.gitignore

@@ -1 +1,74 @@
-SOURCES/unbound-1.16.2.tar.gz
+unbound-1.1.1.tar.gz
+unbound-1.2.0.tar.gz
+unbound-1.2.1.tar.gz
+unbound-1.3.0.tar.gz
+unbound-1.3.2.tar.gz
+unbound-1.3.1.tar.gz
+unbound-1.3.3.tar.gz
+unbound-1.3.4.tar.gz
+unbound-1.4.1.tar.gz
+unbound-1.4.2.tar.gz
+unbound-1.4.3.tar.gz
+unbound-1.4.4.tar.gz
+unbound-1.4.5.tar.gz
+/unbound-1.4.8.tar.gz
+/unbound-1.4.9.tar.gz
+/unbound-1.4.10.tar.gz
+/unbound-1.4.11.tar.gz
+/unbound-1.4.12.tar.gz
+/unbound-1.4.13.tar.gz
+/unbound-1.4.14.tar.gz
+/unbound-1.4.15.tar.gz
+/unbound-1.4.16.tar.gz
+/unbound-1.4.17.tar.gz
+/unbound-1.4.18.tar.gz
+/unbound-1.4.19.tar.gz
+/unbound-1.4.20.tar.gz
+/unbound-1.4.21.tar.gz
+/unbound-1.4.22.tar.gz
+/unbound-1.5.0.tar.gz
+/unbound-1.5.1rc1.tar.gz
+/unbound-1.5.1.tar.gz
+/unbound-1.5.3.tar.gz
+/unbound-1.5.4.tar.gz
+/unbound-1.5.5.tar.gz
+/unbound-1.5.6.tar.gz
+/unbound-1.5.7.tar.gz
+/unbound-1.5.8.tar.gz
+/unbound-1.5.9.tar.gz
+/unbound-1.5.10.tar.gz
+/unbound-1.6.0.tar.gz
+/unbound-1.6.2.tar.gz
+/unbound-1.6.3.tar.gz
+/unbound-1.6.4rc2.tar.gz
+/unbound-1.6.4.tar.gz
+/unbound-1.6.6.tar.gz
+/unbound-1.6.7.tar.gz
+/unbound-1.6.8.tar.gz
+/unbound-1.7.0.tar.gz
+/unbound-1.7.1.tar.gz
+/unbound-1.7.2.tar.gz
+/unbound-1.7.3.tar.gz
+/unbound-1.8.0.tar.gz
+/unbound-1.8.1.tar.gz
+/unbound-1.8.2.tar.gz
+/unbound-1.8.3.tar.gz
+/unbound-1.9.4.tar.gz
+/unbound-1.9.6.tar.gz
+/unbound-1.10.0.tar.gz
+/unbound-1.10.0.tar.gz.asc
+/unbound-1.10.1.tar.gz
+/unbound-1.10.1.tar.gz.asc
+/unbound-1.12.0.tar.gz
+/unbound-1.12.0.tar.gz.asc
+/unbound-1.13.0.tar.gz
+/unbound-1.13.0.tar.gz.asc
+/unbound-1.13.1.tar.gz
+/unbound-1.13.1.tar.gz.asc
+/unbound-1.13.2.tar.gz
+/unbound-1.13.2.tar.gz.asc
+/unbound-1.15.0.tar.gz
+/unbound-1.15.0.tar.gz.asc
+/unbound-1.16.0.tar.gz
+/unbound-1.16.2.tar.gz
+/unbound-1.16.2.tar.gz.asc

.unbound.metadata

@@ -1 +1,2 @@
-9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz
+9aea0e923b9d6779b5bc360094e24a4017e2bb25 unbound-1.16.2.tar.gz
+3b8ef6eb285bfb6577b0f15ad83cfd5adb9f2159 unbound-1.16.2.tar.gz.asc

SOURCES/remote-control.conf

@@ -1,9 +0,0 @@
-# Remote control config section update.
-# Previous defaults allowed any process to change settings, CVE-2024-1488
-remote-control:
-    # set to an absolute path to use a unix local name pipe, certificates
-    # are not used for that, so key and cert files need not be present.
-    control-interface: "/run/unbound/control"
-
-    # For local sockets this option is ignored, and TLS is not used.
-    control-use-cert: "yes"

SOURCES/unbound-1.15-source-compat.patch

@@ -1,85 +0,0 @@
-From fbde301c2706a5d0c9c3942fe84693f2b7a6b16c Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Sat, 7 May 2022 10:05:33 +0200
-Subject: [PATCH] Use reserved RCODE, fake source version
-
-Use RCODE value assigned for a private use. Previous value were possible
-returned value.
-
-Fake source version to be still 1.7.x. Hide real version into micro
-version component and export it also in a proper way with _REAL
-suffixes. Should workaround any source code detection to support correct
-callback format. Fixes compilation error in libreswan.
-
-Use preprocessed unbound.h to prevent failures
-
-Swig complains about wrong @ variable formats. Make it use preprocessed
-header instead of a template.
----
- libunbound/python/libunbound.i |  4 ++--
- libunbound/unbound.h           | 13 ++++++++++---
- services/mesh.h                |  2 +-
- 3 files changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/libunbound/python/libunbound.i b/libunbound/python/libunbound.i
-index c9549bf90..f01e9111e 100644
---- a/libunbound/python/libunbound.i
-+++ b/libunbound/python/libunbound.i
-@@ -53,7 +53,7 @@
-    #ifdef HAVE_ARPA_INET_H
-    #include <arpa/inet.h>
-    #endif
--   #include "libunbound/unbound.h"
-+   #include "unbound.h"
- %}
- 
- %pythoncode %{
-@@ -855,7 +855,7 @@ Result: ['74.125.43.147', '74.125.43.99', '74.125.43.103', '74.125.43.104']
-   //printf("resolve_stop()\n");
- %} 
- 
--%include "libunbound/unbound.h"
-+%include "unbound.h"
- 
- %inline %{
-   //SWIG will see the ub_ctx as a class
-diff --git a/libunbound/unbound.h b/libunbound/unbound.h
-index c822d3f89..82660bd51 100644
---- a/libunbound/unbound.h
-+++ b/libunbound/unbound.h
-@@ -102,9 +102,16 @@ extern "C" {
- #endif
- 
- /** the version of this header file */
--#define UNBOUND_VERSION_MAJOR @UNBOUND_VERSION_MAJOR@
--#define UNBOUND_VERSION_MINOR @UNBOUND_VERSION_MINOR@
--#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MICRO@
-+/* Because of RHEL compat change, callback type remains at
-+ * 1.7.3 version. To prevent source-level incompatibility,
-+ * fake still old version. Export real version in _REAL
-+ * suffix definitions. */
-+#define UNBOUND_VERSION_MAJOR 1
-+#define UNBOUND_VERSION_MINOR 7
-+#define UNBOUND_VERSION_MICRO @UNBOUND_VERSION_MAJOR@@UNBOUND_VERSION_MINOR@@UNBOUND_VERSION_MICRO@
-+#define UNBOUND_VERSION_MAJOR_REAL @UNBOUND_VERSION_MAJOR@
-+#define UNBOUND_VERSION_MINOR_REAL @UNBOUND_VERSION_MINOR@
-+#define UNBOUND_VERSION_MICRO_REAL @UNBOUND_VERSION_MICRO@
- 
- /**
-  * The validation context is created to hold the resolver status,
-diff --git a/services/mesh.h b/services/mesh.h
-index 9c6f958ff..c0cbf355e 100644
---- a/services/mesh.h
-+++ b/services/mesh.h
-@@ -237,7 +237,7 @@ struct mesh_reply {
- /* RHEL 8 compatibility layer.
-  * Special rcode to send was_ratelimited to callback without adding
-  * extra parameter. It is ORed to the rcode parameter of the callback. */
--#define LDNS_RCODE_RATELIMITED 0x100
-+#define LDNS_RCODE_RATELIMITED 0xf80
- #define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
- #define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
- 
--- 
-2.34.1
-

