15 changed files with 904 additions and 973 deletions
--- a/SOURCES/module-setup.sh
+++ b/SOURCES/module-setup.sh
@ -0,0 +1,44 @@
 #!/usr/bin/bash
 check() {
    require_binaries unbound unbound-checkconf unbound-control || return 1
    # the module will be only included if explicitly required either
    # by configuration or another module
    return 255
 }
 depends() {
    # because of pid file we need sysusers to create unbound user
    echo systemd systemd-sysusers
    return 0
 }
 install() {
    # We have to make unbound wanted by network-online target to make sure
    # there is a synchronization point when other services are able
    # to make queries
    inst_simple "$moddir"/unbound-initrd.conf /etc/systemd/system/unbound.service.d/unbound-initrd.conf
    # /etc and /var/lib do not have its variables
    inst_multiple -o \
    "$systemdsystemunitdir"/unbound.service \
    /etc/unbound/conf.d/remote-control.conf \
    /etc/unbound/openssl-sha1.conf \
    /usr/share/unbound/fedora-defaults.conf \
    /usr/share/unbound/conf.d/*.conf \
    /etc/unbound/local.d/*.conf \
    /etc/unbound/keys.d/*.key \
    /etc/unbound/unbound.conf \
    /etc/unbound/unbound_control.key \
    /etc/unbound/unbound_control.pem \
    /etc/unbound/unbound_server.key \
    /etc/unbound/unbound_server.pem \
    "$sysusers"/unbound.conf \
    "$tmpfilesdir"/unbound.conf \
    /var/lib/unbound/root.key \
    unbound \
    unbound-checkconf \
    unbound-control
    $SYSTEMCTL -q --root "$initdir" enable unbound.service
 }
--- a/SOURCES/root.key
+++ b/SOURCES/root.key
@ -2,4 +2,5 @@
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
 trusted-keys {
 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
 };
--- a/SOURCES/tmpfiles-unbound.conf
+++ b/SOURCES/tmpfiles-unbound.conf
@ -1 +1 @@
-D /run/unbound 0755 unbound unbound -
+D /run/unbound 0775 unbound root -
--- a/SOURCES/unbound-1.15-source-compat.patch
+++ b/SOURCES/unbound-1.15-source-compat.patch
@ -1,85 +0,0 @@
 From fbde301c2706a5d0c9c3942fe84693f2b7a6b16c Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Sat, 7 May 2022 10:05:33 +0200
 Subject: [PATCH] Use reserved RCODE, fake source version
 Use RCODE value assigned for a private use. Previous value were possible
 returned value.
 Fake source version to be still 1.7.x. Hide real version into micro
 version component and export it also in a proper way with _REAL
 suffixes. Should workaround any source code detection to support correct
 callback format. Fixes compilation error in libreswan.
 Use preprocessed unbound.h to prevent failures
 Swig complains about wrong @ variable formats. Make it use preprocessed
 header instead of a template.
 ---
 libunbound/python/libunbound.i |  4 ++--
 libunbound/unbound.h           | 13 ++++++++++---
 services/mesh.h                |  2 +-
 3 files changed, 13 insertions(+), 6 deletions(-)
 diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
 index c9549bf90..f01e9111e 100644
 --- a/libunbound/python/libunbound.i
 +++ b/libunbound/python/libunbound.i
@@ -53,7 +53,7 @@
    #ifdef HAVE_ARPA_INET_H
    #include <arpa/inet.h>
    #endif
 -   #include "libunbound/unbound.h"
 +   #include "unbound.h"
 %}
 %pythoncode %{
@@ -855,7 +855,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
   //printf("resolve_stop()\n");
 %} 
 -%include "libunbound/unbound.h"
 +%include "unbound.h"
 %inline %{
   //SWIG will see the ub_ctx as a class
 diff --git a/libunbound/unbound.h b/libunbound/unbound.h
 index c822d3f89..82660bd51 100644
 --- a/libunbound/unbound.h
 +++ b/libunbound/unbound.h
@@ -102,9 +102,16 @@ extern "C" {
 #endif
 /** the version of this header file */
 -#define UNBOUND_VERSION_MAJOR @UNBOUND_VERSION_MAJOR@
 -#define UNBOUND_VERSION_MINOR @UNBOUND_VERSION_MINOR@
 -#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MICRO@
 +/* Because of RHEL compat change, callback type remains at
 + * 1.7.3 version. To prevent source-level incompatibility,
 + * fake still old version. Export real version in _REAL
 + * suffix definitions. */
 +#define UNBOUND_VERSION_MAJOR 1
 +#define UNBOUND_VERSION_MINOR 7
 +#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MAJOR@@UNBOUND_VERSION_MINOR@@UNBOUND_VERSION_MICRO@
 +#define UNBOUND_VERSION_MAJOR_REAL @UNBOUND_VERSION_MAJOR@
 +#define UNBOUND_VERSION_MINOR_REAL @UNBOUND_VERSION_MINOR@
 +#define UNBOUND_VERSION_MICRO_REAL @UNBOUND_VERSION_MICRO@
 /**
  * The validation context is created to hold the resolver status,
 diff --git a/services/mesh.h b/services/mesh.h
 index 9c6f958ff..c0cbf355e 100644
 --- a/services/mesh.h
 +++ b/services/mesh.h
@@ -237,7 +237,7 @@ struct mesh_reply {
 /* RHEL 8 compatibility layer.
  * Special rcode to send was_ratelimited to callback without adding
  * extra parameter. It is ORed to the rcode parameter of the callback. */
 -#define LDNS_RCODE_RATELIMITED 0x100
 +#define LDNS_RCODE_RATELIMITED 0xf80
 #define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
 #define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
 -- 
 2.34.1
--- a/SOURCES/unbound-1.15-soversion2-compat.patch
+++ b/SOURCES/unbound-1.15-soversion2-compat.patch
@ -1,471 +0,0 @@
 From 605d66f0b6b8f7c308010f455058299d25c1d2ee Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Fri, 6 May 2022 16:36:39 +0200
 Subject: [PATCH] Rework ABI breaking change to compatible way
 Upstream commit 749d1b9ebc6fcb79824afd0471a1cfc12ca861b1 introduced
 was_ratelimited variable to every async callback. Such change led to ABI
 break and increase of soname of libunbound.
 Use rcode to pass that boolean inside rcode variable. Allows keeping
 original callback prototype, but does not lose data. Extra integer bit
 operations should be very small price. Much better than ABI break.
 Make current version compatible back to .2 version.
 ---
 unbound-1.16.2/configure.ac               |  2 +-
 unbound-1.16.2/daemon/worker.c            |  6 ++--
 unbound-1.16.2/libunbound/libworker.c     | 34 +++++++++++++++--------
 unbound-1.16.2/libunbound/unbound-event.h |  3 +-
 unbound-1.16.2/libunbound/unbound.h       | 13 +++++----
 unbound-1.16.2/libunbound/worker.h        |  6 ++--
 unbound-1.16.2/services/authzone.c        | 11 ++++----
 unbound-1.16.2/services/authzone.h        |  9 ++----
 unbound-1.16.2/services/mesh.c            | 17 ++++++++----
 unbound-1.16.2/services/mesh.h            |  9 +++++-
 unbound-1.16.2/smallapp/worker_cb.c       |  6 ++--
 unbound-1.16.2/validator/autotrust.c      |  2 +-
 unbound-1.16.2/validator/autotrust.h      |  2 +-
 13 files changed, 72 insertions(+), 48 deletions(-)
 diff --git a/unbound-1.16.2/configure.ac b/unbound-1.16.2/configure.ac
 index 224501b..71f066c 100644
 --- a/unbound-1.16.2/configure.ac
 +++ b/unbound-1.16.2/configure.ac
@@ -19,7 +19,7 @@ AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 LIBUNBOUND_CURRENT=9
 LIBUNBOUND_REVISION=18
 -LIBUNBOUND_AGE=1
 +LIBUNBOUND_AGE=7
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
 # 1.0.2 had 0:14:0
 diff --git a/unbound-1.16.2/daemon/worker.c b/unbound-1.16.2/daemon/worker.c
 index 010c4dc..2b87a41 100644
 --- a/unbound-1.16.2/daemon/worker.c
 +++ b/unbound-1.16.2/daemon/worker.c
@@ -2268,21 +2268,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
 void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
 -	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
 +	char* ATTR_UNUSED(why_bogus))
 {
 	log_assert(0);
 }
 void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
 -	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
 +	char* ATTR_UNUSED(why_bogus))
 {
 	log_assert(0);
 }
 void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
 -	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
 +	char* ATTR_UNUSED(why_bogus))
 {
 	log_assert(0);
 }
 diff --git a/unbound-1.16.2/libunbound/libworker.c b/unbound-1.16.2/libunbound/libworker.c
 index 11bf5f9..6895119 100644
 --- a/unbound-1.16.2/libunbound/libworker.c
 +++ b/unbound-1.16.2/libunbound/libworker.c
@@ -549,9 +549,10 @@ libworker_enter_result(struct ub_result* res, sldns_buffer* buf,
 /** fillup fg results */
 static void
 libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf, 
 -	enum sec_status s, char* why_bogus, int was_ratelimited)
 +	enum sec_status s, char* why_bogus)
 {
 -	q->res->was_ratelimited = was_ratelimited;
 +	q->res->was_ratelimited = RCODE_IS_RATELIMITED(rcode);
 +	rcode = RCODE_NOT_RATELIMITED(rcode);
 	if(why_bogus)
 		q->res->why_bogus = strdup(why_bogus);
 	if(rcode != 0) {
@@ -575,13 +576,13 @@ libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf,
 void
 libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
 -	char* why_bogus, int was_ratelimited)
 +	char* why_bogus)
 {
 	struct ctx_query* q = (struct ctx_query*)arg;
 	/* fg query is done; exit comm base */
 	comm_base_exit(q->w->base);
 -	libworker_fillup_fg(q, rcode, buf, s, why_bogus, was_ratelimited);
 +	libworker_fillup_fg(q, rcode, buf, s, why_bogus);
 }
 /** setup qinfo and edns */
@@ -634,7 +635,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
 		NULL, 0, NULL, 0, NULL)) {
 		regional_free_all(w->env->scratch);
 		libworker_fillup_fg(q, LDNS_RCODE_NOERROR, 
 -			w->back->udp_buff, sec_status_insecure, NULL, 0);
 +			w->back->udp_buff, sec_status_insecure, NULL);
 		libworker_delete(w);
 		free(qinfo.qname);
 		return UB_NOERROR;
@@ -643,7 +644,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
 		w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
 		regional_free_all(w->env->scratch);
 		libworker_fillup_fg(q, LDNS_RCODE_NOERROR, 
 -			w->back->udp_buff, sec_status_insecure, NULL, 0);
 +			w->back->udp_buff, sec_status_insecure, NULL);
 		libworker_delete(w);
 		free(qinfo.qname);
 		return UB_NOERROR;
@@ -665,7 +666,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
 void
 libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
 -	enum sec_status s, char* why_bogus, int was_ratelimited)
 +	enum sec_status s, char* why_bogus)
 {
 	struct ctx_query* q = (struct ctx_query*)arg;
 	ub_event_callback_type cb = q->cb_event;
@@ -688,7 +689,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
 		else if(s == sec_status_secure)
 			sec = 2;
 		(*cb)(cb_arg, rcode, (buf?(void*)sldns_buffer_begin(buf):NULL),
 -			(buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus, was_ratelimited);
 +			(buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus);
 	}
 }
@@ -715,7 +716,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
 		regional_free_all(w->env->scratch);
 		free(qinfo.qname);
 		libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
 -			w->back->udp_buff, sec_status_insecure, NULL, 0);
 +			w->back->udp_buff, sec_status_insecure, NULL);
 		return UB_NOERROR;
 	}
 	if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
@@ -723,7 +724,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
 		regional_free_all(w->env->scratch);
 		free(qinfo.qname);
 		libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
 -			w->back->udp_buff, sec_status_insecure, NULL, 0);
 +			w->back->udp_buff, sec_status_insecure, NULL);
 		return UB_NOERROR;
 	}
 	/* process new query */
@@ -788,12 +789,23 @@ add_bg_result(struct libworker* w, struct ctx_query* q, sldns_buffer* pkt,
 	}
 }
 +
 +void
 +libworker_bg_done_cb_compat(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
 +	char* why_bogus)
 +{
 +	rcode = RCODE_NOT_RATELIMITED(rcode);
 +	libworker_bg_done_cb(arg, rcode, buf, s, why_bogus);
 +}
 +
 void
 libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
 -	char* why_bogus, int was_ratelimited)
 +	char* why_bogus)
 {
 +	int was_ratelimited = RCODE_IS_RATELIMITED(rcode);
 	struct ctx_query* q = (struct ctx_query*)arg;
 +	rcode = RCODE_NOT_RATELIMITED(rcode);
 	if(q->cancelled || q->w->back->want_to_quit) {
 		if(q->w->is_bg_thread) {
 			/* delete it now */
 diff --git a/unbound-1.16.2/libunbound/unbound-event.h b/unbound-1.16.2/libunbound/unbound-event.h
 index a5d5c03..70aa4c8 100644
 --- a/unbound-1.16.2/libunbound/unbound-event.h
 +++ b/unbound-1.16.2/libunbound/unbound-event.h
@@ -170,7 +170,8 @@ struct ub_event {
 	struct ub_event_vmt* vmt;
 };
 -typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*, int);
 +/* Uses define LDNS_RCODE_RATELIMITED from services/mesh.h */
 +typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*);
 /**
  * Create a resolving and validation context.
