import CS unbound-1.16.2-17.el9

SOURCES/module-setup.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/bash
+
+check() {
+    require_binaries unbound unbound-checkconf unbound-control || return 1
+    # the module will be only included if explicitly required either
+    # by configuration or another module
+    return 255
+}
+
+depends() {
+    # because of pid file we need sysusers to create unbound user
+    echo systemd systemd-sysusers
+    return 0
+}
+
+install() {
+    # We have to make unbound wanted by network-online target to make sure
+    # there is a synchronization point when other services are able
+    # to make queries
+    inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
+
+    # /etc and /var/lib do not have its variables
+    inst_multiple -o \
+    "$systemdsystemunitdir"/unbound.service \
+    /etc/unbound/conf.d/remote-control.conf \
+    /etc/unbound/openssl-sha1.conf \
+    /usr/share/unbound/fedora-defaults.conf \
+    /usr/share/unbound/conf.d/*.conf \
+    /etc/unbound/local.d/*.conf \
+    /etc/unbound/keys.d/*.key \
+    /etc/unbound/unbound.conf \
+    /etc/unbound/unbound_control.key \
+    /etc/unbound/unbound_control.pem \
+    /etc/unbound/unbound_server.key \
+    /etc/unbound/unbound_server.pem \
+    "$sysusers"/unbound.conf \
+    "$tmpfilesdir"/unbound.conf \
+    /var/lib/unbound/root.key \
+    unbound \
+    unbound-checkconf \
+    unbound-control
+
+    $SYSTEMCTL -q --root "$initdir" enable unbound.service
+}

SOURCES/tmpfiles-unbound.conf

@@ -1 +1 @@
-D /run/unbound 0755 unbound unbound -
+D /run/unbound 0775 unbound root -