SOURCES/unbound-1.15-soversion2-compat.patch

@@ -1,471 +0,0 @@
-From 605d66f0b6b8f7c308010f455058299d25c1d2ee Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Fri, 6 May 2022 16:36:39 +0200
-Subject: [PATCH] Rework ABI breaking change to compatible way
-
-Upstream commit 749d1b9ebc6fcb79824afd0471a1cfc12ca861b1 introduced
-was_ratelimited variable to every async callback. Such change led to ABI
-break and increase of soname of libunbound.
-
-Use rcode to pass that boolean inside rcode variable. Allows keeping
-original callback prototype, but does not lose data. Extra integer bit
-operations should be very small price. Much better than ABI break.
-
-Make current version compatible back to .2 version.
----
- unbound-1.16.2/configure.ac               |  2 +-
- unbound-1.16.2/daemon/worker.c            |  6 ++--
- unbound-1.16.2/libunbound/libworker.c     | 34 +++++++++++++++--------
- unbound-1.16.2/libunbound/unbound-event.h |  3 +-
- unbound-1.16.2/libunbound/unbound.h       | 13 +++++----
- unbound-1.16.2/libunbound/worker.h        |  6 ++--
- unbound-1.16.2/services/authzone.c        | 11 ++++----
- unbound-1.16.2/services/authzone.h        |  9 ++----
- unbound-1.16.2/services/mesh.c            | 17 ++++++++----
- unbound-1.16.2/services/mesh.h            |  9 +++++-
- unbound-1.16.2/smallapp/worker_cb.c       |  6 ++--
- unbound-1.16.2/validator/autotrust.c      |  2 +-
- unbound-1.16.2/validator/autotrust.h      |  2 +-
- 13 files changed, 72 insertions(+), 48 deletions(-)
-
-diff --git a/unbound-1.16.2/configure.ac b/unbound-1.16.2/configure.ac
-index 224501b..71f066c 100644
---- a/unbound-1.16.2/configure.ac
-+++ b/unbound-1.16.2/configure.ac
-@@ -19,7 +19,7 @@ AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
- 
- LIBUNBOUND_CURRENT=9
- LIBUNBOUND_REVISION=18
--LIBUNBOUND_AGE=1
-+LIBUNBOUND_AGE=7
- # 1.0.0 had 0:12:0
- # 1.0.1 had 0:13:0
- # 1.0.2 had 0:14:0
-diff --git a/unbound-1.16.2/daemon/worker.c b/unbound-1.16.2/daemon/worker.c
-index 010c4dc..2b87a41 100644
---- a/unbound-1.16.2/daemon/worker.c
-+++ b/unbound-1.16.2/daemon/worker.c
-@@ -2268,21 +2268,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
- 
- void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
- 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
--	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
-+	char* ATTR_UNUSED(why_bogus))
- {
- 	log_assert(0);
- }
- 
- void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
- 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
--	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
-+	char* ATTR_UNUSED(why_bogus))
- {
- 	log_assert(0);
- }
- 
- void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode),
- 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
--	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
-+	char* ATTR_UNUSED(why_bogus))
- {
- 	log_assert(0);
- }
-diff --git a/unbound-1.16.2/libunbound/libworker.c b/unbound-1.16.2/libunbound/libworker.c
-index 11bf5f9..6895119 100644
---- a/unbound-1.16.2/libunbound/libworker.c
-+++ b/unbound-1.16.2/libunbound/libworker.c
-@@ -549,9 +549,10 @@ libworker_enter_result(struct ub_result* res, sldns_buffer* buf,
- /** fillup fg results */
- static void
- libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf, 
--	enum sec_status s, char* why_bogus, int was_ratelimited)
-+	enum sec_status s, char* why_bogus)
- {
--	q->res->was_ratelimited = was_ratelimited;
-+	q->res->was_ratelimited = RCODE_IS_RATELIMITED(rcode);
-+	rcode = RCODE_NOT_RATELIMITED(rcode);
- 	if(why_bogus)
- 		q->res->why_bogus = strdup(why_bogus);
- 	if(rcode != 0) {
-@@ -575,13 +576,13 @@ libworker_fillup_fg(struct ctx_query* q, int rcode, sldns_buffer* buf,
- 
- void
- libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
--	char* why_bogus, int was_ratelimited)
-+	char* why_bogus)
- {
- 	struct ctx_query* q = (struct ctx_query*)arg;
- 	/* fg query is done; exit comm base */
- 	comm_base_exit(q->w->base);
- 
--	libworker_fillup_fg(q, rcode, buf, s, why_bogus, was_ratelimited);
-+	libworker_fillup_fg(q, rcode, buf, s, why_bogus);
- }
- 
- /** setup qinfo and edns */
-@@ -634,7 +635,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
- 		NULL, 0, NULL, 0, NULL)) {
- 		regional_free_all(w->env->scratch);
- 		libworker_fillup_fg(q, LDNS_RCODE_NOERROR, 
--			w->back->udp_buff, sec_status_insecure, NULL, 0);
-+			w->back->udp_buff, sec_status_insecure, NULL);
- 		libworker_delete(w);
- 		free(qinfo.qname);
- 		return UB_NOERROR;
-@@ -643,7 +644,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
- 		w->env, &qinfo, &edns, NULL, w->back->udp_buff, w->env->scratch)) {
- 		regional_free_all(w->env->scratch);
- 		libworker_fillup_fg(q, LDNS_RCODE_NOERROR, 
--			w->back->udp_buff, sec_status_insecure, NULL, 0);
-+			w->back->udp_buff, sec_status_insecure, NULL);
- 		libworker_delete(w);
- 		free(qinfo.qname);
- 		return UB_NOERROR;
-@@ -665,7 +666,7 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
- 
- void
- libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
--	enum sec_status s, char* why_bogus, int was_ratelimited)
-+	enum sec_status s, char* why_bogus)
- {
- 	struct ctx_query* q = (struct ctx_query*)arg;
- 	ub_event_callback_type cb = q->cb_event;
-@@ -688,7 +689,7 @@ libworker_event_done_cb(void* arg, int rcode, sldns_buffer* buf,
- 		else if(s == sec_status_secure)
- 			sec = 2;
- 		(*cb)(cb_arg, rcode, (buf?(void*)sldns_buffer_begin(buf):NULL),
--			(buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus, was_ratelimited);
-+			(buf?(int)sldns_buffer_limit(buf):0), sec, why_bogus);
- 	}
- }
- 
-@@ -715,7 +716,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
- 		regional_free_all(w->env->scratch);
- 		free(qinfo.qname);
- 		libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
--			w->back->udp_buff, sec_status_insecure, NULL, 0);
-+			w->back->udp_buff, sec_status_insecure, NULL);
- 		return UB_NOERROR;
- 	}
- 	if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
-@@ -723,7 +724,7 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
- 		regional_free_all(w->env->scratch);
- 		free(qinfo.qname);
- 		libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
--			w->back->udp_buff, sec_status_insecure, NULL, 0);
-+			w->back->udp_buff, sec_status_insecure, NULL);
- 		return UB_NOERROR;
- 	}
- 	/* process new query */
-@@ -788,12 +789,23 @@ add_bg_result(struct libworker* w, struct ctx_query* q, sldns_buffer* pkt,
- 	}
- }
- 
-+
-+void
-+libworker_bg_done_cb_compat(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
-+	char* why_bogus)
-+{
-+	rcode = RCODE_NOT_RATELIMITED(rcode);
-+	libworker_bg_done_cb(arg, rcode, buf, s, why_bogus);
-+}
-+
- void
- libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, enum sec_status s,
--	char* why_bogus, int was_ratelimited)
-+	char* why_bogus)
- {
-+	int was_ratelimited = RCODE_IS_RATELIMITED(rcode);
- 	struct ctx_query* q = (struct ctx_query*)arg;
- 
-+	rcode = RCODE_NOT_RATELIMITED(rcode);
- 	if(q->cancelled || q->w->back->want_to_quit) {
- 		if(q->w->is_bg_thread) {
- 			/* delete it now */
-diff --git a/unbound-1.16.2/libunbound/unbound-event.h b/unbound-1.16.2/libunbound/unbound-event.h
-index a5d5c03..70aa4c8 100644
---- a/unbound-1.16.2/libunbound/unbound-event.h
-+++ b/unbound-1.16.2/libunbound/unbound-event.h
-@@ -170,7 +170,8 @@ struct ub_event {
- 	struct ub_event_vmt* vmt;
- };
- 
--typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*, int);
-+/* Uses define LDNS_RCODE_RATELIMITED from services/mesh.h */
-+typedef void (*ub_event_callback_type)(void*, int, void*, int, int, char*);
- 
- /**
-  * Create a resolving and validation context.
-diff --git a/unbound-1.16.2/libunbound/unbound.h b/unbound-1.16.2/libunbound/unbound.h
-index c779d18..f6d5c7c 100644
---- a/unbound-1.16.2/libunbound/unbound.h
-+++ b/unbound-1.16.2/libunbound/unbound.h
-@@ -203,18 +203,19 @@ struct ub_result {
- 	 */
- 	char* why_bogus;
- 
-+	/**
-+	 * TTL for the result, in seconds.  If the security is bogus, then
-+	 * you also cannot trust this value.
-+	 */
-+	int ttl;
-+
- 	/**
- 	 * If the query or one of its subqueries was ratelimited.  Useful if
- 	 * ratelimiting is enabled and answer to the client is SERVFAIL as a
- 	 * result.
-+	 * RHEL8 Change, moved after ttl.
- 	 */
- 	int was_ratelimited;
--
--	/**
--	 * TTL for the result, in seconds.  If the security is bogus, then
--	 * you also cannot trust this value.
--	 */
--	int ttl;
- };
- 
- /**
-diff --git a/unbound-1.16.2/libunbound/worker.h b/unbound-1.16.2/libunbound/worker.h
-index 0fa5bfa..8b64b4d 100644
---- a/unbound-1.16.2/libunbound/worker.h
-+++ b/unbound-1.16.2/libunbound/worker.h
-@@ -90,15 +90,15 @@ void libworker_handle_control_cmd(struct tube* tube, uint8_t* msg, size_t len,
- 
- /** mesh callback with fg results */
- void libworker_fg_done_cb(void* arg, int rcode, sldns_buffer* buf, 
--	enum sec_status s, char* why_bogus, int was_ratelimited);
-+	enum sec_status s, char* why_bogus);
- 
- /** mesh callback with bg results */
- void libworker_bg_done_cb(void* arg, int rcode, sldns_buffer* buf, 
--	enum sec_status s, char* why_bogus, int was_ratelimited);
-+	enum sec_status s, char* why_bogus);
- 
- /** mesh callback with event results */
- void libworker_event_done_cb(void* arg, int rcode, struct sldns_buffer* buf, 
--	enum sec_status s, char* why_bogus, int was_ratelimited);
-+	enum sec_status s, char* why_bogus);
- 
- /**
-  * Worker signal handler function. User argument is the worker itself.
-diff --git a/unbound-1.16.2/services/authzone.c b/unbound-1.16.2/services/authzone.c
-index b9e0b11..c72949f 100644
---- a/unbound-1.16.2/services/authzone.c
-+++ b/unbound-1.16.2/services/authzone.c
-@@ -5656,8 +5656,7 @@ xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
- 
- /** callback for task_transfer lookup of host name, of A or AAAA */
- void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
--	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
--	int ATTR_UNUSED(was_ratelimited))
-+	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
- {
- 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
- 	struct module_env* env;
-@@ -5669,6 +5668,7 @@ void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
- 		return; /* stop on quit */
- 	}
- 
-+	rcode = RCODE_NOT_RATELIMITED(rcode);
- 	/* process result */
- 	if(rcode == LDNS_RCODE_NOERROR) {
- 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
-@@ -6717,8 +6717,7 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
- 
- /** callback for task_probe lookup of host name, of A or AAAA */
- void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
--	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
--	int ATTR_UNUSED(was_ratelimited))
-+	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus))
- {
- 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
- 	struct module_env* env;
-@@ -6730,6 +6729,7 @@ void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
- 		return; /* stop on quit */
- 	}
- 
-+	rcode = RCODE_NOT_RATELIMITED(rcode);
- 	/* process result */
- 	if(rcode == LDNS_RCODE_NOERROR) {
- 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
-@@ -8212,7 +8212,7 @@ auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z,
- 
- /** callback for ZONEMD lookup of DNSKEY */
- void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
--	enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
-+	enum sec_status sec, char* why_bogus)
- {
- 	struct auth_zone* z = (struct auth_zone*)arg;
- 	struct module_env* env;
-@@ -8234,6 +8234,7 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
- 	if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS)
- 		typestr = "DS";
- 	downprot = env->cfg->harden_algo_downgrade;
-+	rcode = RCODE_NOT_RATELIMITED(rcode);
- 
- 	/* process result */
- 	if(sec == sec_status_bogus) {
-diff --git a/unbound-1.16.2/services/authzone.h b/unbound-1.16.2/services/authzone.h
-index 07614ed..b339fc1 100644
---- a/unbound-1.16.2/services/authzone.h
-+++ b/unbound-1.16.2/services/authzone.h
-@@ -690,12 +690,10 @@ void auth_xfer_probe_timer_callback(void* arg);
- void auth_xfer_transfer_timer_callback(void* arg);
- /** mesh callback for task_probe on lookup of host names */
- void auth_xfer_probe_lookup_callback(void* arg, int rcode,
--	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
--	int was_ratelimited);
-+	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
- /** mesh callback for task_transfer on lookup of host names */
- void auth_xfer_transfer_lookup_callback(void* arg, int rcode,
--	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
--	int was_ratelimited);
-+	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
- 
- /*
-  * Compares two 32-bit serial numbers as defined in RFC1982.  Returns
-@@ -774,8 +772,7 @@ void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
- 
- /** mesh callback for zonemd on lookup of dnskey */
- void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode,
--	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus,
--	int was_ratelimited);
-+	struct sldns_buffer* buf, enum sec_status sec, char* why_bogus);
- 
- /**
-  * Check the ZONEMD records that need online DNSSEC chain lookups,
-diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
-index 30bcf7c..fc3c690 100644
---- a/unbound-1.16.2/services/mesh.c
-+++ b/unbound-1.16.2/services/mesh.c
-@@ -63,6 +63,7 @@
- #include "util/data/dname.h"
- #include "respip/respip.h"
- #include "services/listen_dnsport.h"
-+#include "libunbound/unbound-event.h"
- 
- #ifdef CLIENT_SUBNET
- #include "edns-subnet/subnetmod.h"
-@@ -1012,7 +1013,7 @@ mesh_state_cleanup(struct mesh_state* mstate)
- 			mstate->cb_list = cb->next;
- 			fptr_ok(fptr_whitelist_mesh_cb(cb->cb));
- 			(*cb->cb)(cb->cb_arg, LDNS_RCODE_SERVFAIL, NULL,
--				sec_status_unchecked, NULL, 0);
-+				sec_status_unchecked, NULL);
- 			log_assert(mesh->num_reply_addrs > 0);
- 			mesh->num_reply_addrs--;
- 		}
-@@ -1268,8 +1269,9 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
- 					r->edns.opt_list_inplace_cb_out = NULL;
- 		}
- 		fptr_ok(fptr_whitelist_mesh_cb(r->cb));
--		(*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL,
--			was_ratelimited);
-+		if (was_ratelimited)
-+			rcode |= LDNS_RCODE_RATELIMITED;
-+		(*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL);
- 	} else {
- 		size_t udp_size = r->edns.udp_size;
- 		sldns_buffer_clear(r->buf);
-@@ -1287,11 +1289,14 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
- 		{
- 			fptr_ok(fptr_whitelist_mesh_cb(r->cb));
- 			(*r->cb)(r->cb_arg, LDNS_RCODE_SERVFAIL, r->buf,
--				sec_status_unchecked, NULL, 0);
-+				sec_status_unchecked, NULL);
- 		} else {
- 			fptr_ok(fptr_whitelist_mesh_cb(r->cb));
--			(*r->cb)(r->cb_arg, LDNS_RCODE_NOERROR, r->buf,
--				rep->security, reason, was_ratelimited);
-+			rcode = LDNS_RCODE_NOERROR;
-+			if (was_ratelimited)
-+				rcode |= LDNS_RCODE_RATELIMITED;
-+			(*r->cb)(r->cb_arg, rcode, r->buf,
-+				rep->security, reason);
- 		}
- 	}
- 	free(reason);
-diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
-index 3be9b63..5050d6c 100644
---- a/unbound-1.16.2/services/mesh.h
-+++ b/unbound-1.16.2/services/mesh.h
-@@ -234,13 +234,20 @@ struct mesh_reply {
- 	struct http2_stream* h2_stream;
- };
- 
-+/* RHEL 8 compatibility layer.
-+ * Special rcode to send was_ratelimited to callback without adding
-+ * extra parameter. It is ORed to the rcode parameter of the callback. */
-+#define LDNS_RCODE_RATELIMITED 0x100
-+#define RCODE_IS_RATELIMITED(rcode) ((rcode & LDNS_RCODE_RATELIMITED) != 0)
-+#define RCODE_NOT_RATELIMITED(rcode) (rcode & ~LDNS_RCODE_RATELIMITED)
-+
- /** 
-  * Mesh result callback func.
-  * called as func(cb_arg, rcode, buffer_with_reply, security, why_bogus,
-  *		was_ratelimited);
-  */
- typedef void (*mesh_cb_func_type)(void* cb_arg, int rcode, struct sldns_buffer*,
--	enum sec_status, char* why_bogus, int was_ratelimited);
-+	enum sec_status, char* why_bogus);
- 
- /**
-  * Callback to result routine
-diff --git a/unbound-1.16.2/smallapp/worker_cb.c b/unbound-1.16.2/smallapp/worker_cb.c
-index c689817..c7b1653 100644
---- a/unbound-1.16.2/smallapp/worker_cb.c
-+++ b/unbound-1.16.2/smallapp/worker_cb.c
-@@ -159,21 +159,21 @@ void libworker_handle_control_cmd(struct tube* ATTR_UNUSED(tube),
- 
- void libworker_fg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
- 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
--	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
-+	char* ATTR_UNUSED(why_bogus))
- {
- 	log_assert(0);
- }
- 
- void libworker_bg_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
- 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
--	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
-+	char* ATTR_UNUSED(why_bogus))
- {
- 	log_assert(0);
- }
- 
- void libworker_event_done_cb(void* ATTR_UNUSED(arg), int ATTR_UNUSED(rcode), 
- 	struct sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(s),
--	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
-+	char* ATTR_UNUSED(why_bogus))
- {
- 	log_assert(0);
- }
-diff --git a/unbound-1.16.2/validator/autotrust.c b/unbound-1.16.2/validator/autotrust.c
-index 3cdf9ce..40b3e35 100644
---- a/unbound-1.16.2/validator/autotrust.c
-+++ b/unbound-1.16.2/validator/autotrust.c
-@@ -2331,7 +2331,7 @@ autr_debug_print(struct val_anchors* anchors)
- 
- void probe_answer_cb(void* arg, int ATTR_UNUSED(rcode), 
- 	sldns_buffer* ATTR_UNUSED(buf), enum sec_status ATTR_UNUSED(sec),
--	char* ATTR_UNUSED(why_bogus), int ATTR_UNUSED(was_ratelimited))
-+	char* ATTR_UNUSED(why_bogus))
- {
- 	/* retry was set before the query was done,
- 	 * re-querytime is set when query succeeded, but that may not
-diff --git a/unbound-1.16.2/validator/autotrust.h b/unbound-1.16.2/validator/autotrust.h
-index 057f2b6..c549798 100644
---- a/unbound-1.16.2/validator/autotrust.h
-+++ b/unbound-1.16.2/validator/autotrust.h
-@@ -206,6 +206,6 @@ void autr_debug_print(struct val_anchors* anchors);
- 
- /** callback for query answer to 5011 probe */
- void probe_answer_cb(void* arg, int rcode, struct sldns_buffer* buf, 
--	enum sec_status sec, char* errinf, int was_ratelimited);
-+	enum sec_status sec, char* errinf);
- 
- #endif /* VALIDATOR_AUTOTRUST_H */
--- 
-2.37.1
-