 diff --git a/unbound-1.16.2/libunbound/unbound.h b/unbound-1.16.2/libunbound/unbound.h
 index c779d18..f6d5c7c 100644
 --- a/unbound-1.16.2/libunbound/unbound.h
 +++ b/unbound-1.16.2/libunbound/unbound.h
@@ -203,18 +203,19 @@ struct ub_result {
 	 */
 	char* why_bogus;
 +	/**
 +	 * TTL for the result, in seconds.  If the security is bogus, then
 +	 * you also cannot trust this value.
 +	 */
 +	int ttl;
 +
 	/**
 	 * If the query or one of its subqueries was ratelimited.  Useful if
 	 * ratelimiting is enabled and answer to the client is SERVFAIL as a
 	 * result.
 +	 * RHEL8 Change, moved after ttl.
 	 */
 	int was_ratelimited;
 -
 -	/**
 -	 * TTL for the result, in seconds.  If the security is bogus, then
 -	 * you also cannot trust this value.
 -	 */
 -	int ttl;
 };
 /**
 diff --git a/unbound-1.16.2/libunbound/worker.h b/unbound-1.16.2/libunbound/worker.h
 index 0fa5bfa..8b64b4d 100644
 --- a/unbound-1.16.2/libunbound/worker.h
 +++ b/unbound-1.16.2/libunbound/worker.h
@@ -90,15 +90,15 @@ void libworker_handle_control_cmd(struct tube* tube, uint8_t* msg, size_t len,
 /** mesh callback with fg results */
 void libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, 
 -	enum sec_status s, char* why_bogus, int was_ratelimited);
 +	enum sec_status s, char* why_bogus);
 /** mesh callback with bg results */
 void libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, 
 -	enum sec_status s, char* why_bogus, int was_ratelimited);
 +	enum sec_status s, char* why_bogus);
 /** mesh callback with event results */
 void libworker_event_done_cb(void* arg, int rcode, struct sldns_buffer* buf, 
 -	enum sec_status s, char* why_bogus, int was_ratelimited);
 +	enum sec_status s, char* why_bogus);
 /**
  * Worker signal handler function. User argument is the worker itself.
 diff --git a/unbound-1.16.2/services/authzone.c b/unbound-1.16.2/services/authzone.c
 index b9e0b11..c72949f 100644
 --- a/unbound-1.16.2/services/authzone.c
 +++ b/unbound-1.16.2/services/authzone.c
@@ -5656,8 +5656,7 @@ xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
 /** callback for task_transfer lookup of host name, of A or AAAA */
 void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 -	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
 -	int ATTR_UNUSED(was_ratelimited))
 +	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
 {
 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
 	struct module_env* env;
@@ -5669,6 +5668,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 		return; /* stop on quit */
 	}
 +	rcode = RCODE_NOT_RATELIMITED(rcode);
 	/* process result */
 	if(rcode == LDNS_RCODE_NOERROR) {
 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
@@ -6717,8 +6717,7 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
 /** callback for task_probe lookup of host name, of A or AAAA */
 void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 -	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
 -	int ATTR_UNUSED(was_ratelimited))
 +	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
 {
 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
 	struct module_env* env;
@@ -6730,6 +6729,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 		return; /* stop on quit */
 	}
 +	rcode = RCODE_NOT_RATELIMITED(rcode);
 	/* process result */
 	if(rcode == LDNS_RCODE_NOERROR) {
 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
@@ -8212,7 +8212,7 @@ auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z,
 /** callback for ZONEMD lookup of DNSKEY */
 void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 -	enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
 +	enum sec_status sec, char* why_bogus)
 {
 	struct auth_zone* z = (struct auth_zone*)arg;
 	struct module_env* env;
@@ -8234,6 +8234,7 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 	if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS)
 		typestr = "DS";
 	downprot = env->cfg->harden_algo_downgrade;
 +	rcode = RCODE_NOT_RATELIMITED(rcode);
 	/* process result */
 	if(sec == sec_status_bogus) {
 diff --git a/unbound-1.16.2/services/authzone.h b/unbound-1.16.2/services/authzone.h
 index 07614ed..b339fc1 100644
 --- a/unbound-1.16.2/services/authzone.h
 +++ b/unbound-1.16.2/services/authzone.h
@@ -690,12 +690,10 @@ void auth_xfer_probe_timer_callback(void* arg);
 void auth_xfer_transfer_timer_callback(void* arg);
 /** mesh callback for task_probe on lookup of host names */
 void auth_xfer_probe_lookup_callback(void* arg, int rcode,
 -	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
 -	int was_ratelimited);
 +	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
 /** mesh callback for task_transfer on lookup of host names */
 void auth_xfer_transfer_lookup_callback(void* arg, int rcode,
 -	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
 -	int was_ratelimited);
 +	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
 /*
  * Compares two 32-bit serial numbers as defined in RFC1982.  Returns
@@ -774,8 +772,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
 /** mesh callback for zonemd on lookup of dnskey */
 void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode,
 -	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
 -	int was_ratelimited);
 +	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
 /**
  * Check the ZONEMD records that need online DNSSEC chain lookups,
 diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
 index 30bcf7c..fc3c690 100644
 --- a/unbound-1.16.2/services/mesh.c
 +++ b/unbound-1.16.2/services/mesh.c
@@ -63,6 +63,7 @@
 #include "util/data/dname.h"
 #include "respip/respip.h"
 #include "services/listen_dnsport.h"
 +#include "libunbound/unbound-event.h"
 #ifdef CLIENT_SUBNET
 #include "edns-subnet/subnetmod.h"
@@ -1012,7 +1013,7 @@ mesh_state_cleanup(struct mesh_state* mstate)
 			mstate->cb_list = cb->next;
 			fptr_ok(fptr_whitelist_mesh_cb(cb->cb));
 			(*cb->cb)(cb->cb_arg, LDNS_RCODE_SERVFAIL, NULL,
 -				sec_status_unchecked, NULL, 0);
 +				sec_status_unchecked, NULL);
 			log_assert(mesh->num_reply_addrs > 0);
 			mesh->num_reply_addrs--;
 		}
@@ -1268,8 +1269,9 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 					r->edns.opt_list_inplace_cb_out = NULL;
 		}
 		fptr_ok(fptr_whitelist_mesh_cb(r->cb));
 -		(*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL,
 -			was_ratelimited);
 +		if (was_ratelimited)
 +			rcode |= LDNS_RCODE_RATELIMITED;
 +		(*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL);
 	} else {
 		size_t udp_size = r->edns.udp_size;
 		sldns_buffer_clear(r->buf);
@@ -1287,11 +1289,14 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 		{
 			fptr_ok(fptr_whitelist_mesh_cb(r->cb));
 			(*r->cb)(r->cb_arg, LDNS_RCODE_SERVFAIL, r->buf,
 -				sec_status_unchecked, NULL, 0);
 +				sec_status_unchecked, NULL);
 		} else {
 			fptr_ok(fptr_whitelist_mesh_cb(r->cb));
 -			(*r->cb)(r->cb_arg, LDNS_RCODE_NOERROR, r->buf,
 -				rep->security, reason, was_ratelimited);
 +			rcode = LDNS_RCODE_NOERROR;
 +			if (was_ratelimited)
 +				rcode |= LDNS_RCODE_RATELIMITED;
 +			(*r->cb)(r->cb_arg, rcode, r->buf,
 +				rep->security, reason);
 		}
 	}
 	free(reason);
 diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
 index 3be9b63..5050d6c 100644
 --- a/unbound-1.16.2/services/mesh.h
 +++ b/unbound-1.16.2/services/mesh.h
@@ -234,13 +234,20 @@ struct mesh_reply {
 	struct http2_stream* h2_stream;
 };
 +/* RHEL 8 compatibility layer.
 + * Special rcode to send was_ratelimited to callback without adding
 + * extra parameter. It is ORed to the rcode parameter of the callback. */
 +#define LDNS_RCODE_RATELIMITED 0x100
 +#define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
 +#define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
 +
 /** 
  * Mesh result callback func.
  * called as func(cb_arg, rcode, buffer_with_reply, security, why_bogus,
  *		was_ratelimited);
  */
 typedef void (*mesh_cb_func_type)(void* cb_arg, int rcode, struct sldns_buffer*,
 -	enum sec_status, char* why_bogus, int was_ratelimited);
 +	enum sec_status, char* why_bogus);
 /**
  * Callback to result routine
 diff --git a/unbound-1.16.2/smallapp/worker_cb.c b/unbound-1.16.2/smallapp/worker_cb.c
 index c689817..c7b1653 100644
 --- a/unbound-1.16.2/smallapp/worker_cb.c
 +++ b/unbound-1.16.2/smallapp/worker_cb.c
@@ -159,21 +159,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
 void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
 -	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
 +	char* ATTR_UNUSED(why_bogus))
 {
 	log_assert(0);
 }
 void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
 -	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
 +	char* ATTR_UNUSED(why_bogus))
 {
 	log_assert(0);
 }
 void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
 -	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
 +	char* ATTR_UNUSED(why_bogus))
 {
 	log_assert(0);
 }
 diff --git a/unbound-1.16.2/validator/autotrust.c b/unbound-1.16.2/validator/autotrust.c
 index 3cdf9ce..40b3e35 100644
 --- a/unbound-1.16.2/validator/autotrust.c
 +++ b/unbound-1.16.2/validator/autotrust.c
@@ -2331,7 +2331,7 @@ autr_debug_print(struct val_anchors* anchors)
 void probe_answer_cb(void* arg, int ATTR_UNUSED(rcode), 
 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(sec),
 -	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
 +	char* ATTR_UNUSED(why_bogus))
 {
 	/* retry was set before the query was done,
 	 * re-querytime is set when query succeeded, but that may not
 diff --git a/unbound-1.16.2/validator/autotrust.h b/unbound-1.16.2/validator/autotrust.h
 index 057f2b6..c549798 100644
 --- a/unbound-1.16.2/validator/autotrust.h
 +++ b/unbound-1.16.2/validator/autotrust.h
@@ -206,6 +206,6 @@ void autr_debug_print(struct val_anchors* anchors);
 /** callback for query answer to 5011 probe */
 void probe_answer_cb(void* arg, int rcode, struct sldns_buffer* buf, 
 -	enum sec_status sec, char* errinf, int was_ratelimited);
 +	enum sec_status sec, char* errinf);
 #endif /* VALIDATOR_AUTOTRUST_H */
 -- 
 2.37.1
--- a/SOURCES/unbound-1.16-control-t-flag.patch
+++ b/SOURCES/unbound-1.16-control-t-flag.patch
@ -0,0 +1,129 @@
 commit 6d1e61173bbf44dae458c361be63217f7e9e5599
 Author: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
 Date:   Thu Mar 28 09:58:03 2024 +0100
    - Fix #1034: DoT forward-zone via unbound-control.
