsLQyMyikF7
-UT4K7MWrvkZxMRPhGan0P2pRe36M9BBjYRTp0TIr+UjUT8iBfjdrttI9DQlkcEeQ
-rKhcE31KqjwJMdiuzbpqqXaEss9AFuJng3Owewt4wAft3eu1U7PWuQINBFfYHeYB
+AQIXgBYhBJSOtCMixdALeTQPXc/zNE2Qh6SQBQJm89A9BQkQ/OXGAAoJEM/zNE2Q
+h6SQOf4QAIp5fEn+vVOqDuLrv8Li61UDVPE3v5b9ocPR7OMENeFpRH7K2p8xFkAM
+f6JeS2ehbIjyUS8iGc+mZOalvZynJdOiHtys5r4lZanm1Rl+mWXb+nHGE/Oi4gQ3
+aEF/AwolbKi9oNXAiCtA3hmaI6FYWtAh5XOnyMG140dhlXMWzvN1ZAWXWioS33Fp
+n9Z7xOsyG2Bmky69JjUQPD119noD4pEFtCipciiACVNdHGfI8QDT/8pMAxv/Q7tW
++7gyFztT1XvKONWyCfHjf1x60JQNPPM31x3xUVRz/sK+GyLq6VLiydvSZeUX3CzM
+4bHixKKkSyvsX+bc9K/iLrXwZFhRdrRbpVQFpsdxv48mN5WsDlpN17KgMCyNiMDV
+0VagYjZC5AurOo2mmS7PKAYGILaq3YwQ3nXYiuWfdXVW6EXtw/vdFOjFU6ppbaA3
+1+xyMDOLSGLr7f+gdZvlEc+5MX1F3mHpmuKN7clUju/HEOdVq1Bbla7BplPgqCaH
+ZYCg/VHNt7ue7MYeEgTJ8OGgUDRNPa3PdU3YHRCuwJH1UzinD39K8R9/g9qiGJbC
+87//1FGZp9lhIE5tja6F5pJ5GwJK9zC0iGj2NrwBvTKhuyF6W3ZQc2voYQn+gIq4
+sfbned7qpvpjLcMgIv/y82iVm2EtKtKYl982aA9S53pHqjV27kieuQINBFfYHeYB
 EAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+RO43dotGH9eFnVwE4/ftcK1SN42ih
 lF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8saPqJP6zTUmPqp/GSzS6Y
 rhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ckeXyl77/lHVhW
@@ -112,17 +112,17 @@ GFxr4xBiyMX1JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf
 hmQBxPvXxI2ERmKRomo6lrMaDMzIjD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+
 LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e7wNYE4a/fb8xYM4j7p6qYtnNZPb8
 sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibrYwARAQABiQI8BBgBCAAm
-AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmjWhoAFCRLfnBoACgkQz/M0TZCH
-pJA4sA/7BZrP4nwWF1eQVliMWJ1KKG+sHizK4c+ZiB67aFJw4pLDCL5o6unOWH8V
-ocr1pWC/BMmLG4K77O2qadhUH7mzXm/ddZ/DVF3xHTvTmG1W1bLd6zj3k6qOFYq8
-yPS2QNTa3+3oNbtZQ+RpvhCAmv2Dc1GMPNP2hKR/Ju9r9NwGWBEDQBtiMZ7872QJ
-yR3IFyfQGRvj+GBbEBvJwCFmaRb3eDorhaNhM0b0c/RbIueEWD40nkCUtmM4Zrc1
-0HLod8Li8C4j8sIqIdfTKo1RiJUUg86q1K3pGA86hoOzeaihZekcm6wMwGlhXymb
-Ng41yB/ZTedl9wk+XEEcD6HZMCXyfh55hBdWG06aEhMIALjOCj2VkRnDLmOKLgDZ
-kg7OOQxDfKACCCvk72HZG3qKtaN9oNH1oeaVwc3ytWR8y2hQJcCxmoQsLn+Xvkgc
-aYRNklPW2z8817J3fmvvwS0o6sOWRHLb0XAc+NZg4lEQOgwVFrE0XIAgkXHLQbuQ
-GRpRzRncHX95RXMzGb1+8kpWEcM7gazgUA3omoAumwNEqmeBX1TmEtDop1k5RFCS
-UWbv+A2s2GSAb05MHY0InIhMxzJXEa5+dJDPSvZnbiGRGhQitEe4eIlmPcNA1lB+
-ADFE2UTzcpRTo5cOKfrXyZXr6JCEl2+tB3o5m0v7FRdr6+zIS5g=
-=Ubkv
+AhsMFiEElI60IyLF0At5NA9dz/M0TZCHpJAFAmbz0dUFCRD8528ACgkQz/M0TZCH
+pJA7hg/7Bh0jb7nrp2EuU4BWK55VG+3zbrye/NdDy6eo3sVVOOO1r+jBMoJK3m1A
+GWUx40ogZjRn8GMtJfxkL6wsep2P775smm7x1TH6s2dgreTj9J66gitKEgxF0tjo
+JztmGJ8YKSGE4wKi37KvvSqCm1ecA8akBzJVo0B8/GtXpg+y/q3/KSY1ujW7Ihu3
+60JXT1FRXOiYfrzUKIBm8/UVnv7guPudaJf0eU4btoy4Ywzn1UXyi8BdxPIQrQDR
+tt69ffcjX8BIEloK7FURLre/LhbVxlssdWYIEFQhIlb+nghZlUbWHf0Ue3L0SFFS
+xV5otzQL2WjJKtCnTpSopSUmwYyT7wyAL1RokOemXL47WOfiLjiGuS+K/4lT7VHS
+fdLsYinS0LYr5dmhc05s//kLyQ0OSKNh3SNAN+lM/klLE/pFwM4mo56C+seNEvCm
+sT53VPOOwp6JwsLKSqm8pu1fbVjT6laMc9BPi6KUjN/f7ZahCXNXOrA2uLnTlxw/
+ns1sOXSWZDWciZeL3kJeUQER5YZ59hzLYWAiJ+5KblWRlBMXb71FUp0Mh9V3dA5O
+BX3IlcF54qE50chGzLnfQf1YLuh13xxxc2WsdMZjiCj8CVDMkD6ekShfQK8nyQsK
+SJgdXcnw1CxcAVvsROtecUiD+DWrJcYExjSZ+zcI4+aRhp7uNt8=
+=iknu
 -----END PGP PUBLIC KEY BLOCK-----

