diff --git a/.bind.metadata b/.bind.metadata
index ec0886b..2a4946f 100644
--- a/.bind.metadata
+++ b/.bind.metadata
@@ -1 +1 @@
-771bbb31ab0bfcf3f50effa0af4df6014853ac86 SOURCES/bind-9.16.20.tar.xz
+30cbd1f3e9d2d47d653498143334128aac1f8fc0 SOURCES/bind-9.16.23.tar.xz
diff --git a/.gitignore b/.gitignore
index 463781a..bed248e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/bind-9.16.20.tar.xz
+SOURCES/bind-9.16.23.tar.xz
diff --git a/SOURCES/bind-9.11-rh1666814.patch b/SOURCES/bind-9.11-rh1666814.patch
index e66a5ab..7429999 100644
--- a/SOURCES/bind-9.11-rh1666814.patch
+++ b/SOURCES/bind-9.11-rh1666814.patch
@@ -1,4 +1,4 @@
-From a1a4730c1f02cd85680cf7608ac81e0db59ee522 Mon Sep 17 00:00:00 2001
+From 0f03071080e7fa68433b322359d46abaca2cc5ad Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Wed, 16 Jan 2019 16:27:33 +0100
 Subject: [PATCH] Fix possible crash when loading corrupted file
@@ -6,23 +6,14 @@ Subject: [PATCH] Fix possible crash when loading corrupted file
 Some values passes internal triggers by coincidence. Fix the check and
 check also first_node_offset before even passing it further.
 ---
- lib/dns/rbt.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
+ lib/dns/rbt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
-index ef6441b..404fd6d 100644
+index 5aee5f6..7f2c2d2 100644
 --- a/lib/dns/rbt.c
 +++ b/lib/dns/rbt.c
-@@ -754,7 +754,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
- 	}
- 
- 	CONFIRM((void *)n >= base);
--	CONFIRM((char *)n - (char *)base <= (int)nodemax);
-+	CONFIRM((size_t)((char *)n - (char *)base) <= (int)nodemax);
- 	CONFIRM(DNS_RBTNODE_VALID(n));
- 
- 	dns_name_init(&nodename, NULL);
-@@ -911,7 +911,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
  	rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
  				      header->first_node_offset);
  
@@ -34,5 +25,5 @@ index ef6441b..404fd6d 100644
  		goto cleanup;
  	}
 -- 
-2.21.1
+2.31.1
 
diff --git a/SOURCES/bind-9.16.20-map-format-fix.patch b/SOURCES/bind-9.16.20-map-format-fix.patch
deleted file mode 100644
index f6e3c9b..0000000
--- a/SOURCES/bind-9.16.20-map-format-fix.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- a/lib/dns/mapapi
-+++ b/lib/dns/mapapi
-@@ -13,4 +13,4 @@
- # Whenever releasing a new major release of BIND9, set this value
- # back to 1.0 when releasing the first alpha.  Map files are *never*
- # compatible across major releases.