 diff --git a/unbound-1.16.2/daemon/remote.c b/unbound-1.16.2/daemon/remote.c
 index 5d79eafd..cbce1198 100644
 --- a/unbound-1.16.2/daemon/remote.c
 +++ b/unbound-1.16.2/daemon/remote.c
@@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
 static int
 parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
 -	int* insecure, int* prime)
 +	int* insecure, int* prime, int* tls)
 {
 	char* zonename;
 	char* rest;
@@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
 				*insecure = 1;
 			else if(*args == 'p' && prime)
 				*prime = 1;
 +			else if(*args == 't' && tls)
 +				*tls = 1;
 			else {
 				(void)ssl_printf(ssl, "error: unknown option %s\n", args);
 				return 0;
@@ -2144,11 +2146,13 @@ static void
 do_forward_add(RES* ssl, struct worker* worker, char* args)
 {
 	struct iter_forwards* fwd = worker->env.fwds;
 -	int insecure = 0;
 +	int insecure = 0, tls = 0;
 	uint8_t* nm = NULL;
 	struct delegpt* dp = NULL;
 -	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
 +	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
 		return;
 +	if(tls)
 +		dp->ssl_upstream = 1;
 	if(insecure && worker->env.anchors) {
 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
 			nm)) {
@@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
 	struct iter_forwards* fwd = worker->env.fwds;
 	int insecure = 0;
 	uint8_t* nm = NULL;
 -	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
 +	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
 		return;
 	if(insecure && worker->env.anchors)
 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
@@ -2189,11 +2193,13 @@ static void
 do_stub_add(RES* ssl, struct worker* worker, char* args)
 {
 	struct iter_forwards* fwd = worker->env.fwds;
 -	int insecure = 0, prime = 0;
 +	int insecure = 0, prime = 0, tls = 0;
 	uint8_t* nm = NULL;
 	struct delegpt* dp = NULL;
 -	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
 +	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
 		return;
 +	if(tls)
 +		dp->ssl_upstream = 1;
 	if(insecure && worker->env.anchors) {
 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
 			nm)) {
@@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
 	struct iter_forwards* fwd = worker->env.fwds;
 	int insecure = 0;
 	uint8_t* nm = NULL;
 -	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
 +	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
 		return;
 	if(insecure && worker->env.anchors)
 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
 diff --git a/unbound-1.16.2/doc/unbound-control.8.in b/unbound-1.16.2/doc/unbound-control.8.in
 index 7823de3a..642b4c94 100644
 --- a/unbound-1.16.2/doc/unbound-control.8.in
 +++ b/unbound-1.16.2/doc/unbound-control.8.in
@@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
 .B insecure_remove \fIzone
 Removes domain\-insecure for the given zone.
 .TP
 -.B forward_add \fR[\fI+i\fR] \fIzone addr ...
 +.B forward_add \fR[\fI+it\fR] \fIzone addr ...
 Add a new forward zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
 a DNSSEC root trust anchor configured for other names).
 The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
 in unbound.conf.
 +The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
 .TP
 .B forward_remove \fR[\fI+i\fR] \fIzone
 Remove a forward zone from running Unbound.  The +i also removes a
 \fIdomain\-insecure\fR for the zone.
 .TP
 -.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
 +.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
 Add a new stub zone to running Unbound.  With +i option also adds a
 \fIdomain\-insecure\fR for the zone.  With +p the stub zone is set to prime,
 without it it is set to notprime.  The addr can be IP4, IP6 or nameserver
 names, like the \fIstub-zone\fR config in unbound.conf.
 +The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
 .TP
 .B stub_remove \fR[\fI+i\fR] \fIzone
 Remove a stub zone from running Unbound.  The +i also removes a
 diff --git a/unbound-1.16.2/smallapp/unbound-control.c b/unbound-1.16.2/smallapp/unbound-control.c
 index c4f73006..57b0787d 100644
 --- a/unbound-1.16.2/smallapp/unbound-control.c
 +++ b/unbound-1.16.2/smallapp/unbound-control.c
@@ -150,12 +150,13 @@ usage(void)
 	printf("  list_local_data		list local-data RRs in use\n");
 	printf("  insecure_add zone 		add domain-insecure zone\n");
 	printf("  insecure_remove zone		remove domain-insecure zone\n");
 -	printf("  forward_add [+i] zone addr..	add forward-zone with servers\n");
 +	printf("  forward_add [+it] zone addr..	add forward-zone with servers\n");
 	printf("  forward_remove [+i] zone	remove forward zone\n");
 -	printf("  stub_add [+ip] zone addr..	add stub-zone with servers\n");
 +	printf("  stub_add [+ipt] zone addr..	add stub-zone with servers\n");
 	printf("  stub_remove [+i] zone		remove stub zone\n");
 	printf("		+i		also do dnssec insecure point\n");
 	printf("		+p		set stub to use priming\n");
 +	printf("		+t		set to use tls upstream\n");
 	printf("  forward [off | addr ...]	without arg show forward setup\n");
 	printf("				or off to turn off root forwarding\n");
 	printf("				or give list of ip addresses\n");
--- a/SOURCES/unbound-1.21-CVE-2024-8508.patch
+++ b/SOURCES/unbound-1.21-CVE-2024-8508.patch
@ -1,249 +0,0 @@
 From 34de24d58bb5aa6fe3551512fc17cac08f65d93e Mon Sep 17 00:00:00 2001
 From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
 Date: Thu, 3 Oct 2024 14:46:57 +0200
 Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
 denial of service.
 ---
 unbound-1.16.2/util/data/msgencode.c | 77 +++++++++++++++++-----------
 1 file changed, 46 insertions(+), 31 deletions(-)
 diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
 index fe21cfb..f9e95e6 100644
 --- a/unbound-1.16.2/util/data/msgencode.c
 +++ b/unbound-1.16.2/util/data/msgencode.c
@@ -62,6 +62,10 @@
 #define RETVAL_TRUNC	-4
 /** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
 #define RETVAL_OK	0
 +/** Max compressions we are willing to perform; more than that will result
 + *  in semi-compressed messages, or truncated even on TCP for huge messages, to
 + *  avoid locking the CPU for long */
 +#define MAX_COMPRESSION_PER_MESSAGE 120
 /**
  * Data structure to help domain name compression in outgoing messages.
@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
 /** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
 static int
 -compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
 -	struct regional* region, struct compress_tree_node** tree, 
 -	size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
 +compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 +	struct regional* region, struct compress_tree_node** tree,
 +	size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
 +	size_t* compress_count)
 {
 	struct compress_tree_node* p;
 	struct compress_tree_node** insertpt = NULL;
 	if(!*owner_ptr) {
 		/* compress first time dname */
 -		if((p = compress_tree_lookup(tree, key->rk.dname, 
 +		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +			(p = compress_tree_lookup(tree, key->rk.dname,
 			owner_labs, &insertpt))) {
 			if(p->labs == owner_labs) 
 				/* avoid ptr chains, since some software is
@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			if(!write_compressed_dname(pkt, key->rk.dname, 
 				owner_labs, p))
 				return RETVAL_TRUNC;
 +			(*compress_count)++;
 			/* check if typeclass+4 ttl + rdatalen is available */
 			if(sldns_buffer_remaining(pkt) < 4+4+2)
 				return RETVAL_TRUNC;
@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			if(owner_pos <= PTR_MAX_OFFSET)
 				*owner_ptr = htons(PTR_CREATE(owner_pos));
 		}
 -		if(!compress_tree_store(key->rk.dname, owner_labs, 
 +		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +			!compress_tree_store(key->rk.dname, owner_labs,
 			owner_pos, region, p, insertpt))
 			return RETVAL_OUTMEM;
 	} else {
@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 /** compress any domain name to the packet, return RETVAL_* */
 static int
 -compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, 
 -	struct regional* region, struct compress_tree_node** tree)
 +compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
 +	struct regional* region, struct compress_tree_node** tree,
 +	size_t* compress_count)
 {
 	struct compress_tree_node* p;
 	struct compress_tree_node** insertpt = NULL;
 	size_t pos = sldns_buffer_position(pkt);
 -	if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
 +	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +		(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
 		if(!write_compressed_dname(pkt, dname, labs, p))
 			return RETVAL_TRUNC;
 +		(*compress_count)++;
 	} else {
 		if(!dname_buffer_write(pkt, dname))
 			return RETVAL_TRUNC;
 	}
 -	if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
 +	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
 +		!compress_tree_store(dname, labs, pos, region, p, insertpt))
 		return RETVAL_OUTMEM;
 	return RETVAL_OK;
 }
@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
 /** compress domain names in rdata, return RETVAL_* */
 static int
 -compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen, 
 -	struct regional* region, struct compress_tree_node** tree, 
 -	const sldns_rr_descriptor* desc)
 +compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
 +	struct regional* region, struct compress_tree_node** tree,
 +	const sldns_rr_descriptor* desc, size_t* compress_count)
 {
 	int labs, r, rdf = 0;
 	size_t dname_len, len, pos = sldns_buffer_position(pkt);
@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
 		switch(desc->_wireformat[rdf]) {
 		case LDNS_RDF_TYPE_DNAME:
 			labs = dname_count_size_labels(rdata, &dname_len);
 -			if((r=compress_any_dname(rdata, pkt, labs, region, 
 -				tree)) != RETVAL_OK)
 +			if((r=compress_any_dname(rdata, pkt, labs, region,
 +				tree, compress_count)) != RETVAL_OK)
 				return r;
 			rdata += dname_len;
 			todolen -= dname_len;
@@ -449,7 +461,8 @@ static int
 packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
 	uint16_t* num_rrs, time_t timenow, struct regional* region,
 	int do_data, int do_sig, struct compress_tree_node** tree,
 -	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
 +	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
 +	size_t* compress_count)
 {
 	size_t i, j, owner_pos;
 	int r, owner_labs;
@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 		for(i=0; i<data->count; i++) {
 			/* rrset roundrobin */
 			j = (i + rr_offset) % data->count;
 -			if((r=compress_owner(key, pkt, region, tree, 
 -				owner_pos, &owner_ptr, owner_labs))
 -				!= RETVAL_OK)
 +			if((r=compress_owner(key, pkt, region, tree,
 +				owner_pos, &owner_ptr, owner_labs,
 +				compress_count)) != RETVAL_OK)
 				return r;
 			sldns_buffer_write(pkt, &key->rk.type, 2);
 			sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 			else	sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
 			if(c) {
 				if((r=compress_rdata(pkt, data->rr_data[j],
 -					data->rr_len[j], region, tree, c))
 -					!= RETVAL_OK)
 +					data->rr_len[j], region, tree, c,
 +					compress_count)) != RETVAL_OK)
 					return r;
 			} else {
 				if(sldns_buffer_remaining(pkt) < data->rr_len[j])
@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
 					return RETVAL_TRUNC;
 				sldns_buffer_write(pkt, &owner_ptr, 2);
 			} else {
 -				if((r=compress_any_dname(key->rk.dname, 
 -					pkt, owner_labs, region, tree))
 -					!= RETVAL_OK)
 +				if((r=compress_any_dname(key->rk.dname,
 +					pkt, owner_labs, region, tree,
 +					compress_count)) != RETVAL_OK)
 					return r;
 				if(sldns_buffer_remaining(pkt) < 
 					4+4+data->rr_len[i])
@@ -544,7 +557,8 @@ static int
 insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 	sldns_buffer* pkt, size_t rrsets_before, time_t timenow, 
 	struct regional* region, struct compress_tree_node** tree,
 -	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
 +	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
 +	size_t* compress_count)
 {
 	int r;
 	size_t i, setstart;
@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 			setstart = sldns_buffer_position(pkt);
 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
 				pkt, num_rrs, timenow, region, 1, 1, tree,
 -				s, qtype, dnssec, rr_offset))
 +				s, qtype, dnssec, rr_offset, compress_count))
 				!= RETVAL_OK) {
 				/* Bad, but if due to size must set TC bit */
 				/* trim off the rrset neatly. */
@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 			setstart = sldns_buffer_position(pkt);
 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
 				pkt, num_rrs, timenow, region, 1, 0, tree,
 -				s, qtype, dnssec, rr_offset))
 +				s, qtype, dnssec, rr_offset, compress_count))
 				!= RETVAL_OK) {
 				sldns_buffer_set_position(pkt, setstart);
 				return r;
@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 			setstart = sldns_buffer_position(pkt);
 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
 				pkt, num_rrs, timenow, region, 0, 1, tree,
 -				s, qtype, dnssec, rr_offset))
 +				s, qtype, dnssec, rr_offset, compress_count))
 				!= RETVAL_OK) {
 				sldns_buffer_set_position(pkt, setstart);
 				return r;
@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 	struct compress_tree_node* tree = 0;
 	int r;
 	size_t rr_offset;
 +	size_t compress_count=0;
 	sldns_buffer_clear(buffer);
 	if(udpsize < sldns_buffer_limit(buffer))
@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 		arep.rrsets = &qinfo->local_alias->rrset;
 		if((r=insert_section(&arep, 1, &ancount, buffer, 0,
 			timezero, region, &tree, LDNS_SECTION_ANSWER,
 -			qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
 +			qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 			if(r == RETVAL_TRUNC) {
 				/* create truncated message */
 				sldns_buffer_write_u16_at(buffer, 6, ancount);
@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 	/* insert answer section */
 	if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
 		0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
 -		dnssec, rr_offset)) != RETVAL_OK) {
 +		dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 		if(r == RETVAL_TRUNC) {
 			/* create truncated message */
 			sldns_buffer_write_u16_at(buffer, 6, ancount);
@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 		if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
 			rep->an_numrrsets, timenow, region, &tree,
 			LDNS_SECTION_AUTHORITY, qinfo->qtype,
 -			dnssec, rr_offset)) != RETVAL_OK) {
 +			dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 			if(r == RETVAL_TRUNC) {
 				/* create truncated message */
 				sldns_buffer_write_u16_at(buffer, 8, nscount);
@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 			if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
 				rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
 				&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
 -				dnssec, rr_offset)) != RETVAL_OK) {
 +				dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
 				if(r == RETVAL_TRUNC) {
 					/* no need to set TC bit, this is the additional */
 					sldns_buffer_write_u16_at(buffer, 10, arcount);