fedora-defaults.conf

@@ -98,9 +98,6 @@ server:
 	# Harden against unseemly large queries.
 	harden-large-queries: yes
 
-	# Harden against unverified (outside-zone, including sibling zone) glue rrsets
-	harden-unverified-glue: yes
-
 	# Default off, because the lookups burden the server.  Experimental
 	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 	harden-referral-path: yes

mkroot.sh

@@ -1,17 +0,0 @@
-#!/bin/sh
-
-SOURCE="/usr/share/dns-root-data/root.key"
-DEST="${1:-root.key}"
-
-mk_key() {
-echo "# Generated from $SOURCE"
-echo "# Use /var/lib/unbound/root.key instead."
-echo "trusted-keys {"
-while read DOMAIN CLS TYPE FLAGS PROTO ALG KEYDATA COMMENT KEYTAG; do
-echo "$DOMAIN $CLS $TYPE $FLAGS $PROTO $ALG \"$KEYDATA\" # $KEYTAG"
-done < "$SOURCE"
-echo "};"
-}
-
-mk_key > "$DEST"
-touch -r "$SOURCE" "$DEST"

nlnetlabs2026-g2.asc

@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBGc7H5IBDADOZfJwZ6zZ/4JbbR2hef4261/zh7YpdjUREUs0dMQSbf+x7sAE
-50JgvLQWlvA8sDHzbUMQ9cAYZBGGE6iHb50KboeEfuiP5BdiLe8XWKlo1EIh+Idz
-0+e1binxwvXV1/9ACm/UHPRuWjkG7vrP+mVRuhfKglO6xSDxV1cwjYTRtvRtQx8D
-+kTdZzprvtzkU7OIWeczKFJRhVHzNDHYFG9SuxvDA9cbVm1KPVJEkRBwoSBPeB0z
-Z3LSib2uT6Lc/ghAijOwIpR+zNYKOYxRhzoFArrLa0Fs4nq6//LA42/aVjSienEJ
-SR5CVUbZy14WuUsYCkV+ZoORVRYZOcjtPG7FUKDXKzY9/iNhEAZ3OMK7Np2Xq/YO
-gaOiUDFXLHU1n2UVH1rwkMiS2o4EMqvO7gINmnL/ccpI2wj2QrQ+JZ9y1Xky7dQM
-LIIbtp40e0kGocgyba484rW17xlvXRxb1Pjn93JygD6WcraLLNh9jq87hW/J37qi
-S4DL+GUe10H8SeEAEQEAAbQ6TkxuZXQgTGFicyByZWxlYXNlcyBzaWduaW5nIGtl
-eSBHMiA8cmVsZWFzZXNAbmxuZXRsYWJzLm5sPokBzgQTAQoAOBYhBCMQGGkMTZA+
-9BkUaqFEMj3qrN9FBQJnOx+SAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJ
-EKFEMj3qrN9FZigL/0aVsJ48oe7vko1Mwg9DucFoCL8CESAarA40in1Bauq7p/pT
-l5UcNnFPLO8HBAHWGWtDI63pEhNzHacPzSI94GKS4TUMGzCV1H/c0KnxB7wAO55b
-HEQOZJ+kFRBFXWxbXORtp86NZuyCvVoSA4QAcnCf4m5ZEBb72H2cmy8xP+/HLkbS
-rpr5pyoUWtCYM8FxnjM3bClXSGOlWNl9cSXLqyyVjxvc7cOAS8ytL/zoVStoBmi/
-OwQbeJfAiqDMnipBJNzOHlfniKXE0FGDozKCHWP88ifs8A8OUNtJng7cNq7EQf9K
-vTvbJCcF4akUUcXnx4gv9Z1ZQ93Jg5X7h+0MP7Ut4z9hKSIAOowru7GXGEt256Ja
-eE1nSviDcqUtZpyqCLjpCDFGPMwSPzSwlPXjJVlVxPkDvPuNt2LUIEd8BR8Wo7z+
-NA5uM/zTHkQXEdUgCcl/rHy6moHYV3Q+YbMb17zU37a5vLb+wQ74doaiYo3b8KoV
-K6vVKMmB0qru6ERJ3g==
-=4R8U
------END PGP PUBLIC KEY BLOCK-----