SOURCES/unbound-1.16.2.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmLnudYACgkQn28cLX4E
-X43GmRAAoROXbktLR2AXGEECgPCFlHag9oNZosa3J5yR2vaV4e8eA6AMzPyZbl7P
-LnLon8PZZR+pTW+dDRqakvzJIwXkLeONFgEdvd0cAghWAtPrKCDZIkCyeQj0OOv3
-wt1pRRl2PXUKNZZf0bzpTUIhVsHF/w5f5T/mFAZm49rUDboj77xgokmaFK4kei0I
-Gz4W8Vx3TIwwJc8nea8GtCYIg3UKmR/TMznMFExAoKdMllzKuJnGx5lR/eU0+NRc
-uwWEQhNJrHXZyWethp9swLCrOmDHcgBJOd04TqcDwSIZrw9VuT3/Uza3Tw73N7kr
-PZvF2xSOASL+i91QP6tnkmQD5pAORVpUFN3NePEWV5922iG/pVipaYBbEyV3dfph
-Y4QGwj8G6ppcfjV7gmlxsAOM2gnhD3rDqFmkxau6zB1kktHnV2aqlzIQo396ZBJQ
-hKyIAJlNvpTiFaACD7/cFkE80awJnCD/qvXATN//BWHKytgO8eYg7fZGrxjbpIQk
-XV/vVlOJWRXPyPBnp8MQyCIDe2eq2ELlMfYw62/TNDuj2qKsM/W03cem3GlveOa6
-tw8RVfFFjwZlCLbXSbmsKo+mWJ3jCAvb3/gql52vJDE5FuRz7MvptIVU6DVE1O+J
-mQ3AoQ2Mq9iHsZePfze4sq531DMlWTgBMwqfBTWqMaTC/8VH5rg=
-=Ax9n
------END PGP SIGNATURE-----