 -- 
 2.47.0
--- a/SOURCES/unbound-as112-networks.conf
+++ b/SOURCES/unbound-as112-networks.conf
@ -0,0 +1,118 @@
 # Allow forwarding of private ranges, which are marked forwardable by IANA
 # https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
 # https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
 # https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
 # RFC 6303: Locally Served DNS Zones (https://www.rfc-editor.org/rfc/rfc6303.html)
 #
 # Using this configuration file will simplify forwarding to potentially private ranges.
 # Enables forwarding of networks marked as forwardable at IANA special registry.
 # This is useful when upstream forwarder may be still inside private network. That is the case
 # when unbound works as a localhost DNS cache, not network wide resolver.
 server:
 	# RFC 8375: Special-Use Domain 'home.arpa.'
 	local-zone: "home.arpa." nodefault
 	# RFC 1918: Address Allocation for Private Internets
 	local-zone: "10.in-addr.arpa." nodefault
 	local-zone: "16.172.in-addr.arpa." nodefault
 	local-zone: "17.172.in-addr.arpa." nodefault
 	local-zone: "18.172.in-addr.arpa." nodefault
 	local-zone: "19.172.in-addr.arpa." nodefault
 	local-zone: "20.172.in-addr.arpa." nodefault
 	local-zone: "21.172.in-addr.arpa." nodefault
 	local-zone: "22.172.in-addr.arpa." nodefault
 	local-zone: "23.172.in-addr.arpa." nodefault
 	local-zone: "24.172.in-addr.arpa." nodefault
 	local-zone: "25.172.in-addr.arpa." nodefault
 	local-zone: "26.172.in-addr.arpa." nodefault
 	local-zone: "27.172.in-addr.arpa." nodefault
 	local-zone: "28.172.in-addr.arpa." nodefault
 	local-zone: "29.172.in-addr.arpa." nodefault
 	local-zone: "30.172.in-addr.arpa." nodefault
 	local-zone: "31.172.in-addr.arpa." nodefault
 	local-zone: "168.192.in-addr.arpa." nodefault
 	# RFC 6598: IANA-Reserved IPv4 Prefix for Shared Address Space
 	local-zone: "64.100.in-addr.arpa." nodefault
 	local-zone: "65.100.in-addr.arpa." nodefault
 	local-zone: "66.100.in-addr.arpa." nodefault
 	local-zone: "67.100.in-addr.arpa." nodefault
 	local-zone: "68.100.in-addr.arpa." nodefault
 	local-zone: "69.100.in-addr.arpa." nodefault
 	local-zone: "70.100.in-addr.arpa." nodefault
 	local-zone: "71.100.in-addr.arpa." nodefault
 	local-zone: "72.100.in-addr.arpa." nodefault
 	local-zone: "73.100.in-addr.arpa." nodefault
 	local-zone: "74.100.in-addr.arpa." nodefault
 	local-zone: "75.100.in-addr.arpa." nodefault
 	local-zone: "76.100.in-addr.arpa." nodefault
 	local-zone: "77.100.in-addr.arpa." nodefault
 	local-zone: "78.100.in-addr.arpa." nodefault
 	local-zone: "79.100.in-addr.arpa." nodefault
 	local-zone: "80.100.in-addr.arpa." nodefault
 	local-zone: "81.100.in-addr.arpa." nodefault
 	local-zone: "82.100.in-addr.arpa." nodefault
 	local-zone: "83.100.in-addr.arpa." nodefault
 	local-zone: "84.100.in-addr.arpa." nodefault
 	local-zone: "85.100.in-addr.arpa." nodefault
 	local-zone: "86.100.in-addr.arpa." nodefault
 	local-zone: "87.100.in-addr.arpa." nodefault
 	local-zone: "88.100.in-addr.arpa." nodefault
 	local-zone: "89.100.in-addr.arpa." nodefault
 	local-zone: "90.100.in-addr.arpa." nodefault
 	local-zone: "91.100.in-addr.arpa." nodefault
 	local-zone: "92.100.in-addr.arpa." nodefault
 	local-zone: "93.100.in-addr.arpa." nodefault
 	local-zone: "94.100.in-addr.arpa." nodefault
 	local-zone: "95.100.in-addr.arpa." nodefault
 	local-zone: "96.100.in-addr.arpa." nodefault
 	local-zone: "97.100.in-addr.arpa." nodefault
 	local-zone: "98.100.in-addr.arpa." nodefault
 	local-zone: "99.100.in-addr.arpa." nodefault
 	local-zone: "100.100.in-addr.arpa." nodefault
 	local-zone: "101.100.in-addr.arpa." nodefault
 	local-zone: "102.100.in-addr.arpa." nodefault
 	local-zone: "103.100.in-addr.arpa." nodefault
 	local-zone: "104.100.in-addr.arpa." nodefault
 	local-zone: "105.100.in-addr.arpa." nodefault
 	local-zone: "106.100.in-addr.arpa." nodefault
 	local-zone: "107.100.in-addr.arpa." nodefault
 	local-zone: "108.100.in-addr.arpa." nodefault
 	local-zone: "109.100.in-addr.arpa." nodefault
 	local-zone: "110.100.in-addr.arpa." nodefault
 	local-zone: "111.100.in-addr.arpa." nodefault
 	local-zone: "112.100.in-addr.arpa." nodefault
 	local-zone: "113.100.in-addr.arpa." nodefault
 	local-zone: "114.100.in-addr.arpa." nodefault
 	local-zone: "115.100.in-addr.arpa." nodefault
 	local-zone: "116.100.in-addr.arpa." nodefault
 	local-zone: "117.100.in-addr.arpa." nodefault
 	local-zone: "118.100.in-addr.arpa." nodefault
 	local-zone: "119.100.in-addr.arpa." nodefault
 	local-zone: "120.100.in-addr.arpa." nodefault
 	local-zone: "121.100.in-addr.arpa." nodefault
 	local-zone: "122.100.in-addr.arpa." nodefault
 	local-zone: "123.100.in-addr.arpa." nodefault
 	local-zone: "124.100.in-addr.arpa." nodefault
 	local-zone: "125.100.in-addr.arpa." nodefault
 	local-zone: "126.100.in-addr.arpa." nodefault
 	local-zone: "127.100.in-addr.arpa." nodefault
 	# RFC 4193: Unique Local IPv6 Unicast Addresses
 	local-zone: "d.f.ip6.arpa." nodefault
 	# RFC 2606: Reserved Top Level DNS Names
 	local-zone:      "test." nodefault
 	domain-insecure: "test"
 	domain-insecure: "example"
 	# RFC 6762: Multicast DNS, Appendix G
 	domain-insecure: "local"
 	domain-insecure: "intranet"
 	domain-insecure: "private"
 	domain-insecure: "corp"
 	domain-insecure: "home"
 	domain-insecure: "lan"
 	# draft-davies-internal-tld
 	domain-insecure: "internal"
--- a/SOURCES/unbound-initrd.conf
+++ b/SOURCES/unbound-initrd.conf
@ -0,0 +1,5 @@
 [Unit]
 Before=network-online.target
 [Install]
 WantedBy=network-online.target
--- a/SOURCES/unbound-local-root.conf
+++ b/SOURCES/unbound-local-root.conf
@ -0,0 +1,30 @@
 # Authority zones
 # The data for these zones is kept locally, from a file or downloaded.
 # The data can be served to downstream clients, or used instead of the
 # upstream (which saves a lookup to the upstream).
 #
 # Download local root copy and answer TLD queries from it. Because
 # auth-zone has higher precedence, defined forward-zones to internal
 # only TLD will not work. Use stub-zone or disable this zone.
 # Good for a network-wide resolvers, worse for a localhost caching forwarder.
 auth-zone:
 	name: "."
 	primary: 170.247.170.2        # b.root-servers.net
 	primary: 192.33.4.12          # c.root-servers.net
 	primary: 199.7.91.13          # d.root-servers.net
 	primary: 192.5.5.241          # f.root-servers.net
 	primary: 192.112.36.4         # g.root-servers.net
 	primary: 193.0.14.129         # k.root-servers.net
 	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
 	primary: 192.0.32.132         # xfr.lax.dns.icann.org
 	primary: 2801:1b8:10::b       # b.root-servers.net
 	primary: 2001:500:2::c        # c.root-servers.net
 	primary: 2001:500:2d::d       # d.root-servers.net
 	primary: 2001:500:2f::f       # f.root-servers.net
 	primary: 2001:500:12::d0d     # g.root-servers.net
 	primary: 2001:7fd::1          # k.root-servers.net
 	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
 	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
 	fallback-enabled: yes
 	for-downstream: no
 	for-upstream: yes
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@ -1071,27 +1071,27 @@ include: /etc/unbound/conf.d/*.conf
 # download it), master: fetches with AXFR and IXFR, or url to zonefile.
 # With allow-notify: you can give additional (apart from masters) sources of
 # notifies.
-auth-zone:
+#auth-zone:
-	name: "."
+#	name: "."