openssl-sha1.conf

@@ -1,8 +0,0 @@
-# OpenSSL configuration file to allow SHA1 validation,
-# regardless of crypto-policy selected.
-# Use it by adding into /etc/sysconfig/unbound:
-# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf
-.include = /etc/ssl/openssl.cnf
-
-[evp_properties]
-rh-allow-sha1-signatures = yes

plans/all.fmf

@@ -1,7 +1,7 @@
 summary: Test plan with all Fedora tests
 discover:
        how: fmf
-       url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
+       url: https://src.fedoraproject.org/tests/unbound.git
 execute:
        how: tmt
 

plans/tier1-public.fmf

@@ -1,7 +1,7 @@
 summary: Public (Fedora) Tier1 beakerlib tests
 discover:
     how: fmf
-    url: https://gitlab.com/redhat/centos-stream/tests/unbound.git
+    url: https://src.fedoraproject.org/tests/unbound.git
     filter: 'tier: 1'
 execute:
     how: tmt

root.anchor

@@ -1,2 +1 @@
-.	172800	IN	DNSKEY	257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
 .       172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}

root.key

@@ -0,0 +1,6 @@
+; // The root key in bind format. This can be read by most tools, including
+; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+trusted-keys {
+"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
+
+};

sources

@@ -1,2 +1,2 @@
-SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
-SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21
+SHA512 (unbound-1.21.1.tar.gz) = 82be3faf5e4f9531342008105f5ab2ecc22a56faab1ef5c86420d85ef48443e5dac3455dbc654178a927e34ca4067c7655443f91a250b87945a63e9ba5f74ba7
+SHA512 (unbound-1.21.1.tar.gz.asc) = 5bb3961c210aefb20f91eb96f7d3980324e30cb2307c6c1187f016cacafcade7adcd95855faedfebc2c91464fd6c095511322364357c5b72525fc8e61c0ad248

tmpfiles-unbound-libs.conf

@@ -1,2 +0,0 @@
-d /var/lib/unbound          0755  unbound unbound -
-L /var/lib/unbound/root.key -     -       -       -   ../../../etc/unbound/dnssec-root.key