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

root.key

@@ -2,4 +2,5 @@
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
 trusted-keys {
 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
+
 };

sources

@@ -0,0 +1,2 @@
+SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572
+SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f

unbound-1.8.0-rh1633874.patch

@@ -0,0 +1,39 @@
+From 9be04e6fac3f4ee8fa08d3671dac41d2156d2ced Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Thu, 27 Sep 2018 08:19:29 +0000
+Subject: [PATCH] - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL,
+ fixes   qname minimisation with a forwarder when connectivity has issues  
+ from rejecting responses.
+
+git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ iterator/iterator.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+index 7baf92b7..2f26bd33 100644
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ 		return 0;
+ 	}
+ 
+-	if(iq->minimisation_state == INIT_MINIMISE_STATE) {
++	if(iq->minimisation_state == INIT_MINIMISE_STATE
++		&& !(iq->chase_flags & BIT_RD)) {
+ 		/* (Re)set qinfo_out to (new) delegation point, except when
+ 		 * qinfo_out is already a subdomain of dp. This happens when
+ 		 * increasing by more than one label at once (QNAMEs with more
+@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ 			sock_list_insert(&qstate->reply_origin, 
+ 				&qstate->reply->addr, qstate->reply->addrlen, 
+ 				qstate->region);
+-		if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
++		if(iq->minimisation_state != DONOT_MINIMISE_STATE
++			&& !(iq->chase_flags & BIT_RD)) {
+ 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
+ 				LDNS_RCODE_NOERROR) {
+ 				if(qstate->env->cfg->qname_minimisation_strict)
+-- 
+2.14.4
+

unbound-1.8.1-keygen-group-rights.patch

@@ -0,0 +1,29 @@
+From 6429b5c298b10b96feb6b90c111948df97269f40 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Mon, 22 Oct 2018 10:07:13 +0000
+Subject: [PATCH] - Fix #4192: unbound-control-setup generates keys not
+ readable by   group.
+
+git-svn-id: file:///svn/unbound/trunk@4942 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ smallapp/unbound-control-setup.sh.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/smallapp/unbound-control-setup.sh.in b/smallapp/unbound-control-setup.sh.in
+index 0d759f44..f4024b43 100644
+--- a/smallapp/unbound-control-setup.sh.in
++++ b/smallapp/unbound-control-setup.sh.in
+@@ -148,8 +148,8 @@ test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
+ # echo "empty password is used, simply click OK on the password dialog box."
+ # openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
+ 
+-# remove unused permissions
+-chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
++# set desired permissions
++chmod 0640 $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
+ 
+ # remove crap
+ rm -f request.cfg
+-- 
+2.14.4
+

unbound-1.8.2-dns64.patch

@@ -0,0 +1,13 @@
+diff --git a/dns64/dns64.c b/dns64/dns64.c
+index 6c81192..77e6890 100644
+--- a/dns64/dns64.c
++++ b/dns64/dns64.c
+@@ -925,7 +925,7 @@ dns64_inform_super(struct module_qstate* qstate, int id,
+ 	 * successful or not. This lets the state machine terminate.
+ 	 */
+ 	if(!super_dq) {
+-		super_dq = (struct dns64_qstate*)regional_alloc(qstate->region,
++		super_dq = (struct dns64_qstate*)regional_alloc(super->region,
+ 			sizeof(*super_dq));
+ 		super->minfo[id] = super_dq;
+ 		memset(super_dq, 0, sizeof(*super_dq));

unbound-aarch64.patch

@@ -0,0 +1,22 @@
+Index: unbound-1.5.0/compat/getentropy_linux.c
+===================================================================
+--- unbound-1.5.0.orig/compat/getentropy_linux.c
++++ unbound-1.5.0/compat/getentropy_linux.c
+@@ -102,7 +102,7 @@ getentropy(void *buf, size_t len)
+ 	if (ret != -1)
+ 		return (ret);
+ 
+-#ifdef CTL_MAXNAME
++#ifdef SYS__sysctl
+ 	/*
+ 	 * Try to use sysctl CTL_KERN, KERN_RANDOM, RANDOM_UUID.
+ 	 * sysctl is a failsafe API, so it guarantees a result.  This
+@@ -235,7 +235,7 @@ nodevrandom:
+ 	return -1;
+ }
+ 
+-#ifdef CTL_MAXNAME
++#ifdef SYS__sysctl
+ static int
+ getentropy_sysctl(void *buf, size_t len)
+ {

unbound.conf

@@ -989,7 +989,6 @@ remote-control:
 
 	# Set to no and use an absolute path as control-interface to use
 	# a unix local named pipe for unbound-control.
-	# For local sockets this option is ignored, and TLS is not used.
 	# control-use-cert: yes
 
 	# what interfaces are listened to for remote control.
@@ -998,11 +997,14 @@ remote-control:
 	# are not used for that, so key and cert files need not be present.
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
-	# moved to /etc/unbound/conf.d/remote-control.conf
 
 	# port number for remote control operations.
 	# control-port: 8953
 
+	# for localhost, you can disable use of TLS by setting this to "no"
+	# For local sockets this option is ignored, and TLS is not used.
+	control-use-cert: "no"
+
 	# Unbound server key file.
 	server-key-file: "/etc/unbound/unbound_server.key"
 

unbound.spec

@@ -1,43 +1,39 @@
 %{?!with_python2:     %global with_python2     0}
 %{?!with_python3:     %global with_python3     1}
 %{?!with_munin:       %global with_munin       1}
+%bcond_without dnstap
+%bcond_with    systemd
+%bcond_without doh
 
 %global _hardened_build 1
 
-#global extra_version rc1
+#%%global extra_version rc1
 
 %if 0%{with_python2}
 %global python_primary %{__python2}
-%endif # with_python2
+%endif
 
 %if 0%{with_python3}
 %global python_primary %{__python3}
-%endif # with_python3
+%endif
 
 %if 0%{?rhel}
 %global with_munin   0
 
-%if 0%{?with_python2} && 0%{?rhel} <= 6
-# needed just for EPEL
-%{!?__python2: %global __python2 /usr/bin/python2}
-%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
-%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
-%endif # with_python2 && rhel <= 6
-
 %if 0%{?rhel} <= 7
 %global with_python3 0
 %else
 %global with_python2 0
-%endif # rhel <= 7
-%endif # rhel
+%endif
+%endif
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.16.2
-Release: 5%{?extra_version:.%{extra_version}}%{?dist}.6
+Release: 3%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
-Url: https://www.unbound.net/
-Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
+Url: https://nlnetlabs.nl/projects/unbound/
+Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
 Source1: unbound.service
 Source2: unbound.conf
 Source3: unbound.munin
@@ -55,34 +51,42 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
-Source21: remote-control.conf
+Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
 
-# Reverts ABI change done in version 1.8.0 (bz#2027735)
-# Makes possible backward binary compatibility with a new features
-Patch1:   unbound-1.15-soversion2-compat.patch
-Patch2:   unbound-1.15-source-compat.patch
 # https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
-Patch3:   unbound-1.16-CVE-2022-3204.patch
-# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
-Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
+Patch1: unbound-1.16-CVE-2022-3204.patch
 
-BuildRequires: gdb
 BuildRequires: gcc, make
-BuildRequires: byacc, flex, openssl-devel
+BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
 BuildRequires: pkgconfig
+%if 0%{?fedora}
+BuildRequires: gnupg2
+%endif
 %if 0%{with_python2}
 BuildRequires: python2-devel swig
-%endif # with_python
+%endif
 %if 0%{with_python3}
 BuildRequires: python3-devel swig
-%endif # with_python3
+%endif
+%if %{with dnstap}
+BuildRequires: fstrm-devel protobuf-c-devel
+%endif
+%if %{with systemd}
+BuildRequires: systemd-devel
+%endif
+%if %{with doh}
+BuildRequires: libnghttp2-devel
+%endif
+%if 0%{?fedora} >= 30
+BuildRequires: systemd-rpm-macros
+%else
 BuildRequires: systemd
-# Required for SVN versions
+%endif
+# Required for SVN versions or modified configure.ac
 BuildRequires: bison
 BuildRequires: automake autoconf libtool
 
-%{?systemd_requires}
 # Needed because /usr/sbin/unbound links unbound libs staticly
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 # unbound-keygen.service requires it, bug #2116790
@@ -120,8 +124,11 @@ The devel package contains the unbound library and the include files
 
 %package libs
 Summary: Libraries used by the unbound server and client applications
-%{?systemd_requires}
 Requires(pre): shadow-utils
+%if ! 0%{with_python2}
+# Make explicit conflict with no longer provided python package
+Obsoletes: python2-unbound < 1.9.3
+%endif
 
 %description libs
 Contains libraries used by the unbound server and client applications
@@ -136,19 +143,26 @@ Obsoletes: unbound-python < %{version}-%{release}
 