SOURCES/unbound-1.16-control-t-flag.patch

@@ -0,0 +1,129 @@
+commit 6d1e61173bbf44dae458c361be63217f7e9e5599
+Author: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
+Date:   Thu Mar 28 09:58:03 2024 +0100
+
+    - Fix #1034: DoT forward-zone via unbound-control.
+
+diff --git a/unbound-1.16.2/daemon/remote.c b/unbound-1.16.2/daemon/remote.c
+index 5d79eafd..cbce1198 100644
+--- a/unbound-1.16.2/daemon/remote.c
++++ b/unbound-1.16.2/daemon/remote.c
+@@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
+ 
+ static int
+ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
+-	int* insecure, int* prime)
++	int* insecure, int* prime, int* tls)
+ {
+ 	char* zonename;
+ 	char* rest;
+@@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
+ 				*insecure = 1;
+ 			else if(*args == 'p' && prime)
+ 				*prime = 1;
++			else if(*args == 't' && tls)
++				*tls = 1;
+ 			else {
+ 				(void)ssl_printf(ssl, "error: unknown option %s\n", args);
+ 				return 0;
+@@ -2144,11 +2146,13 @@ static void
+ do_forward_add(RES* ssl, struct worker* worker, char* args)
+ {
+ 	struct iter_forwards* fwd = worker->env.fwds;
+-	int insecure = 0;
++	int insecure = 0, tls = 0;
+ 	uint8_t* nm = NULL;
+ 	struct delegpt* dp = NULL;
+-	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
++	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
+ 		return;
++	if(tls)
++		dp->ssl_upstream = 1;
+ 	if(insecure && worker->env.anchors) {
+ 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
+ 			nm)) {
+@@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
+ 	struct iter_forwards* fwd = worker->env.fwds;
+ 	int insecure = 0;
+ 	uint8_t* nm = NULL;
+-	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
++	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
+ 		return;
+ 	if(insecure && worker->env.anchors)
+ 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
+@@ -2189,11 +2193,13 @@ static void
+ do_stub_add(RES* ssl, struct worker* worker, char* args)
+ {
+ 	struct iter_forwards* fwd = worker->env.fwds;
+-	int insecure = 0, prime = 0;
++	int insecure = 0, prime = 0, tls = 0;
+ 	uint8_t* nm = NULL;
+ 	struct delegpt* dp = NULL;
+-	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
++	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
+ 		return;
++	if(tls)
++		dp->ssl_upstream = 1;
+ 	if(insecure && worker->env.anchors) {
+ 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
+ 			nm)) {
+@@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
+ 	struct iter_forwards* fwd = worker->env.fwds;
+ 	int insecure = 0;
+ 	uint8_t* nm = NULL;
+-	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
++	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
+ 		return;
+ 	if(insecure && worker->env.anchors)
+ 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
+diff --git a/unbound-1.16.2/doc/unbound-control.8.in b/unbound-1.16.2/doc/unbound-control.8.in
+index 7823de3a..642b4c94 100644
+--- a/unbound-1.16.2/doc/unbound-control.8.in
++++ b/unbound-1.16.2/doc/unbound-control.8.in
+@@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
+ .B insecure_remove \fIzone
+ Removes domain\-insecure for the given zone.
+ .TP
+-.B forward_add \fR[\fI+i\fR] \fIzone addr ...
++.B forward_add \fR[\fI+it\fR] \fIzone addr ...
+ Add a new forward zone to running Unbound.  With +i option also adds a
+ \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
+ a DNSSEC root trust anchor configured for other names).
+ The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
+ in unbound.conf.
++The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
+ .TP
+ .B forward_remove \fR[\fI+i\fR] \fIzone
+ Remove a forward zone from running Unbound.  The +i also removes a
+ \fIdomain\-insecure\fR for the zone.
+ .TP
+-.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
++.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
+ Add a new stub zone to running Unbound.  With +i option also adds a
+ \fIdomain\-insecure\fR for the zone.  With +p the stub zone is set to prime,
+ without it it is set to notprime.  The addr can be IP4, IP6 or nameserver
+ names, like the \fIstub-zone\fR config in unbound.conf.
++The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
+ .TP
+ .B stub_remove \fR[\fI+i\fR] \fIzone
+ Remove a stub zone from running Unbound.  The +i also removes a
+diff --git a/unbound-1.16.2/smallapp/unbound-control.c b/unbound-1.16.2/smallapp/unbound-control.c
+index c4f73006..57b0787d 100644
+--- a/unbound-1.16.2/smallapp/unbound-control.c
++++ b/unbound-1.16.2/smallapp/unbound-control.c
+@@ -150,12 +150,13 @@ usage(void)
+ 	printf("  list_local_data		list local-data RRs in use\n");
+ 	printf("  insecure_add zone 		add domain-insecure zone\n");
+ 	printf("  insecure_remove zone		remove domain-insecure zone\n");
+-	printf("  forward_add [+i] zone addr..	add forward-zone with servers\n");
++	printf("  forward_add [+it] zone addr..	add forward-zone with servers\n");
+ 	printf("  forward_remove [+i] zone	remove forward zone\n");
+-	printf("  stub_add [+ip] zone addr..	add stub-zone with servers\n");
++	printf("  stub_add [+ipt] zone addr..	add stub-zone with servers\n");
+ 	printf("  stub_remove [+i] zone		remove stub zone\n");
+ 	printf("		+i		also do dnssec insecure point\n");
+ 	printf("		+p		set stub to use priming\n");
++	printf("		+t		set to use tls upstream\n");
+ 	printf("  forward [off | addr ...]	without arg show forward setup\n");
+ 	printf("				or off to turn off root forwarding\n");
+ 	printf("				or give list of ip addresses\n");