unbound-1.24-quic-on-demand-only.patch

@@ -1,171 +0,0 @@
-From 1dfe06278c1446558b5043d7c57cd901e7d96829 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Mon, 24 Nov 2025 13:44:14 +0100
-Subject: [PATCH] Do not initialize quic_table unless it is enabled
-
-Fedora in FIPS mode might fail to initialize ngtcp2 library, because
-some ciphers desired are not available.
-
-Make it possible to skip initialization by setting explicitly quic_port
-to 0. Unless we have some listeners for port 853 configured, skip its
-initialization as well.
-
-Related: https://pagure.io/freeipa/issue/9877
----
- daemon/daemon.c           | 14 +++++++++-----
- services/listen_dnsport.c | 14 +++++++++++---
- util/configparser.y       | 15 +++++++++------
- util/netevent.c           |  3 +++
- 4 files changed, 32 insertions(+), 14 deletions(-)
-
-diff --git a/daemon/daemon.c b/daemon/daemon.c
-index f882bb9ad..a9cc25c67 100644
---- a/daemon/daemon.c
-+++ b/daemon/daemon.c
-@@ -558,9 +558,11 @@ daemon_create_workers(struct daemon* daemon)
- 	verbose(VERB_ALGO, "total of %d outgoing ports available", numport);
- 
- #ifdef HAVE_NGTCP2
--	daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
--	if(!daemon->doq_table)
--		fatal_exit("could not create doq_table: out of memory");
-+	if (cfg_has_quic(daemon->cfg)) {
-+		daemon->doq_table = doq_table_create(daemon->cfg, daemon->rand);
-+		if(!daemon->doq_table)
-+			fatal_exit("could not create doq_table: out of memory");
-+	}
- #endif
- 	
- 	daemon->num = (daemon->cfg->num_threads?daemon->cfg->num_threads:1);
-@@ -917,8 +919,10 @@ daemon_cleanup(struct daemon* daemon)
- 	daemon->dnscenv = NULL;
- #endif
- #ifdef HAVE_NGTCP2
--	doq_table_delete(daemon->doq_table);
--	daemon->doq_table = NULL;
-+	if (daemon->doq_table) {
-+		doq_table_delete(daemon->doq_table);
-+		daemon->doq_table = NULL;
-+	}
- #endif
- 	daemon->cfg = NULL;
- }
-diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
-index f7fcca194..ab8f1ba72 100644
---- a/services/listen_dnsport.c
-+++ b/services/listen_dnsport.c
-@@ -1564,7 +1564,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
- 			cp = comm_point_create_udp(base, ports->fd,
- 				front->udp_buff, ports->pp2_enabled, cb,
- 				cb_arg, ports->socket);
--		} else if(ports->ftype == listen_type_doq) {
-+		} else if(ports->ftype == listen_type_doq && doq_table) {
- #ifndef HAVE_NGTCP2
- 			log_warn("Unbound is not compiled with "
- 				"ngtcp2. This is required to use DNS "
-@@ -3275,7 +3275,11 @@ nghttp2_session_callbacks* http2_req_callbacks_create(void)
- struct doq_table*
- doq_table_create(struct config_file* cfg, struct ub_randstate* rnd)
- {
--	struct doq_table* table = calloc(1, sizeof(*table));
-+	struct doq_table* table;
-+
-+	if (!cfg->quic_port)
-+		return NULL;
-+	table = calloc(1, sizeof(*table));
- 	if(!table)
- 		return NULL;
- #ifdef USE_NGTCP2_CRYPTO_OSSL
-@@ -3354,7 +3358,7 @@ conn_tree_del(rbnode_type* node, void* arg)
- {
- 	struct doq_table* table = (struct doq_table*)arg;
- 	struct doq_conn* conn;
--	if(!node)
-+	if(!node || !table)
- 		return;
- 	conn = (struct doq_conn*)node->key;
- 	if(conn->timer.timer_in_list) {
-@@ -3413,6 +3417,7 @@ doq_timer_find_time(struct doq_table* table, struct timeval* tv)
- {
- 	struct doq_timer key;
- 	struct rbnode_type* node;
-+	log_assert(table != NULL);
- 	memset(&key, 0, sizeof(key));
- 	key.time.tv_sec = tv->tv_sec;
- 	key.time.tv_usec = tv->tv_usec;
-@@ -4922,6 +4927,7 @@ doq_conid_find(struct doq_table* table, const uint8_t* data, size_t datalen)
- 	key.node.key = &key;
- 	key.cid = (void*)data;
- 	key.cidlen = datalen;
-+	log_assert(table != NULL);
- 	node = rbtree_search(table->conid_tree, &key);
- 	if(node)
- 		return (struct doq_conid*)node->key;
-@@ -5662,6 +5668,8 @@ doq_table_quic_size_available(struct doq_table* table,
- 	struct config_file* cfg, size_t mem)
- {
- 	size_t cur;
-+	if (!table)
-+		return 0;
- 	lock_basic_lock(&table->size_lock);
- 	cur = table->current_size;
- 	lock_basic_unlock(&table->size_lock);
-diff --git a/util/configparser.y b/util/configparser.y
-index bf9c196fc..f159b8cec 100644
---- a/util/configparser.y
-+++ b/util/configparser.y
-@@ -1235,14 +1235,17 @@ server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
- server_quic_port: VAR_QUIC_PORT STRING_ARG
- 	{
- 		OUTYY(("P(server_quic_port:%s)\n", $2));
-+		if(atoi($2) == 0 && strcmp($2,"0")!=0)
-+			yyerror("port number expected");
-+		else {
-+			cfg_parser->cfg->quic_port = atoi($2);
- #ifndef HAVE_NGTCP2
--		log_warn("%s:%d: Unbound is not compiled with "
--			"ngtcp2. This is required to use DNS "
--			"over QUIC.", cfg_parser->filename, cfg_parser->line);
-+			if (cfg_parser->cfg->quic_port != 0)
-+				log_warn("%s:%d: Unbound is not compiled with "
-+					"ngtcp2. This is required to use DNS "
-+					"over QUIC.", cfg_parser->filename, cfg_parser->line);
- #endif
--		if(atoi($2) == 0)
--			yyerror("port number expected");
--		else cfg_parser->cfg->quic_port = atoi($2);
-+		}
- 		free($2);
- 	};
- server_quic_size: VAR_QUIC_SIZE STRING_ARG
-diff --git a/util/netevent.c b/util/netevent.c
-index aedcb5e07..93db16675 100644
---- a/util/netevent.c
-+++ b/util/netevent.c
-@@ -2723,6 +2723,7 @@ doq_server_socket_create(struct doq_table* table, struct ub_randstate* rnd,
- {
- 	size_t doq_buffer_size = 4096; /* bytes buffer size, for one packet. */
- 	struct doq_server_socket* doq_socket;
-+	log_assert(doq_table != NULL);
- 	doq_socket = calloc(1, sizeof(*doq_socket));
- 	if(!doq_socket) {
- 		return NULL;
-@@ -2804,6 +2805,7 @@ doq_lookup_repinfo(struct doq_table* table, struct comm_reply* repinfo)
- {
- 	struct doq_conn* conn;
- 	struct doq_conn_key key;
-+	log_assert(table != NULL);
- 	doq_conn_key_from_repinfo(&key, repinfo);
- 	lock_rw_rdlock(&table->lock);
- 	conn = doq_conn_find(table, &key.paddr.addr,
-@@ -5880,6 +5882,7 @@ comm_point_create_doq(struct comm_base *base, int fd, sldns_buffer* buffer,
- 	struct config_file* cfg)
- {
- #ifdef HAVE_NGTCP2
-+	log_assert(table != NULL);
- 	struct comm_point* c = (struct comm_point*)calloc(1,
- 		sizeof(struct comm_point));
- 	short evbits;
--- 
-2.52.0
-

unbound-1.24-swig-function.patch

@@ -1,26 +0,0 @@
-From 0fc825def2f812af70189a01b0fe66e1c5050aec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Fri, 24 Oct 2025 20:20:50 +0200
-Subject: [PATCH] Use $action instead of $function in python SWIG interface
-
-$function is not supported since SWIG 4.4.0.
----
- libunbound/python/libunbound.i | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
-index dc12514..4576844 100644
---- a/libunbound/python/libunbound.i
-+++ b/libunbound/python/libunbound.i
-@@ -853,7 +853,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
- %{ 
-   //printf("resolve_start(%lX)\n",(long unsigned int)arg1);
-   Py_BEGIN_ALLOW_THREADS 
--  $function 
-+  $action 
-   Py_END_ALLOW_THREADS 
-   //printf("resolve_stop()\n");
- %} 
--- 
-2.51.0
-

unbound-fedora-config.patch

@@ -1,6 +1,6 @@
-From 6e2d042505a006ab5fd703631661e68d1cdc66df Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
-Date: Fri, 15 Nov 2024 13:25:34 +0100
+From 41c489180eeecba97641f747ee6a43aa2c6d4299 Mon Sep 17 00:00:00 2001
+From: Tomas Korbar <tkorbar@redhat.com>
+Date: Thu, 6 Feb 2025 16:01:21 +0100
 Subject: [PATCH] Customize unbound.conf for Fedora defaults
 