 %description -n python2-unbound
 Python 2 modules and extensions for unbound
-%endif # with_python
+%endif
 
 %if 0%{with_python3}
 %package -n python3-unbound
 Summary: Python 3 modules and extensions for unbound
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+%if ! 0%{with_python2}
+# Make explicit conflict with no longer provided python package
+Conflicts: python2-unbound < 1.9.3
+%endif
 
 %description -n python3-unbound
 Python 3 modules and extensions for unbound
-%endif # with_python3
+%endif
 
 
 %prep
+%if 0%{?fedora}
+%gpgverify -k 19 -s 18 -d 0
+%endif
 %global pkgname %{name}-%{version}%{?extra_version}
 
 %if 0%{with_python2} && 0%{with_python3}
@@ -158,17 +172,16 @@ Python 3 modules and extensions for unbound
 %global python_secondary %{__python2}
 %else
 %global dir_primary %{pkgname}
-%endif # with_python2 && with_python3
+%endif
 
-%setup -qcn %{pkgname}
+%autosetup -c -N -n %{pkgname}
 
 pushd %{pkgname}
+# patches go here
+%autopatch -p2
 
-%patch1 -p2 -b .solib2-compat
-%patch2 -p1 -b .srccompat
-%patch3 -p2 -b .CVE-2022-3204
-%patch4 -p2 -b .CVE-2023-50387-CVE-2023-50868
-
+# only for snapshots
+autoreconf -iv
 
 # copy common doc files - after here, since it may be patched
 cp -pr doc pythonmod libunbound ../
@@ -180,30 +193,39 @@ cp -a %{dir_primary} %{dir_secondary}
 %endif
 
 %build
+# This is needed to rebuild the configure script to support Python 3.x
+# autoreconf -iv
+
 # ./configure script common arguments
 %global configure_args --with-libevent --with-pthreads --with-ssl \\\
             --disable-rpath --disable-static \\\
             --enable-relro-now --enable-pie \\\
             --enable-subnet --enable-ipsecmod \\\
             --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
-            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
+            --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
             --enable-sha2 --disable-gost --enable-ecdsa \\\
             --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\
-            --enable-linux-ip-local-port-range
+            --enable-linux-ip-local-port-range --disable-sha1
 
 pushd %{dir_primary}
 
-# configure.ac is modified, force refresh
-autoreconf -fiv
-
 %configure  \
 %if 0%{?python_primary:1}
             --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
-%endif # python_primary
+%endif
+%if %{with dnstap}
+            --enable-dnstap \
+%endif
+%if %{with systemd}
+            --enable-systemd \
+%endif
+%if %{with doh}
+            --with-libnghttp2 \
+%endif
             %{configure_args}
 
-%{__make} %{?_smp_mflags}
-%{__make} %{?_smp_mflags} streamtcp
+%make_build
+%make_build streamtcp
 
 popd
 
@@ -211,11 +233,17 @@ popd
 pushd %{dir_secondary}
 %configure  \
             --with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \
+%if %{with dnstap}
+            --enable-dnstap \
+%endif
+%if %{with systemd}
+            --enable-systemd \
+%endif
             %{configure_args}
 
-%{__make} %{?_smp_mflags}
+%make_build
 popd
-%endif # python_secondary
+%endif
 
 
 %install
@@ -224,12 +252,12 @@ install -p -m 0644 %{SOURCE16} .
 %if 0%{?python_secondary:1}
 # install first secondary build. It will be overwritten by primary
 pushd %{dir_secondary}
-%{__make} DESTDIR=%{buildroot} unbound-event-install install
+%make_install unbound-event-install
 popd
-%endif # python_secondary
+%endif
 
 pushd %{dir_primary}
-%{__make} DESTDIR=%{buildroot} unbound-event-install install
+%make_install unbound-event-install
 install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
 popd
 
@@ -273,13 +301,13 @@ rm %{buildroot}%{_libdir}/*.la
 
 %if 0%{with_python2}
 rm %{buildroot}%{python2_sitearch}/*.la
-%endif # with_python
+%endif
 
 %if 0%{with_python3}
 rm %{buildroot}%{python3_sitearch}/*.la
-%endif # with_python3
+%endif
 
-mkdir -p %{buildroot}%{_localstatedir}/run/unbound
+mkdir -p %{buildroot}%{_rundir}/unbound
 
 # Install directories for easier config file drop in
 
@@ -287,7 +315,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
 install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
 install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
-install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
 
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
@@ -304,7 +331,6 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 %systemd_post unbound-keygen.service
 
 %post libs
-%{?ldconfig}
 %systemd_post unbound-anchor.timer
 # start the timer only if installing the package to prevent starting it, if it was stopped on purpose
 if [ "$1" -eq 1 ]; then
@@ -324,20 +350,8 @@ fi
 %systemd_postun unbound-keygen.service
 
 %postun libs
-%{?ldconfig}
 %systemd_postun_with_restart unbound-anchor.timer
 
-%triggerun -- unbound < 1.4.12-4
-# Save the current service runlevel info
-# User must manually run systemd-sysv-convert --apply unbound
-# to migrate them to systemd targets
-/usr/bin/systemd-sysv-convert --save unbound >/dev/null 2>&1 ||:
-
-# Run these because the SysV package being removed won't do them
-/sbin/chkconfig --del unbound >/dev/null 2>&1 || :
-/bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
-/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
-
 %check
 pushd %{dir_primary}
 #pushd pythonmod
@@ -355,14 +369,14 @@ pushd %{dir_secondary}
 #popd
 make check
 popd
-%endif # python_secondary
+%endif
 
 
 %files
 %doc doc/CREDITS doc/FEATURES
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-keygen.service
-%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
+%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
 %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
@@ -424,115 +438,203 @@ popd
 %{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
 %{_mandir}/man8/unbound-anchor*
-%{_sysconfdir}/%{name}/icannbundle.pem
+# icannbundle and root.key(s) should be replaced from package
+# intentionally not using noreplace
+%config %{_sysconfdir}/%{name}/icannbundle.pem
 %{_unitdir}/unbound-anchor.timer
 %{_unitdir}/unbound-anchor.service
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
-# modification of root.key is maintained by unbound-achor.service and is intentional, so let rpm know
-%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
 
 %changelog
-* Wed Apr 03 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
-- Rebuilt again with z-stream target
-
-* Wed Apr 03 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.5
-- Correct typo in new config file
-
-* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.4
-- Ensure group access correction reaches also updated configs (CVE-2024-1488)
-
-* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
-- Ensure only unbound group can change configuration (CVE-2024-1488)
-
-* Mon Feb 19 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.2
-- Fix wrong entry in changelog
-- Resolves: RHEL-25634
-
-* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.1
-- Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
-- Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
-- Resolves: RHEL-25660
-- Resolves: RHEL-25634
-
-* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-5
-- Stop creating wrong devel manual pages (#2135322)
-
-* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-4
-- Apply correctly previous change (CVE-2022-3204)
-
 * Tue Oct 11 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-3
 - Fix NRDelegation attack leading to uncontrolled resource consumption
   (CVE-2022-3204)
 
 * Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
-- Require openssl tool for unbound-keygen (#2018806)
+- Require openssl tool for unbound-keygen (#2116802)
 
 * Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
-- Update to 1.16.2 (#2027735)
+- Update to 1.16.2 (#2087120)
 
-* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
-- Restart keygen service before every unbound start (#1959468)
+* Fri Jul 08 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-3
+- Disable ED25519 and ED448 in FIPS mode (#2079548)
 
-* Wed Jun 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
-- Upgrade to 9.16.0 (#2027735)
-- Update to recent version with compatibility with RHEL8 (#2027735)
-- Ensure also source level compatibility with previous version
+* Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-2
+- Restart keygen service before every unbound start (#2094336)
 
-* Thu May 19 2022 Richard Lescak <rlescak@gmail.com> - 1.7.3-18
-- Change file mode before owner when configuring remote control unix socket to avoid AVC denials
-- Resolves: rhbz#2038251
+* Sat Jun 04 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
+- Update to 1.16.0 (#2087120)
 
-* Mon Apr 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-17
+* Mon May 02 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-1
+- Update to 1.15.0 (#2030608)
+- Update icannbundle.pem
+
+* Mon May 02 2022 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
+- Resolves: rhbz#1992985 unbound-1.13.2 is available
+- Use system-wide crypto policies
+
+* Mon May 02 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-15
+- Export unbound-devel to CRB repository (#2056116)
+
+* Tue Apr 26 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-14
+- Stop creating wrong devel manual pages (#2071943)
+
+* Thu Mar 31 2022 Petr Menšík <pemensik@redhat.com> - 1.13.1-13
+- Disable SHA-1 support (#2070495)
+
+* Fri Feb 11 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-12
+- Fixed error in the patch
+- Resolves: rhbz#1977401
+
+* Thu Feb 10 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-11
+- regional_alloc() failure handled
+- Resolves: rhbz#1977401
+
+* Thu Feb 10 2022 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-10
+- RESOURCE_LEAK fixed
+- Resolves: rhbz#1977400
+
+* Tue Aug 10 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-9
+- Don't use delted OpenSSL macroses
+- Resolves: rhbz#1991005
+
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.13.1-8
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.13.1-7
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Tue Jun 08 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-6
+- Changelog date fixed
+- Rebuild for new gating.yaml
+- Resolves: rhbz#1951923
+
+* Mon Apr 26 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-5
 - Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
-- Resolves: rhbz#1830625
+- Resolves: rhbz#1952814
 
-* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-16
+* Tue Apr 20 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-4
 - Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR
   environment variable equals to "yes"
-- Resolves: rhbz#1922448
+- Resolves: rhbz#1951923
 