-	primary: 199.9.14.201         # b.root-servers.net
+#	primary: 199.9.14.201         # b.root-servers.net
-	primary: 192.33.4.12          # c.root-servers.net
+#	primary: 192.33.4.12          # c.root-servers.net
-	primary: 199.7.91.13          # d.root-servers.net
+#	primary: 199.7.91.13          # d.root-servers.net
-	primary: 192.5.5.241          # f.root-servers.net
+#	primary: 192.5.5.241          # f.root-servers.net
-	primary: 192.112.36.4         # g.root-servers.net
+#	primary: 192.112.36.4         # g.root-servers.net
-	primary: 193.0.14.129         # k.root-servers.net
+#	primary: 193.0.14.129         # k.root-servers.net
-	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+#	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
-	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+#	primary: 192.0.32.132         # xfr.lax.dns.icann.org
-	primary: 2001:500:200::b      # b.root-servers.net
+#	primary: 2001:500:200::b      # b.root-servers.net
-	primary: 2001:500:2::c        # c.root-servers.net
+#	primary: 2001:500:2::c        # c.root-servers.net
-	primary: 2001:500:2d::d       # d.root-servers.net
+#	primary: 2001:500:2d::d       # d.root-servers.net
-	primary: 2001:500:2f::f       # f.root-servers.net
+#	primary: 2001:500:2f::f       # f.root-servers.net
-	primary: 2001:500:12::d0d     # g.root-servers.net
+#	primary: 2001:500:12::d0d     # g.root-servers.net
-	primary: 2001:7fd::1          # k.root-servers.net
+#	primary: 2001:7fd::1          # k.root-servers.net
-	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+#	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
-	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+#	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
-	fallback-enabled: yes
+#	fallback-enabled: yes
-	for-downstream: no
+#	for-downstream: no
-	for-upstream: yes
+#	for-upstream: yes
 # auth-zone:
 #	name: "example.org"
--- a/SOURCES/unbound.service
+++ b/SOURCES/unbound.service
@ -8,10 +8,10 @@ Before=nss-lookup.target
 Wants=nss-lookup.target
 [Service]
-Type=simple
+Type=notify
 EnvironmentFile=-/etc/sysconfig/unbound
 ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ] && [ ! -f /run/unbound/anchor-disable ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi'
 ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
 ExecReload=/usr/sbin/unbound-control reload
--- a/SOURCES/unbound.sysusers
+++ b/SOURCES/unbound.sysusers
@ -0,0 +1 @@
 u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin
--- a/SOURCES/wouter.nlnetlabs.nl.key
+++ b/SOURCES/wouter.nlnetlabs.nl.key
@ -0,0 +1,212 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" >
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <title>Public Key Server -- Get "0x9f6f1c2d7e045f8d "</title>
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <style type="text/css">
 /*<![CDATA[*/
 .uid { color: green; text-decoration: underline; }
 .warn { color: red; font-weight: bold; }
 /*]]>*/
 </style></head><body><h1>Public Key Server -- Get "0x9f6f1c2d7e045f8d "</h1>
 <pre>
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: SKS 1.1.6
 Comment: Hostname: sks.pod02.fleetstreetops.com
 mQINBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xESH45ncnI
 SUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs61pTcPU2PnH7Rsr2q
 p6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0xTQh95M8o6AFo6UKWApBpgsvE
 Zr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8
 AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyEqn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub
 4Awsby3DH5YpPhi4N2vj2pAXVpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjD
 ilNDBiKiDdgtrLYGx+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T
 8E2NQqmFWjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
 /DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hedhvb6mAkv
 SFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQABtCdXLkMuQS4gV2lq
 bmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD6IRgQQEQIABgUCThRSKQAKCRD5yv3rOc/E
 3iiwAJ0SIjqFSwBm7sEZf2nn4JhkWKoG0gCfTD0g9RhtJFZa+0rdtMGUpYtDA1aIRgQQEQIA
 BgUCT/FYZQAKCRDidkIqx06dxeI6AJ9JZvcA78yRPDAMS+TklrNhFbEixgCgwiltuquOD4Qw
 vTS+NZr1ECUit8+IRgQTEQIABgUCTa///wAKCRCQMuo3A6Gk+Ot2AKCi4IvI/AT2kSzy0pWH
 Zfrpl93zlACZAaBqkUKcA1jxk8HtqDYtuCRhSfiIRgQTEQIABgUCTb7dfwAKCRCL5TxDRLCU
 K/4yAJ9Zgx/YRiu/X+KLDTQoYXTxNNbCHACfcBLrfl5uABiyOzBC+/R5rXnoRaqIRgQTEQIA
 BgUCV+zVuQAKCRAjc9NHiaFq+OY4AKC6GV6dlBdvo4bEaJpWPHh9WShqIwCgjJi+haVoUR52
 ovPF0zsXx6/um+GITAQTEQIADAUCTbAJsgWDCWX06gAKCRC039xrdgkihyx4AJ9iuMMszOpC
 jRYkVjTgmDyVmAA5uACg7qmMbKb03FbTFdd5VG5/6RTiPtSJARwEEAECAAYFAlTvL9UACgkQ
 lumWUDlMmaxLZgf/WeQK3FqemgsgcNCfkPuE9XpSdyJhQ+n1Yb6tAK4osry7H3lFBQIKTpmX
 SxauZDazYt6G4BYWsA0ARBwZVOaEaIbFRHFWs3/SLynNf9ZGBw8FumIMlEw3+tUdZck6u7pU
 q1OFeL1HWRLEC/njyLe7zAFHHWwMUIL9ZAZGiknADbqiiyF/JTcv4cpfNhdRAFzRriUJ2zYf
 0r6vKnf8pjc9QfDricAq/WzfANycfaSqx5GEBokxZY3lq/oLe4dGpZmrGecvBMtmTRHAG0Ln
 sNwXVujej3sU0vfhkZ1A0lnKoZCOTwGTPkL3dkOwbUdoYiYakTjM8NKav/TxNDxdaG/QbYkB
 HAQQAQgABgUCVnyBkgAKCRAIbcKm1AudBFrsB/9oKXW7oiQ7eJJ036fsfM5UODQGoXc1XO0R
 TEV/8pBRSDhqOVwRUsPqgtU6p2UWJbwxgB7MmPt3Z4cXs+ff1jkTzn/iefMyB7W6NogotrTt
 Nlj8x30Y9dVJB4KSHnQW2Gsf/OmZM9cDBAuyK3j3yLWkn65FRKVoH/4sYil1Tm/ogEC8vdvX
 RpwsCaZG8HOLDphjjU0JErE1jWk2L+P0TeGCmbrsfhORxTaCROjvcJ0fQsdX7kcA262iRrU0
 xDlBBYZA9wyGfd4wf+zIt7LcVBjNNvIUdUC3Uf0prYJawaG2/YV6R7eY4ooJxTutadugLmZp
 fBRiITflLZssO3YAW9RxiQEcBBMBCgAGBQJU7y/ZAAoJEMFDUWYtzEe6MyQIALSGlZ4X0LJw
 6zNoHGVxC0P911NBtDRO2/Hfg38UMT8KjQ1jOynm1KZm67viNOVGRGWar23PNppofpViZSlQ
 xUXUyLXVajcV9klg7RV7GC/3P2dvrCjELHXJ6w8qrcUKDighjbdctHXiQ9W5nU1IWPTLdg+z
 cvTbSVybvLwcbu5kzUzlYvesetJjSWnU9PXswed2cN9sqN3ikrWlYv4qHp6RwrLBN/VjZQov
 AxXN68PHxLz8GNxZTO9Aa4j4CheejXPVHDhqqw/K0XI86hnvZX7kwy4KBq/o4Kl+fstaOM6T
 571D2fljTVztmsKZBhiuKm1t8/Ltoifch+bpFx5AZkaJAhwEEAECAAYFAk2+3aIACgkQi0GC
 sRlrLScyHw//accdcVbHGYLwS0imk5SMEJX2bdu87uXqseeMU5OhnYip4ySQ727VihGYkhmL
 c/o1dIEznvFudWc/fMEi0x3R5J53Qbt3XQEUjOgZUoeomQJCItoJsDRoItvgdUvj3o6hVWhu
 +8PL6oC2J/JAHvfsMKiaTBHrUcNdgovLPGo5bcZCJwOxqPLYPLW2fCkanY9EhbyVAsFIiuH4
 +8tSDnqrgZFATyDqhqAYP96CanJrSalB6l/2r10q3V/OxcyCwys5w54FExhQAhpwThpbpFcK
 kBrM647ak7x8dZha4C/RltwkFn6jFp2sNUSEa0USTOTyDw7WkqgZZOWvauQ+fKgSOJwWU+MR
 cs11bNEGtwBu+wPheeyAlITu7A9PIrMZTmmJKy124I7ZvfXF3NZrHVm2KanLaWqHrso8tYg4
 9C7ptSCEZlgLHaeOl1wOOLbH6OneB3mQqf2u0elWYv64sbEqmFwd0C4rFeT7VSFSDLc1AsZB
 zc4WveDPnjzMXE2KLIwP+/x+betpntuYKYzYov0fryS79fjwu5JGh0gfEDITSta+tPRAYqKf
 mCt/jpeZxUQBfI6SW6LyP2Go8uYlbplV5IJuZ04c2Pr/9G/e3vh4O/kJmDZo4EX9op9TKJpg
 w/shReVuUAP9E24rD0oEyiWnHu/ZsgMtaVKQc2SsIghSG8eJAhwEEAEKAAYFAlTvL+sACgkQ
 V0EnLQMH4n8IuA//cZqhGvBiSNpRkSjjZWu5BY7fhMOdshiVPkEZmILRytnXnxVcu+PuuIk0
 kXfgt/jcS762dBZK3UOVAAsGsLfkisLN18UGWKhokNUWybSmdmhTb6Ns5tJbZfnFTaSjA3Gk
 Z+R/U8O1tNHTmqBfYHTSq8utpIi1JEJRf5itUYytP75nt0rnjpYTFEbvKgukgZldLDk581Zc
 x4Y6pj1ILrxtqF369yBtYIEkHFcYDuXsApTIXY1G4V5mq4t9QCk07E2ZKZ2aJjaCA7VeD+vR
 8Z50oyu4kuc1RdFnP8TfQUAr/tYIFinuzKSqELu9b+JSPO3qawXaq9Y+X42XWkeQSeu7SNl2
 xqe1uVhHd8qduf8U438fUOBeY+gpae9e2IPbErU+itmd+m+WlHp8FUH2pS6VlXXhBrBPEZ3+
 8ph9wUtSAenFVyT1leu21pMuP2nNpD2nTsNlYcX9gA/vkA7bQyOtaEOC+8zNHtZYhx4u/nmI
 +yZ4Cc95CmfwTE0/fRX+T+jK2x5ZGRZMudygnKRbnod+OgnNVBWIykGSzULKgLY9i5PlxCA2
 a7FUoLpIOW4OJSgo6WNsBc3j48RjqNm3cUcLco1kDcoGaQ43dGyLVGMlB332u6m2W+g+AwGm
 vhJQh3yy5XYvRXRzfiHvWUok8ess1/0qSRua22JY14KBxJF80EeJAhwEEwECAAYFAk2wI04A
 CgkQ5fj4IS93pJjaOw/8DG4fn6z4LYmY3MsLNu2Efg9YflaWPkD+z0iLPGUHhrzObIIMfGL0
 kpqYJSbvYqYUSIR8AjQGwRrJVidBqOX9bK7ZVPPvsX61hjt6e0T0O2Q6JuDMCfseiseLBo/a
 6DJu2P7LfDNGaath0WMonOxnqs+kRG8SVyTqmbnyC0AwthgYB57CIyNuz3MPkQr7pJNmyWFv
 kUYs7Z2Awq0hyD9M1KAV8igqFGYjrZAJoSv1nX6OzGRCSFmxqKwmCd7OtHLpqdNHos5CLhrj
 ouLJwiNt8gv7w06owYFxEsctAGqjVjvvtD0L19Skp3jgLAro6x53UFUtxm+Z/8YLLh+lNHJx
 JMDQu5CpSn3zLwRkF/cYgINOa1CS1yceynlbRGxrIb2vSfmnZeNZ2cTwedM/+9C044DfIB1y
 9FmmZBaXOaA4ITjvcEf2FpFn9MdF+zN8N8AN5m1y/qftFqgG0P40AQ0hQAhk+F8JxD7wVh65
 jcj62f287L1h8EDo/NE1JH8dAb9dUlJQeohAkiIMurDYLYRop9u+ogtUtRpMKXTwgNUanIq7
 oTYpNunbI1NUXc9Fdi9Z8OYZagHlo4v6T3fqvaRbGElncoF6faz7les2zh2S8etACX7mNsxV
 c6kXIpdHqoHKGShdxtb+PhRirbIxdCzlFstk5c9zpsCJCr/yu+pCL6KJAiIEEAECAAwFAk2w
 CcoFgwll9NIACgkQVGoRHjtqqmQGaRAAuHuKIupTerS7qrEIkyOvECN06fg+U/caYv3Qpue0
 4ZC2aIk4oK/7wsuhEsMLCL3J1JFYCCmbc0QfYBtzIM5lu9SX7/1R8/+VnCvYvME8tKdMdQAM
 BWq4ZG5Bi9rH8j+450mjgmPRC0s8tmmfp62gB9zBAd/poVZQOVSUV43HE3n6Vkxj0ediGEmw
 GakB2pPtAY7HAaLxRdXidwjNTzpAz7JPinoZgpz/MYseuxSSyhIqqREYn/ynX1+YQhu1l4X6