--MAPAPI=2.0
-+MAPAPI=3.0
diff --git a/SOURCES/bind-9.16.20.tar.xz.asc b/SOURCES/bind-9.16.20.tar.xz.asc
deleted file mode 100644
index e247e91..0000000
--- a/SOURCES/bind-9.16.20.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABAgAdFiEE6atueSM8BBbomT9FDAOvqQpZZ8QFAmETiLIACgkQDAOvqQpZ
-Z8SWCBAAn9moH3eaxJit2rMp6119PTx1VJNDAM7IM2jhszhnU5pkbXKZjIusbYJl
-9xPpWr64nx7WSWXvoyR/5DwKERNrYXx4klot6eMa/abIJiNDsVFdai8qJjJtqdcs
-wnvtlYs0OYIpbg8kBfCMUBiEfUdQVxE3XKrbBZ/i7SdnMDnYnpymZbDhkJK7mc+M
-jG0lG77CXdZOpP33LxahXfY63mfm5bK7/MHGF+J8Yxk0Dveh56znYXmCmXYQIw6L
-mmXT56wA+XBsXLIReHgM8prXxwRjFa704WmnPPegWAyEIbL8siWHE/h4zlp6TXl1
-TZyT6cz54kZ1RiEuM4IMVEy0FHXOw/sR6+/bHixGCUw4QZqnsUWt0stzSgMQXgj4
-D+1VtnGZ7tIhyzAGuN1xFX7tjR244jgnNsJlvWMS+NYkCs0zF2wMt7LgwSvf0RVY
-UEGDlLs39fl/pJdyU/kdBSbC6ZKvF2+TDqReaQwiWt6M+GqWGYK1XG1q5oZ7Y9in
-jmcJWrhLdaq17YB+Z9LS69m2hY+Qob4zyErXscSCDiL114Mcp9YCbj9dp3+rI/vY
-USJA23O2D2RnMc5PuLg1Iyh1f9VkT1VI2I/qT5L3mrs4F56G0FcMYofgNcaWaY/X
-H2xDz+h5OHE9DqYLuGaP/23bP9Gt1GHy8DB6ZtUtDp5wuVMSho0=
-=Ryzr
------END PGP SIGNATURE-----
diff --git a/SOURCES/bind-9.16.23.tar.xz.asc b/SOURCES/bind-9.16.23.tar.xz.asc
new file mode 100644
index 0000000..d48514d
--- /dev/null
+++ b/SOURCES/bind-9.16.23.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABAgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmGKhMcACgkQxbTukxqf
+nf1EbQ//YXsBbMtyI3c0MoleSi5zwzcpCTZTWTFHqH5WUiruLMDF453j/Fn2zaSC
+WuaUnhN61dR+BVtX+D2Y8GiVQFICo5X1nJj0jb/TcflXFq7YLWUAO0NPwPkBL1J4
+/PA0YCp1zYcvBXIxTKaU7AcBxlKmcGLdZcgCyGU6NSKaOJSxHOWXM460uD/crskB
+iSPEbMevN9TTJs9webztJNKH/3BuNkOD9SFb6JlUIQqwKx1v8rosgdI7BvgGMZqy
+s+10+GlIRFFvsX2XkX8BnjDlQ1QdzDOAoyCU+Se9rXDqu+zZf1VN4ReUCSDuPYf9
+z+GW1EbMxuZzEKrEIJvhnVNNiHqtKVaK6IIUX5bHqgPLEx87HxJMOPmbyBc1kDAe
+0WCmsITaq62WvKOG8Ho8wLrlG4AAO5+A7xit4bJ4XUtLiqyt+9FUIeEFY9nZb/6O
+OXK9eBMZHZ++r52RtA+GYZllkNRpzwnULOdR/9svVQuc10/MjnRoFqInzLlqwfwm
+2q6r372oWn8+MUvjQVBgzprn5BvY+HDo2gNEYEi5QyR3ql2dX/Qz7iUdUfhRvMNL
+FdPt3B3kktfOV98p/imrIwLwVVWwKBlphntkRxLtSZBs3nbo27F/ND54fixC2eCa
+epB6FF5IquzQ/MOiz4uql3YexNDQQ+7N2IGPJVMwO2ILAyZDNOQ=
+=pVtf
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/bind99-rh640538.patch b/SOURCES/bind99-rh640538.patch
deleted file mode 100644
index 833c476..0000000
--- a/SOURCES/bind99-rh640538.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From d3c58d860737f0f70eff05edad77e0b2a90d4cb9 Mon Sep 17 00:00:00 2001
-From: Petr Mensik <pemensik@redhat.com>
-Date: Fri, 19 Jun 2020 18:48:23 +0200
-Subject: [PATCH] .rh640538
-
----
- bin/dig/dig.rst | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst
-index bef52ba..9f16607 100644
---- a/bin/dig/dig.rst
-+++ b/bin/dig/dig.rst
-@@ -615,6 +615,26 @@ To turn off IDN support, use the parameters
- ``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment
- variable.