-* Tue Sep 01 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-15
-- Fix SPEC file to not check md5 mtime and size of /var/lib/unbound/root.key
-- Resolves: rhbz#1714175
-- Use system-wide crypto policy setting (PROFILE=SYSTEM) instead of custom setting
-- Resolves: rhbz#1842837
-- Enable additional logging in unbound
-- Resolves: rhbz#1850460
-- security hardening from x41 report
-- Resolves: rhbz#1859933
-- symbolic link traversal when writing PID file
-- Resolves: rhbz#1899058
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.13.1-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Thu May 28 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-14
-- Fix unbound-1.7.3-amplifying-an-incoming-query.patch patch
-- Resolves: rhbz#1839178 (CVE-2020-12662)
+* Wed Feb 10 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-1
+- Resolves rhbz#1860887 unbound-1.13.1 is available
+- Fixup unbound.conf
 
-* Mon May 25 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-13
-- Fix two previous patches and add missing patch lines to %%prep
-- Fix amplifying an incoming query into a large number of queries directed to a target
-- Resolves: rhbz#1839178 (CVE-2020-12662)
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Tue Apr 21 2020 Anna Khaitovich <akhaitov@redhat.com> - 1.7.3-12
-- Remove KSK-2010 from configuration files
-- Resolves: rhbz#1665502
-- Replace legacy directory /var/run/ with /run
-- Resolves: rhbz#1766463
-- Resolves: rhbz#1805978
-- Fix memory leak when DNS over TLS forwarding is configured
-- Resolves: rhbz#1819870
+* Thu Dec 10 2020 Petr Menšík <pemensik@redhat.com> - 1.13.0-1
+- Update to 1.13.0
 
-* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.7.3-11
-- Resolves bz1818761. unbound crash fixed.
+* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 1.12.0-1
+- Update to 1.12.0 (#1860887)
 
-* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-10
-- Secure ipsec mode (#1772061)
-- CVE-2019-18934
+* Tue Sep 15 2020 Petr Menšík <pemensik@redhat.com> - 1.10.1-5
+- Move command line tools to utils subpackage
 
-* Tue Dec 10 2019 Tomas Korbar <tkorbar@redhat.com> - 1.7.3-9
-- Use pthread_mutex_t locks when dealing with I/O operations (#1775708)
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-3
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 1.10.1-2
+- Rebuilt for Python 3.9
+
+* Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1
+- Resolves: rhbz#1837279 unbound-1.10.1 is available
+- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
+- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
+- Updated unbound.conf for new options in 1.10.1
+
+* Wed Apr 29 2020 Paul Wouters <pwouters@redhat.com> - 1.10.0-3
+- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.
+
+* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.10.0-2
+- Resolves: rhbz#1824536 unbound crash
+
+* Thu Mar 19 2020 Petr Menšík <pemensik@redhat.com> - 1.10.0-1
+- Update to 1.10.0 (#1805199)
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Dec 13 2019 Paul Wouters <pwouters@redhat.com> - 1.9.6-1
+- Resolves: rhbz#1758107 unbound-1.9.5 is available
+- Resolves: CVE-2019-18934
+
+* Fri Nov 01 2019 Paul Wouters <pwouters@redhat.com> - 1.9.4-1
+- Fix build on rhel/centos systems
+- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query
+
+* Thu Sep 26 2019 Petr Menšík <pihhan@gmail.com> - 1.9.3-2
+- Obsolete no longer provided python2 subpackage (#1749400)
+
+* Tue Aug 27 2019 Paul Wouters <pwouters@redhat.com> - 1.9.3-1
+- Updated to 1.9.3
+- Resolves: rhbz#1672578 unbound-1.9.2 is available
+- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/
+- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT
+
+* Thu Aug 22 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-8
+- Subpackage python2-unbound has been removed
+  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
+
+* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-7
+- Rebuilt for Python 3.8
+
+* Mon Aug  5 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.8.3-6
+- Drop install-time requirements on systemd (#1723777)
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jan 11 2019 Paul Wouters <pwouters@redhat.com> - 1.8.3-3
+- Remove KSK-2010 from configs - it has been revoked
+
+* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-2
+- Another dns64 fixup
+
+* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-1
+- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes
+
+* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-2
+- Fix dns64 allocation in wrong region for returned internal queries.
+
+* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
+- Updated to 1.8.2.
+- Enabled deny ANY query support and edns-tcp-keepalive
+- Set serve-stale timeout to 4h
+- Updated unbound.conf for latest options
+
+* Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
+- Allow group by default to unbound-control (#1640259)
+
+* Mon Oct 08 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-1
+- Update to 1.8.1
+
+* Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-2
+- Skip ipv6 forwarders without ipv6 support (#1633874)
+
+* Wed Sep 19 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-1
+- Rebase to 1.8.0
+
+* Tue Aug 14 2018 Paul Wouters <pwouters@redhat.com> - 1.7.3-9
+- Fix for restarting unbound service after deleting key/pem files for remote control
 
 * Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
 - Release memory in unbound-host
@@ -561,8 +663,16 @@ popd
 * Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 1.7.2-3
 - Remove last python2 dependency from python3 build
 
-* Mon Jun 25 2018 Tomas Hozza <thozza@redhat.com> - 1.7.0-6
-- Disable Python2 support
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.7.2-2
+- Rebuilt for Python 3.7
+
+* Mon Jun 11 2018 Paul Wouters <pwouters@redhat.com> - 1.7.2-1
+- Resolves rhbz#1589807 unbound-1.7.2 is available
+- Add patch to fix stub/forward zone not returning ServFail when TTL expires
+- Enabled the new root-key-sentinel option
+
+* Wed May 30 2018 Petr Menšík <pemensik@redhat.com> - 1.7.1-1
+- Update to 1.7.1 (#1574495)
 
 * Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.0-5
 - Require gcc and make on build