 rpIsVWawMv93PhO42Y3Ny6SvC/hnZ1J+Y359quClHTQ/ogrbZrbhlKtpJNeNOCBKUzgIuT3/
 PSy1XheYQR2m8SbOmOMpgInr16i3ijsYBKI6qdoxB//YCkFCJmxfCUqRGPe6sAW2n9ow4VmE
 rAUDEqYTPDzkRA5zBY6C6cMugoClY8LidDwKHGXjbPMLz+CnWIVsC8BedjQcfPkuQs/P4QtQ
 +UYwt6UiFywYe4Na9JfJsYDwkUaKgZadva/JFxGkm7ApMpeMBuZUDIl9qptKipdmRrMnBx9l
 fvBqrrXYKPEzVMW0FpX9D5F1L4k5u3x4B0VDZ9WPJgkSKFQIMatDxFsyJNWZmh/0dODC/LKF
 mZZCk3B34rr91He99MzKNrrq3vZSlbMKoCQYjDGQDWVXCplwjq1zCt/JSZUJYVhwbcyJAiIE
 EQECAAwFAlRgbtMFgwK1j8kACgkQBhyEc3tNEByR3A/+MKwW1tgIspbnE8WEGjdNJtXUHQUv
 UJHFTuoBNKZA/uAYxe7FLoSKQI8lH5PgJrLnu8lq0Z7h4BObnx7F4NrB1ixTtMGgRXD1amVY
 Gw6STlXH6Fhr/0RvBTg/wbdm/nFFdaEEhclMNHY/mW69bcqGjHjcnk6nOmlVrYegWRGjGgTI
 JBqHUhoX2+VixkMrBDSESBpHHQHlwsOlT9T0v3pCVHQz9I/WygQpn0bjgWEISyZkWbLcmJVZ
 yYYmWU9WWw8n16qFChdO6BTEjChuzVupLS5LoBgxCJkh9gl4F6VGRg2kVvsQoxE0CKbM+4qy
 qAAK2jrgQZRg4ihC2WmOpr9X0mrjO38Bz/tmZL389ZBzj9S3VO8otgBRgDbJvNHm8EjWdQHj
 SOE2x5/F2T69g8IK3S/vkkKrySsjSlD/NJpWwldkUh1RtO7wFO2Zk+2+vr55joOjKApXKQgO
 7PKw2awkL91UWWHAvJ3tTq/16FUypnY9RHM9rHtU8XDLCp4iEzE7rzIywEwX4fUAut4CRf8m
 u3czrhdPh+oQyOyQHZJMdX0mCKZREPgKo2ca5iAFtzOzrgD5OTCD/Pz4+99+gLEMOML1bWQ4
 R43L4YyrB1UIQUAvVmLDhn19bUcIS+wZ3kKI0et24wqjkaIsLSSounGBPxB4jOLhG0BBojzV
 dvqUElOJAiIEEwECAAwFAk2wAP4Fgwll/Z4ACgkQrImYjct//fHn8Q/+JdXKAXtSq5ReGTDR
 F3PcpsQK9q0LGvdyNPZ91oSkGl2UpcRhQ2KqTY0RJa7CZdk/3jG9G8aRuAmC6O5MhcsVU36j
 zBTanDgiSqFEpJCLXWWkPbwWIXdL3/FVm/1iYkDNqOZkWsYxU6BixgrDJoKcIZctt2igZqqa
 qdJYJ8tdbEXfW67rx+cu+DTXuZIuBwFETNix8zL7XpCQZAOG79IvBNaSaJr0x90tn+6rlLrk
 w6+NCXFjzm9aDNGyyWTs7s4kLfDR1LbBGpJNL+kmWmF9hkQTFHDxwNmHPyhjZcHVXaRfdl86
 ahClxBT6hitmurAGDIjjqy0d3Rs41Q3rcm9AZUWH4YbtRn2hXC/VCzsDvZvsjFB258mj4oDl
 jcgeuoY4uJEK8EJa9RJ6z3+UATcDaZTmlWhmb3UhG6suhz4hjmC4Y+JcovSVvq9AJksLJA74
 m6TxExiKzCGwy9xw1gcgJlFD4iVarfV4+jv5YGuPipPwz1ho6+P4uUOOtLFVHesSQ7S0W8eX
 rMdbu1Plw+m+fad/Asb8SoUm4ckfCwgoDMZsrGHBLhMa9D7AW/4z478DWqM6aZnZlpK4pNk+
 /jyW8cPDfjRePFKC/zH2Vm679JGgT13qQUJF1fja4KOSEi0lIKegPCRVJ1h0MseVgd2Qa9vX
 2VJwbZkrnoBa6VZH8dqJAj4EEwECACgCGyMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJW
 76tkBQkNAhVIAAoJEJ9vHC1+BF+N2tYQAIxArTFi1m0C8sv/wIJwKL3Y6LWu1dEZadHLslfT
 bSF+2ZaWIyrg/QXcIkpUuGBn+V2nw46qZ8N+bAsxVJoJDzpRuqfs5+t/wq7xIZC4gzFjY4MH
 3uGi5jhucMdozYKqLomQE34bW2B3Co3+Rx5wXa2reqXaTt5f3X74D4XkCki7WyKXMk8vhnxb
 oxU50qu3MQzu3rWFGWxukQ+Pva9tUFnWGZOIgvhVbB3FBhqbEGg56d6yTIMMb6IwIjc/UYbc
 RCST70B5y3+If26u4TSbGfZoo3xx+6hH3dw8X+jMLFLki3ABWc17f1ZE7UZPbNhoWBibSV/1
 zNylGxHM1sbD3fyVneI9SJl77JsqAsqRWa+uQzn2WMdP31KsLXhVfGBDBKziBLet3Ntj20+m
 zrZnWr7EJV9PHUhjk/ie3n3HBBXQjD6lX1L+ZVw6c9eXVQpvS2051gkSuurdGkX8PaD80O0v
 Q5aohrwu+sGXJBiZY8q8rDvq+3hsnc1TfWNJzSjD+PsQ5WM6y3zqzrb3Oa2dsmNZWvos7LkQ
 NQ+6yaoe/W3hnhEyN/w6sl01sUmhFdm/wVtbg3Nd4a0x/yTq8p56Ol0wfj54u6hkbt1yFTUl
 xx+Cp/BanLSiOZvn12slxpCBULom/D2XROYY80iwThSshahxoWC/h04q8cDaFycwMzyuiQI+
 BBMBAgAoBQJNr/0cAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCfbxwt
 fgRfjd8qEACMp3672f/ETQL/ZS3EnNj1937xu6ESRCUsvbjMiGzLW/2tQVQnoV40fBoRyeQ/
 2d40VgUCsNayy7zqm7gRpKSjEddNGVReM//HuglrUwDhctvH9SUMNvJIpTeyur456NtUtSSd
 VyQHaBXYnMm9Ultq/imKHen40shdJW+9aHfrHZ0hPTv8XQqssrunF/gMHw3LiemPIjlrvAnl
 gM+NS0dUAVEJAm/9PJlXwhLvgo/jN9Y4zw2RMlAMNtfb6+EBXtKN7fjLL9AFGb3EZFuvvKj+
 ZTuiOcHv991gS2R+9JYRb2LaGzOxzjAo4XkWYLks70ahBE3044mtblYt2M9qjOAhXSSGRehK
 +/cinAd42Krrpba55R3V2fyGbB1UZOiX4qhZM/btU/T5LzKEOOdmlKJhk4PcUHIZyqXtRPKL
 CoC7pWmPos0xKmfKR/x1lif2E9d/5/KcSvRGwv/EpFYclzXoTkgBg2Wq/rY1QaH4M0vK/hg8
 r/qQU0po4rSK1V2TboYoC6daO077OJIypXBZy4Xwxyfsm+ScomXdNW1b2qp30YQAql31paAt
 LrJUW3oKGMCVIF9ATq7Drhxh9knxo3f0JwNG3BFzNpKdQ6dYKrXBHeUIrZuuO2M/pXlpIa5j
 JrU8Krpl6AHL4M7YSRVD3AM7oV2TX6kCTDhkcQBlSND/e4kCVQQTAQIAPwIbIwYLCQgHAwIG
 FQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCWaU4BQUJEZjVaQAK
 CRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL2IK/Zencv7DZGRfFrzijROFtHbe//H8o2Zhl
 yiaFSA/dT1ehjsukkR0oFkYadA+qUi06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY
 8DP57bA+N2pdCcGu7gUtYzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpG
 N79otVWO6ebM4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t
 7EotzxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW5/EI
 QmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN46c1y3prjZRp
 QUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCtGpDIfag6fV6V97Pd3zfh
 Tf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/JnCCceB4NxRRxsgkRYHwdnXN9FnO
 PSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/KlxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7m
 t7HQ2bCLXAPgfZjy7n79WiCQVHg7iYnNikiNWR5TR7JcvdkxOdiA/4kCVQQTAQgAPwIbIwYL
 CQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJ
 GaQN2QAKCRCfbxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y
 17Bx4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2bWok
 W0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJGJALRtZzjtzs
 JqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59vcqLRZgkrJrObw0sEv3Y
 FOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao+Qnhdi161W0YKCW4JAmOoQ4bQ0wf
 E9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67
 e5e3JfUb0vNKssyZojao4h1MF5nvaPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsF
 wRDcCnSEKnksgM0321m17RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/v
 x5uxyqSHPuGAsXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVo
 CfDvvizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p7kCDQRNr/0c
 ARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeRlJ83O8dFG7UB
 VuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqjq4pKDmO1c9J7h5d+auOV
 fzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7deZcgt8v7VcLK9jv+P8QJHTIyDzJd+
 JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaMjwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyA
 FomDQ93/wkHZ9IEChTxdZnfvsd//Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3H
 VxwB8/owJ+FZDsTNBbJd7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyT
 RlwGUBJkzQFWQa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV
 6FfLi09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDYehfO
 o/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOVH1OBTKNdBjc+
 X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAYkCJQQYAQIADwIbDAUCVu+raQUJ
 DQIVTQAKCRCfbxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5
 NGB4RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtUXC5/
 JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0CurUeb4WTVpw4d
 rBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4IxeY3/CGBfQfSQHylK7ifm
 PWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3BY6+P8Ch5gddOYaY18wpedarswnpO
 LQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27eg35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kk
 fqDn2ouCtM8/kqLX1v0+NkBxlhZUkTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZ
 xdl3QuyxMktExWzk9Q5DYqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXu
 QL9SWObF+sIFc9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7
 CLUTk7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JIkCJQQYAQIA
 DwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3udV67KmVmytwGM
 fzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQzgOZhGP5Y0OREf4kSzfb7
 tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmWDK/Eh/eNVeNd+3yyDEzl2p7a0yUh
 I8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVtPfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEi
 IrR3PbZ9tV6+F5LzCUJJP5nepz6CShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8n
 OfTzdHhXXEogGvRfcxatxeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEn
 EHoo8rPETkXwUK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7
 ZobL2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gGoltX
 WokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB2Igll2ZT3Avr
 BQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9NTpaq1vtAZOwc0kl3uGNK
 18PnV4kCPAQYAQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJ
 EJ9vHC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+VoRt
 B+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgLYc6ac5PEHF1q
 ZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG0Z+wQvPSiu+Q00XpENT8
 HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4yoC+Nd6iPQpnc+5xs7NDnq2dFuST
 p7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeIN
 yJO8A5KS3ceP+eo3SLR8T0hPzu9gZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy
 2HSXUq2fs5rH0uszFGesG7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY
 +xlVULjEfCWyRVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9Yo
 u1Fi1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa7Hzd
 8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQiQI8BBgBCAAmAhsMFiEE
 7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28cLX4EX43TQA/+JV8ReMRJ
 Cn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJObQcqw7s50FJuLUbxdvbcuGIaoTu7
 dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N
 0y58eoDC4sGmBKuN2EW2MoWahlXw8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSF
 lYWVhr0zGAi5rnswlFGrECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZ
 cBlddGhmSVVJZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVR
 ep0/s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7ddHaBt
 g/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ9pGORJ+P2Jr2
 pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2yp4CShmWoZwN0V3aGYMe/
 rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA5bNxwTWe8skwOKsxXnP9RC974k0X
 kPS+VwgmVgNN1ewS/0oHvmEP71Q=
 =ZSkT
 -----END PGP PUBLIC KEY BLOCK-----
 </pre>
 </body></html>
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@ -1,43 +1,39 @@
 %{?!with_python2:     %global with_python2     0}
 %{?!with_python3:     %global with_python3     1}
 %{?!with_munin:       %global with_munin       1}
 %bcond_without dnstap
 %bcond_without systemd
 %bcond_without doh
 %global _hardened_build 1
-#global extra_version rc1
+#%%global extra_version rc1
 %if 0%{with_python2}
 %global python_primary %{__python2}
-%endif # with_python2
+%endif
 %if 0%{with_python3}
 %global python_primary %{__python3}
-%endif # with_python3
+%endif
 %if 0%{?rhel}
 %global with_munin   0
 %if 0%{?with_python2} && 0%{?rhel} <= 6
 # needed just for EPEL
 %{!?__python2: %global __python2 /usr/bin/python2}
 %{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
 %{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %endif # with_python2 && rhel <= 6
 %if 0%{?rhel} <= 7
 %global with_python3 0
 %else
 %global with_python2 0
-%endif # rhel <= 7
+%endif
-%endif # rhel
+%endif
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 5.8%{?extra_version:.%{extra_version}}%{?dist}
+Release: 17%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
-Url: https://www.unbound.net/
+Url: https://nlnetlabs.nl/projects/unbound/
-Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
+Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
 Source2: unbound.conf
 Source3: unbound.munin
@ -55,36 +51,52 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
 Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 Source21: remote-control.conf
 Source22: unbound-local-root.conf
 Source23: module-setup.sh
 Source24: unbound-initrd.conf
 Source25: unbound.sysusers
 Source26: unbound-as112-networks.conf
 # Reverts ABI change done in version 1.8.0 (bz#2027735)
 # Makes possible backward binary compatibility with a new features
 Patch1:   unbound-1.15-soversion2-compat.patch
 Patch2:   unbound-1.15-source-compat.patch
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
-Patch3:   unbound-1.16-CVE-2022-3204.patch
+Patch1: unbound-1.16-CVE-2022-3204.patch
 # https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
 Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
-# https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
+# https://github.com/NLnetLabs/unbound/commit/6d1e61173
-Patch5: unbound-1.21-CVE-2024-8508.patch
+Patch5: unbound-1.16-control-t-flag.patch
 BuildRequires: gdb
 BuildRequires: gcc, make
-BuildRequires: byacc, flex, openssl-devel
+BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
 BuildRequires: pkgconfig
 %if 0%{?fedora}
 BuildRequires: gnupg2
 %endif
 %if 0%{with_python2}
 BuildRequires: python2-devel swig
-%endif # with_python
+%endif
 %if 0%{with_python3}
 BuildRequires: python3-devel swig
-%endif # with_python3
+%endif
 %if %{with dnstap}
 BuildRequires: fstrm-devel protobuf-c-devel
 %endif
 %if %{with systemd}
 BuildRequires: systemd-devel
 %endif
 %if %{with doh}
 BuildRequires: libnghttp2-devel
 %endif
 %if 0%{?fedora} >= 30
 BuildRequires: systemd-rpm-macros
 %else
 BuildRequires: systemd
-# Required for SVN versions
+%endif
 # Required for SVN versions or modified configure.ac
 BuildRequires: bison
 BuildRequires: automake autoconf libtool
 %{?systemd_requires}
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 # unbound-keygen.service requires it, bug #2116790
@ -122,8 +134,11 @@ The devel package contains the unbound library and the include files
 %package libs
 Summary: Libraries used by the unbound server and client applications
-%{?systemd_requires}
+%{?sysusers_requires_compat}
-Requires(pre): shadow-utils
+%if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Obsoletes: python2-unbound < 1.9.3
 %endif
 %description libs
 Contains libraries used by the unbound server and client applications
@ -138,19 +153,34 @@ Obsoletes: unbound-python < %{version}-%{release}
 %description -n python2-unbound
 Python 2 modules and extensions for unbound
-%endif # with_python
+%endif
 %if 0%{with_python3}
 %package -n python3-unbound
 Summary: Python 3 modules and extensions for unbound
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %if ! 0%{with_python2}
 # Make explicit conflict with no longer provided python package
 Conflicts: python2-unbound < 1.9.3
 %endif
 %description -n python3-unbound
 Python 3 modules and extensions for unbound
-%endif # with_python3
+%endif
 %package dracut
 Summary: Unbound dracut module
 Requires: dracut%{?_isa}
 Requires: %{name}%{?_isa} = %{version}-%{release}
 %description dracut
 Unbound dracut module allowing use of Unbound for name resolution
 in initramfs.
 %prep
 %if 0%{?fedora}
 %gpgverify -k 19 -s 18 -d 0
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
 %if 0%{with_python2} && 0%{with_python3}
@ -160,18 +190,16 @@ Python 3 modules and extensions for unbound
 %global python_secondary %{__python2}
 %else
 %global dir_primary %{pkgname}
-%endif # with_python2 && with_python3
+%endif
-%setup -qcn %{pkgname}
+%autosetup -c -N -n %{pkgname}
 pushd %{pkgname}
 # patches go here
 %autopatch -p2
-%patch1 -p2 -b .solib2-compat
+# only for snapshots
-%patch2 -p1 -b .srccompat
+autoreconf -iv
 %patch3 -p2 -b .CVE-2022-3204
 %patch4 -p2 -b .CVE-2023-50387-CVE-2023-50868
 %patch5 -p2 -b .CVE-2024-8508
 # copy common doc files - after here, since it may be patched
 cp -pr doc pythonmod libunbound ../
@ -183,30 +211,39 @@ cp -a %{dir_primary} %{dir_secondary}
 %endif
 %build
 # This is needed to rebuild the configure script to support Python 3.x
 # autoreconf -iv
 # ./configure script common arguments
 %global configure_args --with-libevent --with-pthreads --with-ssl \\\
            --disable-rpath --disable-static \\\
            --enable-relro-now --enable-pie \\\
            --enable-subnet --enable-ipsecmod \\\
            --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
-            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
+            --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
            --enable-sha2 --disable-gost --enable-ecdsa \\\
            --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
-            --enable-linux-ip-local-port-range
+            --enable-linux-ip-local-port-range --disable-sha1
 pushd %{dir_primary}
 # configure.ac is modified, force refresh
 autoreconf -fiv
 %configure  \
 %if 0%{?python_primary:1}
            --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
-%endif # python_primary
+%endif
 %if %{with dnstap}
            --enable-dnstap \
 %endif
 %if %{with systemd}
            --enable-systemd \
 %endif
 %if %{with doh}
            --with-libnghttp2 \
 %endif
            %{configure_args}
-%{__make} %{?_smp_mflags}
+%make_build
-%{__make} %{?_smp_mflags} streamtcp
+%make_build streamtcp
 popd
@ -214,11 +251,17 @@ popd
 pushd %{dir_secondary}
 %configure  \
            --with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \
 %if %{with dnstap}
            --enable-dnstap \
 %endif
 %if %{with systemd}
            --enable-systemd \
 %endif
            %{configure_args}
-%{__make} %{?_smp_mflags}
+%make_build
 popd
-%endif # python_secondary
+%endif
 %install
@ -227,12 +270,12 @@ install -p -m 0644 %{SOURCE16} .