- 
-+Return Codes
-+~~~~~~~~~~~~
-+
-+``dig`` return codes are:
-+
-+``0``
-+   Response received, including NXDOMAIN status
-+
-+``1``
-+   Usage error
-+
-+``8``
-+   Couldn't open batch file
-+
-+``9``
-+   No reply from server
-+
-+``10``
-+   Internal error
-+
- Files
- ~~~~~
- 
--- 
-2.26.2
-
diff --git a/SOURCES/named-chroot.files b/SOURCES/named-chroot.files
index 9a768e4..75e6aa1 100644
--- a/SOURCES/named-chroot.files
+++ b/SOURCES/named-chroot.files
@@ -20,6 +20,7 @@
 /usr/lib/named
 /usr/share/GeoIP
 /run/named
+/proc/sys/net/ipv4/ip_local_port_range
 # Warning: the order is important
 # If a directory containing $ROOTDIR is listed here,
 # it MUST be listed last. (/var/named contains /var/named/chroot)
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index f1ebc1d..6e30f0a 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -30,7 +30,7 @@
 %global        chroot_prefix     %{bind_dir}/chroot
 %global        chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
                                          %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
-                                         %{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP
+                                         %{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4
 
 %global        selinuxbooleans   named_write_master_zones=1
 ## The order of libs is important. See lib/Makefile.in for details
@@ -50,8 +50,8 @@
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  MPLv2.0
-Version:  9.16.20
-Release:  2%{?dist}
+Version:  9.16.23
+Release:  1%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -90,7 +90,6 @@ Patch72: bind-9.5-dlz-64bit.patch
 Patch106:bind93-rh490837.patch
 Patch112:bind97-rh645544.patch
 Patch130:bind-9.9.1-P2-dlz-libdb.patch
-Patch133:bind99-rh640538.patch
 # Make PKCS11 used only for pkcs11 parts
 Patch135:bind-9.14-config-pkcs11.patch
 # Fedora specific patch to distribute native-pkcs#11 functionality
@@ -102,9 +101,6 @@ Patch157:bind-9.11-fips-tests.patch
 Patch164:bind-9.11-rh1666814.patch
 Patch170:bind-9.11-feature-test-named.patch
 Patch171:bind-9.11-tests-variants.patch
-# https://gitlab.isc.org/isc-projects/bind9/-/issues/2872
-# https://kb.isc.org/docs/map-zone-format-incompatibility-in-bind-9-16-20-and-9-17-17
-Patch172:https://downloads.isc.org/isc/bind9/9.16.20/patches/bind-9.16.20-map-format-fix.patch
 
 %{?systemd_ordering}
 Requires:       coreutils
@@ -405,7 +401,6 @@ in HTML and PDF format.
 %patch164 -p1 -b .rh1666814
 %patch170 -p1 -b .featuretest-named
 %patch171 -p1 -b .test-variant
-%patch172 -p1 -b .map-format
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -417,8 +412,6 @@ cp -r lib/ns{,-pkcs11}
 %patch149 -p1 -b .kyua-pkcs11
 %endif
 
-%patch133 -p1 -b .rh640538
-
 # Sparc and s390 arches need to use -fPIE
 %ifarch sparcv9 sparc64 s390 s390x
 for i in bin/named/{,unix}/Makefile.in; do
@@ -1057,6 +1050,7 @@ fi;
 %dir %{chroot_prefix}/%{_libdir}
 %dir %{chroot_prefix}/%{_libdir}/bind
 %dir %{chroot_prefix}/%{_datadir}/GeoIP
+%{chroot_prefix}/proc
 %defattr(0660,root,named,01770)
 %dir %{chroot_prefix}%{_localstatedir}/named
 %defattr(0660,named,named,0770)
@@ -1129,6 +1123,18 @@ fi;
 %endif
 
 %changelog
+* Fri Nov 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-1
+- Update to 9.16.23 (#2024210)
+
+* Wed Oct 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-5
+- Propagate ephemeral port ranges to chroot (#2013595)
+
+* Tue Oct 12 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-4
+- Fixes listening on TCP in some race conditions (#1999691)
+
+* Tue Oct 12 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-3
+- Include documentation of dig return codes (#1989909)
+
 * Thu Aug 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-2
 - Fix map file format incompatibility
 - Actually enable LMDB support