diff --git a/.gitignore b/.gitignore
index c388427..5009aba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.4.18.tar.gz
 /unbound-1.4.19.tar.gz
 /unbound-1.4.20.tar.gz
+/unbound-1.4.21.tar.gz
diff --git a/sources b/sources
index 9435d03..e084414 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1f2d0b490fd7928a708a326beda21948 unbound-1.4.20.tar.gz
+0aa8db06ea784bf7879060bd1f6551c8 unbound-1.4.21.tar.gz
diff --git a/unbound.conf b/unbound.conf
index d00f21e..ce36ad1 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -20,7 +20,7 @@ server:
 # enable cumulative statistics, without clearing them after printing.
 # Needed for munin plugin
- statistics-cumulative: no
+ statistics-cumulative: yes
 # enable extended statistics (query types, answer codes, status)
 # printed from unbound-control. default off, because of speed.
@@ -72,6 +72,7 @@ server:
 # permit unbound to use this port number or port range for
 # making outgoing queries, using an outgoing interface.
+ # Only ephemeral ports are allowed by SElinux
 outgoing-port-permit: 32768-65535
 # deny unbound the use this of port number or port range for
@@ -99,6 +100,11 @@ server:
 # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
 # edns-buffer-size: 4096
+ # Maximum UDP response size (not applied to TCP response).
+ # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+ # 3072 causes +dnssec any isc.org queries to need TC=1. Helps mitigating DDOS
+ max-udp-size: 3072
 # buffer size for handling DNS data. No messages larger than this
 # size can be sent or received, by UDP or TCP. In bytes.
 # msg-buffer-size: 65552
@@ -226,6 +232,9 @@ server:
 # print UTC timestamp in ascii to logfile, default is epoch in seconds.
 log-time-ascii: yes
+ # print one line with time, IP, name, type, class for every query.
+ # log-queries: no
+
 # the pid file. Can be an absolute path outside of chroot/work dir.
 pidfile: "/var/run/unbound/unbound.pid"
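Review bot: The comment added with `max-udp-size: 3072` in the `@@ -99,6 +100,11 @@` hunk does not say that anything larger is returned with TC=1 and has to be retried over TCP, so clients on a path that blocks 53/tcp would see failures on large DNSSEC answers. `edns-buffer-size` stays commented out in the context line just above, so the size advertised to upstream servers presumably remains at its default and only the client-facing side is limited. I would add a line such as `# Larger answers are truncated (TC=1) and retried over TCP; keep 53/tcp reachable.` It is also worth stating that the cap lowers the amplification factor but does not replace restricting who may query through `access-control`. The `server:` block starts and ends outside the hunk.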
diff --git a/unbound.spec b/unbound.spec
index 1c240e2..e614e48 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -10,8 +10,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.4.20
-Release: 19%{?dist}
+Version: 1.4.21
+Release: 1%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -32,9 +32,6 @@ Source13: root.anchor
 Source14: unbound.sysconfig
 Source15: unbound.cron
 Source16: unbound-munin.README
-Patch1: unbound-1.4.20-roundrobin.patch
-Patch2: unbound-1.4.20-streamtcp-manpage.patch
-Patch3: unbound-1.4.20-coverity_scan.patch
 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.13
@@ -108,9 +105,6 @@ Python modules and extensions for unbound
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
 %build
 export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
@@ -283,6 +277,13 @@ exit 0
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 %changelog
+* Thu Sep 19 2013 Paul Wouters - 1.4.21-1
+- Updated to 1.4.21,
+- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit)
+- Removed patched merged in by upstream
+- Enable statistics-cumulative for munin-plugin
+- Updated unbound.conf
+
 * Mon Aug 26 2013 Tomas Hozza - 1.4.20-19
 - Fix errors found by static analysis of source