 Set some Fedora/RHEL specific changes to example configuration file. By
@@ -11,19 +11,9 @@ update external copy in source RPM.
  1 file changed, 31 insertions(+), 2 deletions(-)
 
 diff --git a/doc/example.conf.in b/doc/example.conf.in
-index 59090c6..3a86809 100644
+index dc2aa1c..a656bd7 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
-@@ -8,6 +8,9 @@
- # Use this anywhere in the file to include other text into this file.
- #include: "otherfile.conf"
-
-+# Default Fedora settings
-+include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
-+
- # Use this anywhere in the file to include other text, that explicitly starts a
- # clause, into this file. Text after this directive needs to start a clause.
- #include-toplevel: "otherfile.conf"
 @@ -51,11 +51,19 @@ server:
  	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
  	# specify every interface[@port] on a new 'interface:' labelled line.
@@ -44,7 +34,7 @@ index 59090c6..3a86809 100644
  
  	# enable this feature to copy the source address of queries to reply.
  	# Socket options are not supported on all platforms. experimental.
-@@ -285,6 +293,8 @@ server:
+@@ -276,6 +284,8 @@ server:
  	# nat64-prefix: 64:ff9b::0/96
  
  	# Enable UDP, "yes" or "no".
@@ -53,7 +43,7 @@ index 59090c6..3a86809 100644
  	# do-udp: yes
  
  	# Enable TCP, "yes" or "no".
-@@ -320,6 +330,9 @@ server:
+@@ -311,6 +321,9 @@ server:
  	# can be dropped. Default is 0, disabled. In seconds, such as 3.
  	# sock-queue-timeout: 0
  
@@ -63,7 +53,7 @@ index 59090c6..3a86809 100644
  	# Use systemd socket activation for UDP, TCP, and control sockets.
  	# use-systemd: no
  
-@@ -906,6 +919,8 @@ server:
+@@ -890,6 +903,8 @@ server:
  	# you need to do the reverse notation yourself.
  	# local-data-ptr: "192.0.2.3 www.example.com"
  
@@ -72,7 +62,7 @@ index 59090c6..3a86809 100644
  	# tag a localzone with a list of tag names (in "" with spaces between)
  	# local-zone-tag: "example.com" "tag2 tag3"
  
-@@ -916,8 +931,8 @@ server:
+@@ -900,8 +915,8 @@ server:
  	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
  	# Give the certificate to use and private key.
  	# default is "" (disabled).  requires restart to take effect.
@@ -82,18 +72,21 @@ index 59090c6..3a86809 100644
 +	# tls-service-pem: "/etc/unbound/unbound_server.pem"
  	# tls-port: 853
  	# https-port: 443
- 	# quic-port: 853
-@@ -1166,6 +1181,9 @@ remote-control:
+ 
+@@ -1146,6 +1161,12 @@ remote-control:
  	# unbound-control certificate file.
  	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
-
+ 
++# Default Fedora settings
++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
++
 +# Stub and Forward zones
 +include: "@sysconfdir@/unbound/conf.d/*.conf"
 +
  # Stub zones.
  # Create entries like below, to make all queries for 'example.com' and
  # 'example.org' go to the given list of nameservers. list zero or more
-@@ -1186,6 +1207,10 @@ remote-control:
+@@ -1166,6 +1187,10 @@ remote-control:
  #	name: "example.org"
  #	stub-host: ns.example.com.
  
@@ -104,7 +97,7 @@ index 59090c6..3a86809 100644
  # Forward zones
  # Create entries like below, to make all queries for 'example.com' and
  # 'example.org' go to the given list of servers. These servers have to handle
-@@ -1203,6 +1228,10 @@ remote-control:
+@@ -1183,6 +1208,10 @@ remote-control:
  # forward-zone:
  # 	name: "example.org"
  # 	forward-host: fwd.example.com
@@ -116,5 +109,5 @@ index 59090c6..3a86809 100644
  # Authority zones
  # The data for these zones is kept locally, from a file or downloaded.
 -- 
-2.47.0
+2.48.1
 

unbound.spec

@@ -4,15 +4,7 @@
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
-%if 0%{?fedora} >= 43 && !0%{?rhel}
-# Do not build with QUIC support in RHEL, until we have also client support.
-%bcond_without ngtcp2
-%endif
-%if 0%{?rhel} && ! 0%{?epel}
 %bcond_with redis
-%else
-%bcond_without redis
-%endif
 