SOURCES/unbound-as112-networks.conf

@@ -0,0 +1,118 @@
+# Allow forwarding of private ranges, which are marked forwardable by IANA
+# https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+# https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+# https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+# RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
+#
+# Using this configuration file will simplify forwarding to potentially private ranges.
+# Enables forwarding of networks marked as forwardable at IANA special registry.
+# This is useful when upstream forwarder may be still inside private network. That is the case
+# when unbound works as a localhost DNS cache, not network wide resolver.
+
+server:
+	# RFC 8375: Special-Use Domain 'home.arpa.'
+	local-zone: "home.arpa." nodefault
+
+	# RFC 1918: Address Allocation for Private Internets
+	local-zone: "10.in-addr.arpa." nodefault
+	local-zone: "16.172.in-addr.arpa." nodefault
+	local-zone: "17.172.in-addr.arpa." nodefault
+	local-zone: "18.172.in-addr.arpa." nodefault
+	local-zone: "19.172.in-addr.arpa." nodefault
+	local-zone: "20.172.in-addr.arpa." nodefault
+	local-zone: "21.172.in-addr.arpa." nodefault
+	local-zone: "22.172.in-addr.arpa." nodefault
+	local-zone: "23.172.in-addr.arpa." nodefault
+	local-zone: "24.172.in-addr.arpa." nodefault
+	local-zone: "25.172.in-addr.arpa." nodefault
+	local-zone: "26.172.in-addr.arpa." nodefault
+	local-zone: "27.172.in-addr.arpa." nodefault
+	local-zone: "28.172.in-addr.arpa." nodefault
+	local-zone: "29.172.in-addr.arpa." nodefault
+	local-zone: "30.172.in-addr.arpa." nodefault
+	local-zone: "31.172.in-addr.arpa." nodefault
+	local-zone: "168.192.in-addr.arpa." nodefault
+	# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
+	local-zone: "64.100.in-addr.arpa." nodefault
+	local-zone: "65.100.in-addr.arpa." nodefault
+	local-zone: "66.100.in-addr.arpa." nodefault
+	local-zone: "67.100.in-addr.arpa." nodefault
+	local-zone: "68.100.in-addr.arpa." nodefault
+	local-zone: "69.100.in-addr.arpa." nodefault
+	local-zone: "70.100.in-addr.arpa." nodefault
+	local-zone: "71.100.in-addr.arpa." nodefault
+	local-zone: "72.100.in-addr.arpa." nodefault
+	local-zone: "73.100.in-addr.arpa." nodefault
+	local-zone: "74.100.in-addr.arpa." nodefault
+	local-zone: "75.100.in-addr.arpa." nodefault
+	local-zone: "76.100.in-addr.arpa." nodefault
+	local-zone: "77.100.in-addr.arpa." nodefault
+	local-zone: "78.100.in-addr.arpa." nodefault
+	local-zone: "79.100.in-addr.arpa." nodefault
+	local-zone: "80.100.in-addr.arpa." nodefault
+	local-zone: "81.100.in-addr.arpa." nodefault
+	local-zone: "82.100.in-addr.arpa." nodefault
+	local-zone: "83.100.in-addr.arpa." nodefault
+	local-zone: "84.100.in-addr.arpa." nodefault
+	local-zone: "85.100.in-addr.arpa." nodefault
+	local-zone: "86.100.in-addr.arpa." nodefault
+	local-zone: "87.100.in-addr.arpa." nodefault
+	local-zone: "88.100.in-addr.arpa." nodefault
+	local-zone: "89.100.in-addr.arpa." nodefault
+	local-zone: "90.100.in-addr.arpa." nodefault
+	local-zone: "91.100.in-addr.arpa." nodefault
+	local-zone: "92.100.in-addr.arpa." nodefault
+	local-zone: "93.100.in-addr.arpa." nodefault
+	local-zone: "94.100.in-addr.arpa." nodefault
+	local-zone: "95.100.in-addr.arpa." nodefault
+	local-zone: "96.100.in-addr.arpa." nodefault
+	local-zone: "97.100.in-addr.arpa." nodefault
+	local-zone: "98.100.in-addr.arpa." nodefault
+	local-zone: "99.100.in-addr.arpa." nodefault
+	local-zone: "100.100.in-addr.arpa." nodefault
+	local-zone: "101.100.in-addr.arpa." nodefault
+	local-zone: "102.100.in-addr.arpa." nodefault
+	local-zone: "103.100.in-addr.arpa." nodefault
+	local-zone: "104.100.in-addr.arpa." nodefault
+	local-zone: "105.100.in-addr.arpa." nodefault
+	local-zone: "106.100.in-addr.arpa." nodefault
+	local-zone: "107.100.in-addr.arpa." nodefault
+	local-zone: "108.100.in-addr.arpa." nodefault
+	local-zone: "109.100.in-addr.arpa." nodefault
+	local-zone: "110.100.in-addr.arpa." nodefault
+	local-zone: "111.100.in-addr.arpa." nodefault
+	local-zone: "112.100.in-addr.arpa." nodefault
+	local-zone: "113.100.in-addr.arpa." nodefault
+	local-zone: "114.100.in-addr.arpa." nodefault
+	local-zone: "115.100.in-addr.arpa." nodefault
+	local-zone: "116.100.in-addr.arpa." nodefault
+	local-zone: "117.100.in-addr.arpa." nodefault
+	local-zone: "118.100.in-addr.arpa." nodefault
+	local-zone: "119.100.in-addr.arpa." nodefault
+	local-zone: "120.100.in-addr.arpa." nodefault
+	local-zone: "121.100.in-addr.arpa." nodefault
+	local-zone: "122.100.in-addr.arpa." nodefault
+	local-zone: "123.100.in-addr.arpa." nodefault
+	local-zone: "124.100.in-addr.arpa." nodefault
+	local-zone: "125.100.in-addr.arpa." nodefault
+	local-zone: "126.100.in-addr.arpa." nodefault
+	local-zone: "127.100.in-addr.arpa." nodefault
+
+	# RFC 4193: Unique Local IPv6 Unicast Addresses
+	local-zone: "d.f.ip6.arpa." nodefault
+
+	# RFC 2606: Reserved Top Level DNS Names
+	local-zone:      "test." nodefault
+	domain-insecure: "test"
+	domain-insecure: "example"
+
+	# RFC 6762: Multicast DNS, Appendix G
+	domain-insecure: "local"
+	domain-insecure: "intranet"
+	domain-insecure: "private"
+	domain-insecure: "corp"
+	domain-insecure: "home"
+	domain-insecure: "lan"
+
+	# draft-davies-internal-tld
+	domain-insecure: "internal"