 %if 0%{?python_secondary:1}
 # install first secondary build. It will be overwritten by primary
 pushd %{dir_secondary}
-%{__make} DESTDIR=%{buildroot} unbound-event-install install
+%make_install unbound-event-install
 popd
-%endif # python_secondary
+%endif
 pushd %{dir_primary}
-%{__make} DESTDIR=%{buildroot} unbound-event-install install
+%make_install unbound-event-install
 install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
 popd
@ -244,6 +287,7 @@ install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
 install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
 install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
 install -p -D -m 0644 %{SOURCE25} %{buildroot}%{_sysusersdir}/%{name}.conf
 %if %{with_munin}
 # Install munin plugin and its softlinks
 install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
@ -270,19 +314,22 @@ install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
 install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
 install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
 # local root zone fetch to separated configuration file
 install -p -m 0644 %{SOURCE22} %{buildroot}%{_sysconfdir}/unbound/
 # remove static library from install (fedora packaging guidelines)
 rm %{buildroot}%{_libdir}/*.la
 %if 0%{with_python2}
 rm %{buildroot}%{python2_sitearch}/*.la
-%endif # with_python
+%endif
 %if 0%{with_python3}
 rm %{buildroot}%{python3_sitearch}/*.la
-%endif # with_python3
+%endif
-mkdir -p %{buildroot}%{_localstatedir}/run/unbound
+mkdir -p %{buildroot}%{_rundir}/unbound
 # Install directories for easier config file drop in
@ -291,23 +338,28 @@ install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 ln -s ../unbound-local-root.conf %{buildroot}%{_sysconfdir}/unbound/conf.d/unbound-local-root.conf
 mkdir -p %{buildroot}%{_datadir}/%{name}/conf.d
 install -p -m 0644 %{SOURCE26} %{buildroot}%{_datadir}/%{name}/conf.d/
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
 # install dracut module
 mkdir -p %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0755 %{SOURCE23} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 install -p -m 0644 %{SOURCE24} %{buildroot}%{_prefix}/lib/dracut/modules.d/99unbound
 %pre libs
-getent group unbound >/dev/null || groupadd -r unbound
+%sysusers_create_compat %{SOURCE25}
 getent passwd unbound >/dev/null || \
 useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 -c "Unbound DNS resolver" unbound
 %post
 %systemd_post unbound.service
 %systemd_post unbound-keygen.service
 %post libs
 %{?ldconfig}
 %systemd_post unbound-anchor.timer
 # start the timer only if installing the package to prevent starting it, if it was stopped on purpose
 if [ "$1" -eq 1 ]; then
@ -327,20 +379,8 @@ fi
 %systemd_postun unbound-keygen.service
 %postun libs
 %{?ldconfig}
 %systemd_postun_with_restart unbound-anchor.timer
 %triggerun -- unbound < 1.4.12-4
 # Save the current service runlevel info
 # User must manually run systemd-sysv-convert --apply unbound
 # to migrate them to systemd targets
 /usr/bin/systemd-sysv-convert --save unbound >/dev/null 2>&1 ||:
 # Run these because the SysV package being removed won't do them
 /sbin/chkconfig --del unbound >/dev/null 2>&1 || :
 /bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 %check
 pushd %{dir_primary}
 #pushd pythonmod
@ -358,21 +398,24 @@ pushd %{dir_secondary}
 #popd
 make check
 popd
-%endif # python_secondary
+%endif
 %files
 %doc doc/CREDITS doc/FEATURES
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-keygen.service
-%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
+%attr(0775,unbound,root) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound-local-root.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
-%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/example.com.conf
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/remote-control.conf
 %verify(not mtime) %config(missingok, noreplace) %{_sysconfdir}/%{name}/conf.d/unbound-local-root.conf
 %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
 %ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
@ -389,6 +432,7 @@ popd
 %{_mandir}/man5/*
 %exclude %{_mandir}/man8/unbound-anchor*
 %{_mandir}/man8/*
 %{_datadir}/%{name}/
 %if 0%{with_python2}
 %files -n python2-unbound
@ -424,114 +468,258 @@ popd
 %doc doc/README
 %license doc/LICENSE
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
 %{_sysusersdir}/%{name}.conf
 %{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
 %{_mandir}/man8/unbound-anchor*
-%{_sysconfdir}/%{name}/icannbundle.pem
+# icannbundle and root.key(s) should be replaced from package
 # intentionally not using noreplace
 %config %{_sysconfdir}/%{name}/icannbundle.pem
 %{_unitdir}/unbound-anchor.timer
 %{_unitdir}/unbound-anchor.service
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
-# modification of root.key is maintained by unbound-achor.service and is intentional, so let rpm know
+
-%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
+%files dracut
 %{_prefix}/lib/dracut/modules.d/99unbound
 %changelog
-* Tue Nov 12 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.8
+* Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-17
- Prevent unbounded name compression (CVE-2024-8508)
+- Add as112 networks config file
 - Resolves: RHEL-78696
-* Tue May 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.7
+* Mon Feb 10 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-16
- Rebuild to propagate to CentOS Stream (RHEL-25500)
+- Add possibility to disable unbound-anchor by file presence
 - Resolves: RHEL-78694
-* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
+* Sun Feb 09 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-15
 - Add sysusers support needed to propagate user to initramfs
 - Resolves: RHEL-77789
 * Sun Feb 09 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-14
 - Change service type to notify
 - Resolves: RHEL-77790
 * Wed Feb 05 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-13
 - Add noreplace to root zone config link
 - Resolves: RHEL-77788
 * Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-12
 - Backport +t flag to forward_add and stub_add control commands
 - Resolves: RHEL-77791
 * Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-11
 - Enabled libsystemd and change unbound service type to notify-reload
 - Resolves: RHEL-77790
 * Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-10
 - Add dracut module
 - Resolves: RHEL-77789
 * Tue Feb 04 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-9
 - Move automatic root zone fetching to drop-in
 - Resolves: RHEL-77788
 * Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-8
 - Ensure group access correction reaches also updated configs (CVE-2024-1488)
-* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
+* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-7
 - Ensure only unbound group can change configuration (CVE-2024-1488)
-* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.1
+* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-6
 - Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
 - Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
- Resolves: RHEL-25428
+- Resolves: RHEL-25671
- Resolves: RHEL-25423
+- Resolves: RHEL-25643
 * Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-5
 - Stop creating wrong devel manual pages (#2135322)
 * Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-4
 - Apply correctly previous change (CVE-2022-3204)
 * Tue Oct 11 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-3
 - Fix NRDelegation attack leading to uncontrolled resource consumption
  (CVE-2022-3204)
 * Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
- Require openssl tool for unbound-keygen (#2018806)
+- Require openssl tool for unbound-keygen (#2116802)
 * Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
- Update to 1.16.2 (#2027735)
+- Update to 1.16.2 (#2087120)
-* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
+* Fri Jul 08 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-3
- Restart keygen service before every unbound start (#1959468)
+- Disable ED25519 and ED448 in FIPS mode (#2079548)
-* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
+* Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
- Upgrade to 9.16.0 (#2027735)
+- Restart keygen service before every unbound start (#2094336)
 - Update to recent version with compatibility with RHEL8 (#2027735)
 - Ensure also source level compatibility with previous version
-* Thu May 19 2022 Richard Lescak <rlescak@gmail.com> - 1.7.3-18
+* Sat Jun 04 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
- Change file mode before owner when configuring remote control unix socket to avoid AVC denials
+- Update to 1.16.0 (#2087120)
 - Resolves: rhbz#2038251
-* Mon Apr 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-17
+* Mon May 02 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-1
 - Update to 1.15.0 (#2030608)
 - Update icannbundle.pem
 * Mon May 02 2022 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
 - Resolves: rhbz#1992985 unbound-1.13.2 is available
 - Use system-wide crypto policies
 * Mon May 02 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-15
 - Export unbound-devel to CRB repository (#2056116)
 * Tue Apr 26 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-14
 - Stop creating wrong devel manual pages (#2071943)
 * Thu Mar 31 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-13
 - Disable SHA-1 support (#2070495)
 * Fri Feb 11 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-12
 - Fixed error in the patch
 - Resolves: rhbz#1977401
 * Thu Feb 10 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-11
 - regional_alloc() failure handled
 - Resolves: rhbz#1977401
 * Thu Feb 10 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-10
 - RESOURCE_LEAK fixed
 - Resolves: rhbz#1977400
 * Tue Aug 10 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-9
 - Don't use delted OpenSSL macroses
 - Resolves: rhbz#1991005
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.13.1-8
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.13.1-7
 - Rebuilt for RHEL 9 BETA for openssl 3.0
  Related: rhbz#1971065
 * Tue Jun 08 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-6
 - Changelog date fixed
 - Rebuild for new gating.yaml
 - Resolves: rhbz#1951923
 * Mon Apr 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-5
 - Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
- Resolves: rhbz#1830625
+- Resolves: rhbz#1952814
-* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-16
+* Tue Apr 20 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-4
 - Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR
  environment variable equals to "yes"
- Resolves: rhbz#1922448
+- Resolves: rhbz#1951923
-* Tue Sep 01 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-15
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.13.1-2
- Fix SPEC file to not check md5 mtime and size of /var/lib/unbound/root.key
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 - Resolves: rhbz#1714175
 - Use system-wide crypto policy setting (PROFILE=SYSTEM) instead of custom setting
 - Resolves: rhbz#1842837
 - Enable additional logging in unbound
 - Resolves: rhbz#1850460
 - security hardening from x41 report
 - Resolves: rhbz#1859933
 - symbolic link traversal when writing PID file
 - Resolves: rhbz#1899058
-* Thu May 28 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-14
+* Wed Feb 10 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-1
- Fix unbound-1.7.3-amplifying-an-incoming-query.patch patch
+- Resolves rhbz#1860887 unbound-1.13.1 is available
- Resolves: rhbz#1839178 (CVE-2020-12662)
+- Fixup unbound.conf
-* Mon May 25 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-13
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-2
- Fix two previous patches and add missing patch lines to %%prep
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 - Fix amplifying an incoming query into a large number of queries directed to a target
 - Resolves: rhbz#1839178 (CVE-2020-12662)
-* Tue Apr 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-12
+* Thu Dec 10 2020 Petr Menšík <pemensik@redhat.com> - 1.13.0-1
- Remove KSK-2010 from configuration files
+- Update to 1.13.0
 - Resolves: rhbz#1665502
 - Replace legacy directory /var/run/ with /run
 - Resolves: rhbz#1766463
 - Resolves: rhbz#1805978
 - Fix memory leak when DNS over TLS forwarding is configured
 - Resolves: rhbz#1819870
-* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-11
+* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 1.12.0-1
- Resolves bz1818761. unbound crash fixed.
+- Update to 1.12.0 (#1860887)
-* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
+* Tue Sep 15 2020 Petr Menšík <pemensik@redhat.com> - 1.10.1-5
- Secure ipsec mode (#1772061)
+- Move command line tools to utils subpackage
 - CVE-2019-18934
-* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-9
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4
- Use pthread_mutex_t locks when dealing with I/O operations (#1775708)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-3
 - Use make macros
 - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 * Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 1.10.1-2
 - Rebuilt for Python 3.9
 * Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1
 - Resolves: rhbz#1837279 unbound-1.10.1 is available
 - Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
 - Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
 - Updated unbound.conf for new options in 1.10.1
 * Wed Apr 29 2020 Paul Wouters <pwouters@redhat.com> - 1.10.0-3
 - Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.
 * Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.10.0-2
 - Resolves: rhbz#1824536 unbound crash
 * Thu Mar 19 2020 Petr Menšík <pemensik@redhat.com> - 1.10.0-1
 - Update to 1.10.0 (#1805199)
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Fri Dec 13 2019 Paul Wouters <pwouters@redhat.com> - 1.9.6-1
 - Resolves: rhbz#1758107 unbound-1.9.5 is available
 - Resolves: CVE-2019-18934
 * Fri Nov 01 2019 Paul Wouters <pwouters@redhat.com> - 1.9.4-1
 - Fix build on rhel/centos systems
 - Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query
 * Thu Sep 26 2019 Petr Menšík <pihhan@gmail.com> - 1.9.3-2
 - Obsolete no longer provided python2 subpackage (#1749400)
 * Tue Aug 27 2019 Paul Wouters <pwouters@redhat.com> - 1.9.3-1
 - Updated to 1.9.3
 - Resolves: rhbz#1672578 unbound-1.9.2 is available
 - Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/
 - Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT
 * Thu Aug 22 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-8
 - Subpackage python2-unbound has been removed
  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
 * Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-7
 - Rebuilt for Python 3.8
 * Mon Aug  5 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.8.3-6
 - Drop install-time requirements on systemd (#1723777)
 * Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Fri Jan 11 2019 Paul Wouters <pwouters@redhat.com> - 1.8.3-3
 - Remove KSK-2010 from configs - it has been revoked
 * Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-2
 - Another dns64 fixup
 * Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-1
 - Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes
 * Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-2
 - Fix dns64 allocation in wrong region for returned internal queries.
 * Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
 - Updated to 1.8.2.
 - Enabled deny ANY query support and edns-tcp-keepalive
 - Set serve-stale timeout to 4h
 - Updated unbound.conf for latest options
 * Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
 - Allow group by default to unbound-control (#1640259)
 * Mon Oct 08 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-1
 - Update to 1.8.1
 * Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-2
 - Skip ipv6 forwarders without ipv6 support (#1633874)
 * Wed Sep 19 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-1
 - Rebase to 1.8.0
 * Tue Aug 14 2018 Paul Wouters <pwouters@redhat.com> - 1.7.3-9
 - Fix for restarting unbound service after deleting key/pem files for remote control
 * Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
 - Release memory in unbound-host
@ -560,8 +748,16 @@ popd
 * Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 1.7.2-3
 - Remove last python2 dependency from python3 build
-* Mon Jun 25 2018 Tomas Hozza <thozza@redhat.com> - 1.7.0-6
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.7.2-2
- Disable Python2 support
+- Rebuilt for Python 3.7
 * Mon Jun 11 2018 Paul Wouters <pwouters@redhat.com> - 1.7.2-1
 - Resolves rhbz#1589807 unbound-1.7.2 is available
 - Add patch to fix stub/forward zone not returning ServFail when TTL expires
 - Enabled the new root-key-sentinel option
 * Wed May 30 2018 Petr Menšík <pemensik@redhat.com> - 1.7.1-1
 - Update to 1.7.1 (#1574495)
 * Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.0-5
 - Require gcc and make on build
`@ -1 +1 @@`
	`D /run/unbound 0755 unbound unbound -`	`D /run/unbound 0775 unbound root -`
		`@ -0,0 +1 @@`
							`u unbound - "Unbound DNS resolver" /var/lib/unbound /sbin/nologin`