 %global forgeurl0 https://github.com/NLnetLabs/unbound
 %global downloads https://nlnetlabs.nl/downloads
@@ -40,7 +32,7 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.24.2
+Version: 1.21.1
 Release: %autorelease %{?extra_version:-e %{extra_version}}
 License: BSD-3-Clause
 Url: https://nlnetlabs.nl/projects/unbound/
@@ -49,7 +41,7 @@ Source: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
 Source3: unbound.munin
 Source4: unbound_munin_
-Source5: mkroot.sh
+Source5: root.key
 Source7: unbound-keygen.service
 Source8: tmpfiles-unbound.conf
 Source9: example.com.key
@@ -62,26 +54,20 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: %{downloads}/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-# https://nlnetlabs.nl/signing-keys/
-Source19: https://nlnetlabs.nl/downloads/keys/releases-g2.asc#/nlnetlabs2026-g2.asc
+# source: https://nlnetlabs.nl/people/
+Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source20: unbound.sysusers
 Source21: remote-control.conf
 Source22: https://nlnetlabs.nl/downloads/keys/Yorgos.asc
 Source23: unbound-as112-networks.conf
 Source24: unbound-local-root.conf
-Source25: openssl-sha1.conf
-Source26: remote-control-include.conf
-Source27: fedora-defaults.conf
-Source28: module-setup.sh
-Source29: unbound-initrd.conf
-Source30: tmpfiles-unbound-libs.conf
+Source25: remote-control-include.conf
+Source26: fedora-defaults.conf
+Source27: module-setup.sh
+Source28: unbound-initrd.conf
 
 # Downstream configuration changes
 Patch1:   unbound-fedora-config.patch
-# https://github.com/NLnetLabs/unbound/pull/1331
-Patch2:   unbound-1.24-swig-function.patch
-# https://github.com/NLnetLabs/unbound/pull/1381
-Patch3:   unbound-1.24-quic-on-demand-only.patch
 
 BuildRequires: gcc, make
 BuildRequires: openssl-devel
@@ -93,9 +79,8 @@ BuildRequires: automake autoconf libtool
 BuildRequires: autoconf-archive
 # Regenerate config parser too
 BuildRequires: bison flex byacc
-BuildRequires: dns-root-data
 
-%if 0%{?fedora} || 0%{?rhel} >= 9
+%if 0%{?fedora}
 BuildRequires: gnupg2
 %endif
 %if 0%{with_python2}
@@ -121,9 +106,6 @@ BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
 %endif
-%if %{with ngtcp2}
-BuildRequires: ngtcp2-crypto-ossl-devel
-%endif
 
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -165,7 +147,7 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
 Recommends: %{name}-anchor
-Requires: dns-root-data
+%{?sysusers_requires_compat}
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@@ -225,10 +207,8 @@ Unbound dracut module allowing use of Unbound for name resolution
 in initramfs.
 
 %prep
-%if 0%{?fedora} || 0%{?rhel} >= 9
-# TODO: Remove Yorgos.asc and extra verification once releases start to be signed by new g2 key
-%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}' || \
-%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
+%if 0%{?fedora}
+%{gpgverify} --keyring='%{SOURCE22}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
 
@@ -294,12 +274,12 @@ autoreconf -fiv
 %if %{with doh}
             --with-libnghttp2 \
 %endif
+%if 0%{?rhel}
+            --disable-sha1 \
+%endif
 %if %{with redis}
             --with-libhiredis \
             --enable-cachedb \
-%endif
-%if %{with ngtcp2}
-            --with-libngtcp2 \
 %endif
             %{configure_args}
 
@@ -315,9 +295,6 @@ pushd %{dir_secondary}
 %endif
 %if %{with systemd}
             --enable-systemd \
-%endif
-%if %{with ngtcp2}
-            --with-libngtcp2 \
 %endif
             %{configure_args}
 
@@ -360,20 +337,22 @@ done
 %endif
 
 # install streamtcp man page
-install -p -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
-install -p -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
 
 # Install tmpfiles.d config
 install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
-install -p -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
-install -p -m 0644 %{SOURCE30} %{buildroot}%{_tmpfilesdir}/unbound-libs.conf
+install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
 
 # install root - we keep a copy of the root key in old location,
 # in case user has changed the configuration and we wouldn't update it there
-sh %{SOURCE5} root.key
-install -m 0644 root.key %{buildroot}%{_sysconfdir}/unbound/
-ln -sr "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key" "%{buildroot}%{_sharedstatedir}/unbound/root.key"
-ln -sr "%{buildroot}%{_datadir}/dns-root-data/root.key" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key"
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
+install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
+# make initial key static
+pushd %{buildroot}%{_sharedstatedir}/unbound
+  KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
+  ln -s "$KEYPATH" root.key
+popd
 
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
@@ -395,14 +374,14 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
-install -p -m 0644 %{SOURCE26} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf
-install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf
+install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+install -p -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/unbound/conf.d/remote-control.conf
 
 mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_datadir}/%{name}/conf.d/
 install -p -m 0644 %{SOURCE23} %{buildroot}%{_datadir}/%{name}/conf.d/
 install -p -m 0644 %{SOURCE24} %{buildroot}%{_datadir}/%{name}/conf.d/
-install -p -m 0644 %{SOURCE27} %{buildroot}%{_datadir}/%{name}/
+install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -410,9 +389,11 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control
 # install dracut module
 mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 
-install -p -m 0755 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
-install -p -m 0644 %{SOURCE29} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
+install -p -m 0755 %{SOURCE27} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
+install -p -m 0644 %{SOURCE28} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 
+%pre libs
+%sysusers_create_compat %{SOURCE20}
 