SOURCES/unbound-initrd.conf

@@ -0,0 +1,5 @@
+[Unit]
+Before=network-online.target
+
+[Install]
+WantedBy=network-online.target

SOURCES/unbound-local-root.conf

@@ -0,0 +1,30 @@
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).
+#
+# Download local root copy and answer TLD queries from it. Because
+# auth-zone has higher precedence, defined forward-zones to internal
+# only TLD will not work. Use stub-zone or disable this zone.
+# Good for a network-wide resolvers, worse for a localhost caching forwarder.
+auth-zone:
+	name: "."
+	primary: 170.247.170.2        # b.root-servers.net
+	primary: 192.33.4.12          # c.root-servers.net
+	primary: 199.7.91.13          # d.root-servers.net
+	primary: 192.5.5.241          # f.root-servers.net
+	primary: 192.112.36.4         # g.root-servers.net
+	primary: 193.0.14.129         # k.root-servers.net
+	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+	primary: 2801:1b8:10::b       # b.root-servers.net
+	primary: 2001:500:2::c        # c.root-servers.net
+	primary: 2001:500:2d::d       # d.root-servers.net
+	primary: 2001:500:2f::f       # f.root-servers.net
+	primary: 2001:500:12::d0d     # g.root-servers.net
+	primary: 2001:7fd::1          # k.root-servers.net
+	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+	fallback-enabled: yes
+	for-downstream: no
+	for-upstream: yes

SOURCES/unbound.conf

@@ -1071,27 +1071,27 @@ include: /etc/unbound/conf.d/*.conf
 # download it), master: fetches with AXFR and IXFR, or url to zonefile.
 # With allow-notify: you can give additional (apart from masters) sources of
 # notifies.
-auth-zone:
-	name: "."
-	primary: 199.9.14.201         # b.root-servers.net
-	primary: 192.33.4.12          # c.root-servers.net
-	primary: 199.7.91.13          # d.root-servers.net
-	primary: 192.5.5.241          # f.root-servers.net
-	primary: 192.112.36.4         # g.root-servers.net
-	primary: 193.0.14.129         # k.root-servers.net
-	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
-	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-	primary: 2001:500:200::b      # b.root-servers.net
-	primary: 2001:500:2::c        # c.root-servers.net
-	primary: 2001:500:2d::d       # d.root-servers.net
-	primary: 2001:500:2f::f       # f.root-servers.net
-	primary: 2001:500:12::d0d     # g.root-servers.net
-	primary: 2001:7fd::1          # k.root-servers.net
-	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
-	fallback-enabled: yes
-	for-downstream: no
-	for-upstream: yes
+#auth-zone:
+#	name: "."
+#	primary: 199.9.14.201         # b.root-servers.net
+#	primary: 192.33.4.12          # c.root-servers.net
+#	primary: 199.7.91.13          # d.root-servers.net
+#	primary: 192.5.5.241          # f.root-servers.net
+#	primary: 192.112.36.4         # g.root-servers.net
+#	primary: 193.0.14.129         # k.root-servers.net
+#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+#	primary: 2001:500:200::b      # b.root-servers.net
+#	primary: 2001:500:2::c        # c.root-servers.net
+#	primary: 2001:500:2d::d       # d.root-servers.net
+#	primary: 2001:500:2f::f       # f.root-servers.net
+#	primary: 2001:500:12::d0d     # g.root-servers.net
+#	primary: 2001:7fd::1          # k.root-servers.net
+#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+#	fallback-enabled: yes
+#	for-downstream: no
+#	for-upstream: yes
 
 # auth-zone:
 #	name: "example.org"

SOURCES/unbound.service

@@ -8,10 +8,10 @@ Before=nss-lookup.target
 Wants=nss-lookup.target
 
 [Service]
-Type=simple
+Type=notify
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ] && [ ! -f /run/unbound/anchor-disable ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
 

SOURCES/unbound.sysusers

@@ -0,0 +1 @@
+u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin

SPECS/unbound.spec

@@ -2,7 +2,7 @@
 %{?!with_python3:     %global with_python3     1}
 %{?!with_munin:       %global with_munin       1}
 %bcond_without dnstap
-%bcond_with    systemd
+%bcond_without systemd
 %bcond_without doh
 