wouter.nlnetlabs.nl.key

@@ -0,0 +1,212 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" >
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Public Key Server -- Get "0x9f6f1c2d7e045f8d "</title>
+<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
+<style type="text/css">
+/*<![CDATA[*/
+ .uid { color: green; text-decoration: underline; }
+ .warn { color: red; font-weight: bold; }
+/*]]>*/
+</style></head><body><h1>Public Key Server -- Get "0x9f6f1c2d7e045f8d "</h1>
+<pre>
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.6
+Comment: Hostname: sks.pod02.fleetstreetops.com
+
+mQINBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xESH45ncnI
+SUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs61pTcPU2PnH7Rsr2q
+p6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0xTQh95M8o6AFo6UKWApBpgsvE
+Zr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8
+AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyEqn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub
+4Awsby3DH5YpPhi4N2vj2pAXVpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjD
+ilNDBiKiDdgtrLYGx+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T
+8E2NQqmFWjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
+/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hedhvb6mAkv
+SFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQABtCdXLkMuQS4gV2lq
+bmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD6IRgQQEQIABgUCThRSKQAKCRD5yv3rOc/E
+3iiwAJ0SIjqFSwBm7sEZf2nn4JhkWKoG0gCfTD0g9RhtJFZa+0rdtMGUpYtDA1aIRgQQEQIA
+BgUCT/FYZQAKCRDidkIqx06dxeI6AJ9JZvcA78yRPDAMS+TklrNhFbEixgCgwiltuquOD4Qw
+vTS+NZr1ECUit8+IRgQTEQIABgUCTa///wAKCRCQMuo3A6Gk+Ot2AKCi4IvI/AT2kSzy0pWH
+Zfrpl93zlACZAaBqkUKcA1jxk8HtqDYtuCRhSfiIRgQTEQIABgUCTb7dfwAKCRCL5TxDRLCU
+K/4yAJ9Zgx/YRiu/X+KLDTQoYXTxNNbCHACfcBLrfl5uABiyOzBC+/R5rXnoRaqIRgQTEQIA
+BgUCV+zVuQAKCRAjc9NHiaFq+OY4AKC6GV6dlBdvo4bEaJpWPHh9WShqIwCgjJi+haVoUR52
+ovPF0zsXx6/um+GITAQTEQIADAUCTbAJsgWDCWX06gAKCRC039xrdgkihyx4AJ9iuMMszOpC
+jRYkVjTgmDyVmAA5uACg7qmMbKb03FbTFdd5VG5/6RTiPtSJARwEEAECAAYFAlTvL9UACgkQ
+lumWUDlMmaxLZgf/WeQK3FqemgsgcNCfkPuE9XpSdyJhQ+n1Yb6tAK4osry7H3lFBQIKTpmX
+SxauZDazYt6G4BYWsA0ARBwZVOaEaIbFRHFWs3/SLynNf9ZGBw8FumIMlEw3+tUdZck6u7pU
+q1OFeL1HWRLEC/njyLe7zAFHHWwMUIL9ZAZGiknADbqiiyF/JTcv4cpfNhdRAFzRriUJ2zYf
+0r6vKnf8pjc9QfDricAq/WzfANycfaSqx5GEBokxZY3lq/oLe4dGpZmrGecvBMtmTRHAG0Ln
+sNwXVujej3sU0vfhkZ1A0lnKoZCOTwGTPkL3dkOwbUdoYiYakTjM8NKav/TxNDxdaG/QbYkB
+HAQQAQgABgUCVnyBkgAKCRAIbcKm1AudBFrsB/9oKXW7oiQ7eJJ036fsfM5UODQGoXc1XO0R
+TEV/8pBRSDhqOVwRUsPqgtU6p2UWJbwxgB7MmPt3Z4cXs+ff1jkTzn/iefMyB7W6NogotrTt
+Nlj8x30Y9dVJB4KSHnQW2Gsf/OmZM9cDBAuyK3j3yLWkn65FRKVoH/4sYil1Tm/ogEC8vdvX
+RpwsCaZG8HOLDphjjU0JErE1jWk2L+P0TeGCmbrsfhORxTaCROjvcJ0fQsdX7kcA262iRrU0
+xDlBBYZA9wyGfd4wf+zIt7LcVBjNNvIUdUC3Uf0prYJawaG2/YV6R7eY4ooJxTutadugLmZp
+fBRiITflLZssO3YAW9RxiQEcBBMBCgAGBQJU7y/ZAAoJEMFDUWYtzEe6MyQIALSGlZ4X0LJw
+6zNoHGVxC0P911NBtDRO2/Hfg38UMT8KjQ1jOynm1KZm67viNOVGRGWar23PNppofpViZSlQ
+xUXUyLXVajcV9klg7RV7GC/3P2dvrCjELHXJ6w8qrcUKDighjbdctHXiQ9W5nU1IWPTLdg+z
+cvTbSVybvLwcbu5kzUzlYvesetJjSWnU9PXswed2cN9sqN3ikrWlYv4qHp6RwrLBN/VjZQov
+AxXN68PHxLz8GNxZTO9Aa4j4CheejXPVHDhqqw/K0XI86hnvZX7kwy4KBq/o4Kl+fstaOM6T
+571D2fljTVztmsKZBhiuKm1t8/Ltoifch+bpFx5AZkaJAhwEEAECAAYFAk2+3aIACgkQi0GC
+sRlrLScyHw//accdcVbHGYLwS0imk5SMEJX2bdu87uXqseeMU5OhnYip4ySQ727VihGYkhmL
+c/o1dIEznvFudWc/fMEi0x3R5J53Qbt3XQEUjOgZUoeomQJCItoJsDRoItvgdUvj3o6hVWhu
++8PL6oC2J/JAHvfsMKiaTBHrUcNdgovLPGo5bcZCJwOxqPLYPLW2fCkanY9EhbyVAsFIiuH4
++8tSDnqrgZFATyDqhqAYP96CanJrSalB6l/2r10q3V/OxcyCwys5w54FExhQAhpwThpbpFcK
+kBrM647ak7x8dZha4C/RltwkFn6jFp2sNUSEa0USTOTyDw7WkqgZZOWvauQ+fKgSOJwWU+MR
+cs11bNEGtwBu+wPheeyAlITu7A9PIrMZTmmJKy124I7ZvfXF3NZrHVm2KanLaWqHrso8tYg4
+9C7ptSCEZlgLHaeOl1wOOLbH6OneB3mQqf2u0elWYv64sbEqmFwd0C4rFeT7VSFSDLc1AsZB
+zc4WveDPnjzMXE2KLIwP+/x+betpntuYKYzYov0fryS79fjwu5JGh0gfEDITSta+tPRAYqKf
+mCt/jpeZxUQBfI6SW6LyP2Go8uYlbplV5IJuZ04c2Pr/9G/e3vh4O/kJmDZo4EX9op9TKJpg
+w/shReVuUAP9E24rD0oEyiWnHu/ZsgMtaVKQc2SsIghSG8eJAhwEEAEKAAYFAlTvL+sACgkQ
+V0EnLQMH4n8IuA//cZqhGvBiSNpRkSjjZWu5BY7fhMOdshiVPkEZmILRytnXnxVcu+PuuIk0
+kXfgt/jcS762dBZK3UOVAAsGsLfkisLN18UGWKhokNUWybSmdmhTb6Ns5tJbZfnFTaSjA3Gk
+Z+R/U8O1tNHTmqBfYHTSq8utpIi1JEJRf5itUYytP75nt0rnjpYTFEbvKgukgZldLDk581Zc
+x4Y6pj1ILrxtqF369yBtYIEkHFcYDuXsApTIXY1G4V5mq4t9QCk07E2ZKZ2aJjaCA7VeD+vR
+8Z50oyu4kuc1RdFnP8TfQUAr/tYIFinuzKSqELu9b+JSPO3qawXaq9Y+X42XWkeQSeu7SNl2
+xqe1uVhHd8qduf8U438fUOBeY+gpae9e2IPbErU+itmd+m+WlHp8FUH2pS6VlXXhBrBPEZ3+
+8ph9wUtSAenFVyT1leu21pMuP2nNpD2nTsNlYcX9gA/vkA7bQyOtaEOC+8zNHtZYhx4u/nmI
++yZ4Cc95CmfwTE0/fRX+T+jK2x5ZGRZMudygnKRbnod+OgnNVBWIykGSzULKgLY9i5PlxCA2
+a7FUoLpIOW4OJSgo6WNsBc3j48RjqNm3cUcLco1kDcoGaQ43dGyLVGMlB332u6m2W+g+AwGm
+vhJQh3yy5XYvRXRzfiHvWUok8ess1/0qSRua22JY14KBxJF80EeJAhwEEwECAAYFAk2wI04A
+CgkQ5fj4IS93pJjaOw/8DG4fn6z4LYmY3MsLNu2Efg9YflaWPkD+z0iLPGUHhrzObIIMfGL0
+kpqYJSbvYqYUSIR8AjQGwRrJVidBqOX9bK7ZVPPvsX61hjt6e0T0O2Q6JuDMCfseiseLBo/a
+6DJu2P7LfDNGaath0WMonOxnqs+kRG8SVyTqmbnyC0AwthgYB57CIyNuz3MPkQr7pJNmyWFv
+kUYs7Z2Awq0hyD9M1KAV8igqFGYjrZAJoSv1nX6OzGRCSFmxqKwmCd7OtHLpqdNHos5CLhrj
+ouLJwiNt8gv7w06owYFxEsctAGqjVjvvtD0L19Skp3jgLAro6x53UFUtxm+Z/8YLLh+lNHJx
+JMDQu5CpSn3zLwRkF/cYgINOa1CS1yceynlbRGxrIb2vSfmnZeNZ2cTwedM/+9C044DfIB1y
+9FmmZBaXOaA4ITjvcEf2FpFn9MdF+zN8N8AN5m1y/qftFqgG0P40AQ0hQAhk+F8JxD7wVh65
+jcj62f287L1h8EDo/NE1JH8dAb9dUlJQeohAkiIMurDYLYRop9u+ogtUtRpMKXTwgNUanIq7
+oTYpNunbI1NUXc9Fdi9Z8OYZagHlo4v6T3fqvaRbGElncoF6faz7les2zh2S8etACX7mNsxV
+c6kXIpdHqoHKGShdxtb+PhRirbIxdCzlFstk5c9zpsCJCr/yu+pCL6KJAiIEEAECAAwFAk2w
+CcoFgwll9NIACgkQVGoRHjtqqmQGaRAAuHuKIupTerS7qrEIkyOvECN06fg+U/caYv3Qpue0
+4ZC2aIk4oK/7wsuhEsMLCL3J1JFYCCmbc0QfYBtzIM5lu9SX7/1R8/+VnCvYvME8tKdMdQAM
+BWq4ZG5Bi9rH8j+450mjgmPRC0s8tmmfp62gB9zBAd/poVZQOVSUV43HE3n6Vkxj0ediGEmw
+GakB2pPtAY7HAaLxRdXidwjNTzpAz7JPinoZgpz/MYseuxSSyhIqqREYn/ynX1+YQhu1l4X6
+rpIsVWawMv93PhO42Y3Ny6SvC/hnZ1J+Y359quClHTQ/ogrbZrbhlKtpJNeNOCBKUzgIuT3/
+PSy1XheYQR2m8SbOmOMpgInr16i3ijsYBKI6qdoxB//YCkFCJmxfCUqRGPe6sAW2n9ow4VmE
+rAUDEqYTPDzkRA5zBY6C6cMugoClY8LidDwKHGXjbPMLz+CnWIVsC8BedjQcfPkuQs/P4QtQ
++UYwt6UiFywYe4Na9JfJsYDwkUaKgZadva/JFxGkm7ApMpeMBuZUDIl9qptKipdmRrMnBx9l
+fvBqrrXYKPEzVMW0FpX9D5F1L4k5u3x4B0VDZ9WPJgkSKFQIMatDxFsyJNWZmh/0dODC/LKF
+mZZCk3B34rr91He99MzKNrrq3vZSlbMKoCQYjDGQDWVXCplwjq1zCt/JSZUJYVhwbcyJAiIE
+EQECAAwFAlRgbtMFgwK1j8kACgkQBhyEc3tNEByR3A/+MKwW1tgIspbnE8WEGjdNJtXUHQUv
+UJHFTuoBNKZA/uAYxe7FLoSKQI8lH5PgJrLnu8lq0Z7h4BObnx7F4NrB1ixTtMGgRXD1amVY
+Gw6STlXH6Fhr/0RvBTg/wbdm/nFFdaEEhclMNHY/mW69bcqGjHjcnk6nOmlVrYegWRGjGgTI
+JBqHUhoX2+VixkMrBDSESBpHHQHlwsOlT9T0v3pCVHQz9I/WygQpn0bjgWEISyZkWbLcmJVZ
+yYYmWU9WWw8n16qFChdO6BTEjChuzVupLS5LoBgxCJkh9gl4F6VGRg2kVvsQoxE0CKbM+4qy
+qAAK2jrgQZRg4ihC2WmOpr9X0mrjO38Bz/tmZL389ZBzj9S3VO8otgBRgDbJvNHm8EjWdQHj
+SOE2x5/F2T69g8IK3S/vkkKrySsjSlD/NJpWwldkUh1RtO7wFO2Zk+2+vr55joOjKApXKQgO
+7PKw2awkL91UWWHAvJ3tTq/16FUypnY9RHM9rHtU8XDLCp4iEzE7rzIywEwX4fUAut4CRf8m
+u3czrhdPh+oQyOyQHZJMdX0mCKZREPgKo2ca5iAFtzOzrgD5OTCD/Pz4+99+gLEMOML1bWQ4
+R43L4YyrB1UIQUAvVmLDhn19bUcIS+wZ3kKI0et24wqjkaIsLSSounGBPxB4jOLhG0BBojzV
+dvqUElOJAiIEEwECAAwFAk2wAP4Fgwll/Z4ACgkQrImYjct//fHn8Q/+JdXKAXtSq5ReGTDR
+F3PcpsQK9q0LGvdyNPZ91oSkGl2UpcRhQ2KqTY0RJa7CZdk/3jG9G8aRuAmC6O5MhcsVU36j
+zBTanDgiSqFEpJCLXWWkPbwWIXdL3/FVm/1iYkDNqOZkWsYxU6BixgrDJoKcIZctt2igZqqa
+qdJYJ8tdbEXfW67rx+cu+DTXuZIuBwFETNix8zL7XpCQZAOG79IvBNaSaJr0x90tn+6rlLrk
+w6+NCXFjzm9aDNGyyWTs7s4kLfDR1LbBGpJNL+kmWmF9hkQTFHDxwNmHPyhjZcHVXaRfdl86
+ahClxBT6hitmurAGDIjjqy0d3Rs41Q3rcm9AZUWH4YbtRn2hXC/VCzsDvZvsjFB258mj4oDl
+jcgeuoY4uJEK8EJa9RJ6z3+UATcDaZTmlWhmb3UhG6suhz4hjmC4Y+JcovSVvq9AJksLJA74
+m6TxExiKzCGwy9xw1gcgJlFD4iVarfV4+jv5YGuPipPwz1ho6+P4uUOOtLFVHesSQ7S0W8eX