 %post
 %systemd_post unbound.service
@@ -440,19 +421,18 @@ fi
 %postun anchor
 %systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer
 
-%triggerun -- unbound < 1.23.1-4
-if [ "$(stat -c '%%a %%G' %{_sysconfdir}/%{name}/unbound_control.key 2>/dev/null)" = '600 unbound' ]; then
-   # change permissions of existing key just once, where it were generated with wrong perms
-   %{_bindir}/chmod g+r "%{_sysconfdir}/%{name}/unbound_control.key" || :
-fi
-
-
 %check
-export OPENSSL_CONF="%{buildroot}%{_sysconfdir}/unbound/openssl-sha1.conf"
+#pushd pythonmod
+#make test
+#popd
+
 make check
 
 %if 0%{?python_secondary:1}
 pushd %{dir_secondary}
+#pushd pythonmod
+#make test
+#popd
 make check
 popd
 %endif
@@ -465,7 +445,6 @@ popd
 %attr(0775,unbound,root) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/openssl-sha1.conf
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
@@ -475,7 +454,7 @@ popd
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
-%ghost %attr(0600,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
+%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
 %{_sbindir}/unbound
 %{_sbindir}/unbound-checkconf
 %{_sbindir}/unbound-control
@@ -522,11 +501,10 @@ popd
 %{_sysusersdir}/%{name}.conf
 %{_libdir}/libunbound.so.8*
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
-%config %verify(not link owner group size mtime mode md5) %{_sharedstatedir}/%{name}/root.key
+%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dnssec-root.key
-%attr(0644,root,root) %{_tmpfilesdir}/unbound-libs.conf
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key
 
 %files anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}

unbound.sysconfig

@@ -5,6 +5,3 @@ UNBOUND_ANCHOR_OPTIONS="-f /etc/resolv.conf -R"
 
 # for extra debug, add "-v -v" or change verbosity: in unbound.conf
 UNBOUND_OPTIONS=""
-
-# Uncoment to validate SHA1 in any crypto policy
-# OPENSSL_CONF=/etc/unbound/openssl-sha1.conf