 %global _hardened_build 1
@@ -30,7 +30,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 8%{?extra_version:.%{extra_version}}%{?dist}
+Release: 17%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -53,11 +53,18 @@ Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source21: remote-control.conf
+Source22: unbound-local-root.conf
+Source23: module-setup.sh
+Source24: unbound-initrd.conf
+Source25: unbound.sysusers
+Source26: unbound-as112-networks.conf
 
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
 Patch1: unbound-1.16-CVE-2022-3204.patch
 # https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
 Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
+# https://github.com/NLnetLabs/unbound/commit/6d1e61173
+Patch5: unbound-1.16-control-t-flag.patch
 
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
@@ -127,7 +134,7 @@ The devel package contains the unbound library and the include files
 
 %package libs
 Summary: Libraries used by the unbound server and client applications
-Requires(pre): shadow-utils
+%{?sysusers_requires_compat}
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
@@ -161,6 +168,14 @@ Conflicts: python2-unbound < 1.9.3
 Python 3 modules and extensions for unbound
 %endif
 
+%package dracut
+Summary: Unbound dracut module
+Requires: dracut%{?_isa}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description dracut
+Unbound dracut module allowing use of Unbound for name resolution
+in initramfs.
 
 %prep
 %if 0%{?fedora}
@@ -272,6 +287,7 @@ install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
 install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
+install -p -D -m 0644 %{SOURCE25} %{buildroot}%{_sysusersdir}/%{name}.conf
 %if %{with_munin}
 # Install munin plugin and its softlinks
 install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
@@ -298,6 +314,9 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
 install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
 install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
 
+# local root zone fetch to separated configuration file
+install -p -m 0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/unbound/
+
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
 
@@ -319,16 +338,22 @@ install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
+ln -s ../unbound-local-root.conf %{buildroot}%{_sysconfdir}/unbound/conf.d/unbound-local-root.conf
+
+mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
+install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/conf.d/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
 
+# install dracut module
+mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
+
+install -p -m 0755 %{SOURCE23} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
+install -p -m 0644 %{SOURCE24} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 
 %pre libs
-getent group unbound >/dev/null || groupadd -r unbound
-getent passwd unbound >/dev/null || \
-useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
--c "Unbound DNS resolver" unbound
+%sysusers_create_compat %{SOURCE25}
 
 %post
 %systemd_post unbound.service
@@ -380,14 +405,17 @@ popd
 %doc doc/CREDITS doc/FEATURES
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-keygen.service
-%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
+%attr(0775,unbound,root) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound-local-root.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
-%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/example.com.conf
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/remote-control.conf
+%verify(not mtime) %config(missingok, noreplace) %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
@@ -404,6 +432,7 @@ popd
 %{_mandir}/man5/*
 %exclude %{_mandir}/man8/unbound-anchor*
 %{_mandir}/man8/*
+%{_datadir}/%{name}/
 
 %if 0%{with_python2}
 %files -n python2-unbound
@@ -439,6 +468,7 @@ popd
 %doc doc/README
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
+%{_sysusersdir}/%{name}.conf
 %{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
 %{_mandir}/man8/unbound-anchor*
@@ -452,7 +482,46 @@ popd
 # just left for backwards compat with user changed unbound.conf files - format is different!
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
+%files dracut
+%{_prefix}/lib/dracut/modules.d/99unbound
+
 %changelog
+* Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-17
+- Add as112 networks config file
+- Resolves: RHEL-78696
+
+* Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-16
+- Add possibility to disable unbound-anchor by file presence
+- Resolves: RHEL-78694
+
+* Sun Feb 09 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-15
+- Add sysusers support needed to propagate user to initramfs
+- Resolves: RHEL-77789
+
+* Sun Feb 09 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-14
+- Change service type to notify
+- Resolves: RHEL-77790
+
+* Wed Feb 05 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-13
+- Add noreplace to root zone config link
+- Resolves: RHEL-77788
+
+* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-12
+- Backport +t flag to forward_add and stub_add control commands
+- Resolves: RHEL-77791
+
+* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-11
+- Enabled libsystemd and change unbound service type to notify-reload
+- Resolves: RHEL-77790
+
+* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-10
+- Add dracut module
+- Resolves: RHEL-77789
+
+* Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-9
+- Move automatic root zone fetching to drop-in
+- Resolves: RHEL-77788
+
 * Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-8
 - Ensure group access correction reaches also updated configs (CVE-2024-1488)