+rMdbu1Plw+m+fad/Asb8SoUm4ckfCwgoDMZsrGHBLhMa9D7AW/4z478DWqM6aZnZlpK4pNk+
+/jyW8cPDfjRePFKC/zH2Vm679JGgT13qQUJF1fja4KOSEi0lIKegPCRVJ1h0MseVgd2Qa9vX
+2VJwbZkrnoBa6VZH8dqJAj4EEwECACgCGyMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJW
+76tkBQkNAhVIAAoJEJ9vHC1+BF+N2tYQAIxArTFi1m0C8sv/wIJwKL3Y6LWu1dEZadHLslfT
+bSF+2ZaWIyrg/QXcIkpUuGBn+V2nw46qZ8N+bAsxVJoJDzpRuqfs5+t/wq7xIZC4gzFjY4MH
+3uGi5jhucMdozYKqLomQE34bW2B3Co3+Rx5wXa2reqXaTt5f3X74D4XkCki7WyKXMk8vhnxb
+oxU50qu3MQzu3rWFGWxukQ+Pva9tUFnWGZOIgvhVbB3FBhqbEGg56d6yTIMMb6IwIjc/UYbc
+RCST70B5y3+If26u4TSbGfZoo3xx+6hH3dw8X+jMLFLki3ABWc17f1ZE7UZPbNhoWBibSV/1
+zNylGxHM1sbD3fyVneI9SJl77JsqAsqRWa+uQzn2WMdP31KsLXhVfGBDBKziBLet3Ntj20+m
+zrZnWr7EJV9PHUhjk/ie3n3HBBXQjD6lX1L+ZVw6c9eXVQpvS2051gkSuurdGkX8PaD80O0v
+Q5aohrwu+sGXJBiZY8q8rDvq+3hsnc1TfWNJzSjD+PsQ5WM6y3zqzrb3Oa2dsmNZWvos7LkQ
+NQ+6yaoe/W3hnhEyN/w6sl01sUmhFdm/wVtbg3Nd4a0x/yTq8p56Ol0wfj54u6hkbt1yFTUl
+xx+Cp/BanLSiOZvn12slxpCBULom/D2XROYY80iwThSshahxoWC/h04q8cDaFycwMzyuiQI+
+BBMBAgAoBQJNr/0cAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCfbxwt
+fgRfjd8qEACMp3672f/ETQL/ZS3EnNj1937xu6ESRCUsvbjMiGzLW/2tQVQnoV40fBoRyeQ/
+2d40VgUCsNayy7zqm7gRpKSjEddNGVReM//HuglrUwDhctvH9SUMNvJIpTeyur456NtUtSSd
+VyQHaBXYnMm9Ultq/imKHen40shdJW+9aHfrHZ0hPTv8XQqssrunF/gMHw3LiemPIjlrvAnl
+gM+NS0dUAVEJAm/9PJlXwhLvgo/jN9Y4zw2RMlAMNtfb6+EBXtKN7fjLL9AFGb3EZFuvvKj+
+ZTuiOcHv991gS2R+9JYRb2LaGzOxzjAo4XkWYLks70ahBE3044mtblYt2M9qjOAhXSSGRehK
++/cinAd42Krrpba55R3V2fyGbB1UZOiX4qhZM/btU/T5LzKEOOdmlKJhk4PcUHIZyqXtRPKL
+CoC7pWmPos0xKmfKR/x1lif2E9d/5/KcSvRGwv/EpFYclzXoTkgBg2Wq/rY1QaH4M0vK/hg8
+r/qQU0po4rSK1V2TboYoC6daO077OJIypXBZy4Xwxyfsm+ScomXdNW1b2qp30YQAql31paAt
+LrJUW3oKGMCVIF9ATq7Drhxh9knxo3f0JwNG3BFzNpKdQ6dYKrXBHeUIrZuuO2M/pXlpIa5j
+JrU8Krpl6AHL4M7YSRVD3AM7oV2TX6kCTDhkcQBlSND/e4kCVQQTAQIAPwIbIwYLCQgHAwIG
+FQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCWaU4BQUJEZjVaQAK
+CRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL2IK/Zencv7DZGRfFrzijROFtHbe//H8o2Zhl
+yiaFSA/dT1ehjsukkR0oFkYadA+qUi06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY
+8DP57bA+N2pdCcGu7gUtYzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpG
+N79otVWO6ebM4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t
+7EotzxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW5/EI
+QmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN46c1y3prjZRp
+QUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCtGpDIfag6fV6V97Pd3zfh
+Tf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/JnCCceB4NxRRxsgkRYHwdnXN9FnO
+PSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/KlxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7m
+t7HQ2bCLXAPgfZjy7n79WiCQVHg7iYnNikiNWR5TR7JcvdkxOdiA/4kCVQQTAQgAPwIbIwYL
+CQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJ
+GaQN2QAKCRCfbxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y
+17Bx4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2bWok
+W0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJGJALRtZzjtzs
+JqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59vcqLRZgkrJrObw0sEv3Y
+FOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao+Qnhdi161W0YKCW4JAmOoQ4bQ0wf
+E9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67
+e5e3JfUb0vNKssyZojao4h1MF5nvaPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsF
+wRDcCnSEKnksgM0321m17RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/v
+x5uxyqSHPuGAsXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVo
+CfDvvizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p7kCDQRNr/0c
+ARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeRlJ83O8dFG7UB
+VuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqjq4pKDmO1c9J7h5d+auOV
+fzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7deZcgt8v7VcLK9jv+P8QJHTIyDzJd+
+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaMjwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyA
+FomDQ93/wkHZ9IEChTxdZnfvsd//Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3H
+VxwB8/owJ+FZDsTNBbJd7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyT
+RlwGUBJkzQFWQa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV
+6FfLi09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDYehfO
+o/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOVH1OBTKNdBjc+
+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAYkCJQQYAQIADwIbDAUCVu+raQUJ
+DQIVTQAKCRCfbxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5
+NGB4RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtUXC5/
+JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0CurUeb4WTVpw4d
+rBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4IxeY3/CGBfQfSQHylK7ifm
+PWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3BY6+P8Ch5gddOYaY18wpedarswnpO
+LQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27eg35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kk
+fqDn2ouCtM8/kqLX1v0+NkBxlhZUkTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZ
+xdl3QuyxMktExWzk9Q5DYqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXu
+QL9SWObF+sIFc9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7
+CLUTk7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JIkCJQQYAQIA
+DwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3udV67KmVmytwGM
+fzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQzgOZhGP5Y0OREf4kSzfb7
+tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmWDK/Eh/eNVeNd+3yyDEzl2p7a0yUh
+I8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVtPfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEi
+IrR3PbZ9tV6+F5LzCUJJP5nepz6CShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8n
+OfTzdHhXXEogGvRfcxatxeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEn
+EHoo8rPETkXwUK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7
+ZobL2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gGoltX
+WokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB2Igll2ZT3Avr
+BQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9NTpaq1vtAZOwc0kl3uGNK
+18PnV4kCPAQYAQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJ
+EJ9vHC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+VoRt
+B+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgLYc6ac5PEHF1q
+ZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG0Z+wQvPSiu+Q00XpENT8
+HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4yoC+Nd6iPQpnc+5xs7NDnq2dFuST
+p7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeIN
+yJO8A5KS3ceP+eo3SLR8T0hPzu9gZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy
+2HSXUq2fs5rH0uszFGesG7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY
++xlVULjEfCWyRVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9Yo
+u1Fi1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa7Hzd
+8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQiQI8BBgBCAAmAhsMFiEE
+7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28cLX4EX43TQA/+JV8ReMRJ
+Cn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJObQcqw7s50FJuLUbxdvbcuGIaoTu7
+dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N
+0y58eoDC4sGmBKuN2EW2MoWahlXw8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSF
+lYWVhr0zGAi5rnswlFGrECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZ
+cBlddGhmSVVJZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVR
+ep0/s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7ddHaBt
+g/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ9pGORJ+P2Jr2
+pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2yp4CShmWoZwN0V3aGYMe/
+rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA5bNxwTWe8skwOKsxXnP9RC974k0X
+kPS+VwgmVgNN1ewS/0oHvmEP71Q=
+=ZSkT
+-----END PGP PUBLIC KEY BLOCK-----
+</pre>
+</body></html>