wouter.nlnetlabs.nl.key

@@ -0,0 +1,123 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xE
+SH45ncnISUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs6
+1pTcPU2PnH7Rsr2qp6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0x
+TQh95M8o6AFo6UKWApBpgsvEZr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3
+l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyE
+qn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub4Awsby3DH5YpPhi4N2vj2pAX
+Vpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjDilNDBiKiDdgtrLYG
+x+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T8E2NQqmF
+WjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
+/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hed
+hvb6mAkvSFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQAB
+zSdXLkMuQS4gV2lqbmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD7CwX4EEwEC
+ACgFAk2v/RwCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJ9v
+HC1+BF+N3yoQAIynfrvZ/8RNAv9lLcSc2PX3fvG7oRJEJSy9uMyIbMtb/a1BVCeh
+XjR8GhHJ5D/Z3jRWBQKw1rLLvOqbuBGkpKMR100ZVF4z/8e6CWtTAOFy28f1JQw2
+8kilN7K6vjno21S1JJ1XJAdoFdicyb1SW2r+KYod6fjSyF0lb71od+sdnSE9O/xd
+Cqyyu6cX+AwfDcuJ6Y8iOWu8CeWAz41LR1QBUQkCb/08mVfCEu+Cj+M31jjPDZEy
+UAw219vr4QFe0o3t+Msv0AUZvcRkW6+8qP5lO6I5we/33WBLZH70lhFvYtobM7HO
+MCjheRZguSzvRqEETfTjia1uVi3Yz2qM4CFdJIZF6Er79yKcB3jYquultrnlHdXZ
+/IZsHVRk6JfiqFkz9u1T9PkvMoQ452aUomGTg9xQchnKpe1E8osKgLulaY+izTEq
+Z8pH/HWWJ/YT13/n8pxK9EbC/8SkVhyXNehOSAGDZar+tjVBofgzS8r+GDyv+pBT
+SmjitIrVXZNuhigLp1o7Tvs4kjKlcFnLhfDHJ+yb5JyiZd01bVvaqnfRhACqXfWl
+oC0uslRbegoYwJUgX0BOrsOuHGH2SfGjd/QnA0bcEXM2kp1Dp1gqtcEd5Qitm647
+Yz+leWkhrmMmtTwqumXoAcvgzthJFUPcAzuhXZNfqQJMOGRxAGVI0P97wsF+BBMB
+AgAoAhsjBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCVu+rZAUJDQIVSAAKCRCf
+bxwtfgRfjdrWEACMQK0xYtZtAvLL/8CCcCi92Oi1rtXRGWnRy7JX020hftmWliMq
+4P0F3CJKVLhgZ/ldp8OOqmfDfmwLMVSaCQ86Ubqn7Ofrf8Ku8SGQuIMxY2ODB97h
+ouY4bnDHaM2Cqi6JkBN+G1tgdwqN/kcecF2tq3ql2k7eX91++A+F5ApIu1silzJP
+L4Z8W6MVOdKrtzEM7t61hRlsbpEPj72vbVBZ1hmTiIL4VWwdxQYamxBoOeneskyD
+DG+iMCI3P1GG3EQkk+9Aect/iH9uruE0mxn2aKN8cfuoR93cPF/ozCxS5ItwAVnN
+e39WRO1GT2zYaFgYm0lf9czcpRsRzNbGw938lZ3iPUiZe+ybKgLKkVmvrkM59ljH
+T99SrC14VXxgQwSs4gS3rdzbY9tPps62Z1q+xCVfTx1IY5P4nt59xwQV0Iw+pV9S
+/mVcOnPXl1UKb0ttOdYJErrq3RpF/D2g/NDtL0OWqIa8LvrBlyQYmWPKvKw76vt4
+bJ3NU31jSc0ow/j7EOVjOst86s629zmtnbJjWVr6LOy5EDUPusmqHv1t4Z4RMjf8
+OrJdNbFJoRXZv8FbW4NzXeGtMf8k6vKeejpdMH4+eLuoZG7dchU1JccfgqfwWpy0
+ojmb59drJcaQgVC6Jvw9l0TmGPNIsE4UrIWocaFgv4dOKvHA2hcnMDM8rsLBlQQT
+AQIAPwIbIwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46f
+bxwtfgRfjQUCWaU4BQUJEZjVaQAKCRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL
+2IK/Zencv7DZGRfFrzijROFtHbe//H8o2ZhlyiaFSA/dT1ehjsukkR0oFkYadA+q
+Ui06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY8DP57bA+N2pdCcGu7gUt
+Yzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpGN79otVWO6ebM
+4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t7Eot
+zxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW
+5/EIQmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN
+46c1y3prjZRpQUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCt
+GpDIfag6fV6V97Pd3zfhTf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/
+JnCCceB4NxRRxsgkRYHwdnXN9FnOPSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/K
+lxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7mt7HQ2bCLXAPgfZjy7n79WiCQVHg7
+iYnNikiNWR5TR7JcvdkxOdiA/8LBlQQTAQgAPwIbIwYLCQgHAwIGFQgCCQoLBBYC
+AwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJGaQN2QAKCRCf
+bxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y17Bx
+4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2
+bWokW0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJ
+GJALRtZzjtzsJqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59
+vcqLRZgkrJrObw0sEv3YFOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao
++Qnhdi161W0YKCW4JAmOoQ4bQ0wfE9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ
+/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67e5e3JfUb0vNKssyZojao4h1MF5nv
+aPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsFwRDcCnSEKnksgM0321m1
+7RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/vx5uxyqSHPuGA
+sXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVoCfDv
+vizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p87BTQRN
+r/0cARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeR
+lJ83O8dFG7UBVuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqj
+q4pKDmO1c9J7h5d+auOVfzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7de
+Zcgt8v7VcLK9jv+P8QJHTIyDzJd+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaM
+jwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyAFomDQ93/wkHZ9IEChTxdZnfvsd//
+Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3HVxwB8/owJ+FZDsTNBbJd
+7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyTRlwGUBJkzQFW
+Qa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV6FfL
+i09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDY
+ehfOo/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOV
+H1OBTKNdBjc+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAcLBZQQY
+AQIADwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3ud
+V67KmVmytwGMfzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQz
+gOZhGP5Y0OREf4kSzfb7tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmW
+DK/Eh/eNVeNd+3yyDEzl2p7a0yUhI8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVt
+PfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEiIrR3PbZ9tV6+F5LzCUJJP5nepz6C
+ShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8nOfTzdHhXXEogGvRfcxat
+xeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEnEHoo8rPETkXw
+UK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7ZobL
+2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gG
+oltXWokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB
+2Igll2ZT3AvrBQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9N
+Tpaq1vtAZOwc0kl3uGNK18PnV8LBZQQYAQIADwIbDAUCVu+raQUJDQIVTQAKCRCf
+bxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5NGB4
+RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtU
+XC5/JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0Cu
+rUeb4WTVpw4drBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4Ix
+eY3/CGBfQfSQHylK7ifmPWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3B
+Y6+P8Ch5gddOYaY18wpedarswnpOLQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27e
+g35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kkfqDn2ouCtM8/kqLX1v0+NkBxlhZU
+kTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZxdl3QuyxMktExWzk9Q5D
+YqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXuQL9SWObF+sIF
+c9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7CLUT
+k7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JMLBfAQY
+AQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJEJ9v
+HC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+
+VoRtB+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgL
+Yc6ac5PEHF1qZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG
+0Z+wQvPSiu+Q00XpENT8HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4
+yoC+Nd6iPQpnc+5xs7NDnq2dFuSTp7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+
+v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeINyJO8A5KS3ceP+eo3SLR8T0hPzu9g
+ZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy2HSXUq2fs5rH0uszFGes
+G7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY+xlVULjEfCWy
+RVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9You1Fi
+1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa
+7Hzd8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQwsF8BBgB
+CAAmAhsMFiEE7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28c
+LX4EX43TQA/+JV8ReMRJCn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJO
+bQcqw7s50FJuLUbxdvbcuGIaoTu7dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645
+EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N0y58eoDC4sGmBKuN2EW2MoWahlXw
+8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSFlYWVhr0zGAi5rnswlFGr
+ECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZcBlddGhmSVVJ
+ZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVRep0/
+s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7dd
+HaBtg/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ
+9pGORJ+P2Jr2pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2y
+p4CShmWoZwN0V3aGYMe/rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA
+5bNxwTWe8skwOKsxXnP9RC974k0XkPS+VwgmVgNN1ewS/0oHvmEP71Q=
+=Oqje
+-----END PGP PUBLIC KEY BLOCK-----