diff --git a/SOURCES/root.anchor b/SOURCES/root.anchor
index 18367f8..1d2f75d 100644
--- a/SOURCES/root.anchor
+++ b/SOURCES/root.anchor
@@ -1 +1,2 @@
 .	98799	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
+.	98799	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
diff --git a/SOURCES/root.key b/SOURCES/root.key
index e340ed0..d8aca0c 100644
--- a/SOURCES/root.key
+++ b/SOURCES/root.key
@@ -2,5 +2,6 @@
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
 trusted-keys {
 "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
+"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
 
 };
diff --git a/SOURCES/unbound-1.4.20-cache-max-negative-ttl.patch b/SOURCES/unbound-1.4.20-cache-max-negative-ttl.patch
new file mode 100644
index 0000000..6ec4725
--- /dev/null
+++ b/SOURCES/unbound-1.4.20-cache-max-negative-ttl.patch
@@ -0,0 +1,312 @@
+From e1132a3a41d2ff5a9479bbb629d73db4856a5f34 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza@redhat.com>
+Date: Tue, 11 Oct 2016 15:38:58 +0200
+Subject: [PATCH] Add cache-max-negative-ttl option
+
+https://github.com/thozza/unbound/commit/0ef133ea5819fbf7518de9c8492c5e05c95ac8ce
+
+git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@3431 be551aaa-1e26-0410-a405-d3ace91eadb9
+Signed-off-by: Tomas Hozza <thozza@redhat.com>
+---
+ doc/example.conf.in                    |  3 +++
+ doc/unbound-control.8.in               |  2 +-
+ doc/unbound.conf.5.in                  |  4 ++++
+ testcode/unitmsgparse.c                |  3 +++
+ testdata/iter_domain_sale.rpl          |  3 ++-
+ testdata/iter_domain_sale_nschange.rpl |  6 ++++--
+ util/config_file.c                     |  5 +++++
+ util/config_file.h                     |  2 ++
+ util/configlexer.lex                   |  1 +
+ util/configparser.y                    | 12 +++++++++++-
+ util/data/msgparse.h                   |  2 ++
+ util/data/msgreply.c                   | 29 ++++++++++++++++++++++++++---
+ 12 files changed, 64 insertions(+), 8 deletions(-)
+
+diff --git a/doc/example.conf.in b/doc/example.conf.in
+index aa9a7f7..52cad67 100644
+--- a/doc/example.conf.in
++++ b/doc/example.conf.in
+@@ -125,6 +125,9 @@ server:
+ 	# cache. Items are not cached for longer. In seconds.
+ 	# cache-max-ttl: 86400
+ 
++	# the time to live (TTL) value cap for negative responses in the cache
++	# cache-max-negative-ttl: 3600
++
+ 	# the time to live (TTL) value for cached roundtrip times, lameness and
+ 	# EDNS version information for hosts. In seconds.
+ 	# infra-host-ttl: 900
+diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
+index 669e81d..f2c76eb 100644
+--- a/doc/unbound-control.8.in
++++ b/doc/unbound-control.8.in
+@@ -170,7 +170,7 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain,
+ harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
+ hide\-identity, hide\-version, identity, version, val\-log\-level,
+ val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
+-keep\-missing, tcp\-upstream, ssl\-upstream.
++keep\-missing, tcp\-upstream, ssl\-upstream, cache\-max\-negative\-ttl.
+ .TP
+ .B get_option \fIopt
+ Get the value of the option.  Give the option name without a trailing ':'.
+diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
+index 6dd0216..7485345 100644
+--- a/doc/unbound.conf.5.in
++++ b/doc/unbound.conf.5.in
+@@ -267,6 +267,10 @@ Zero makes sure the data in the cache is as the domain owner intended,
+ higher values, especially more than an hour or so, can lead to trouble as 
+ the data in the cache does not match up with the actual data any more.
+ .TP
++.B cache\-max\-negative\-ttl: \fI<seconds>
++Time to live maximum for negative responses, these have a SOA in the
++authority section that is limited in time.  Default is 3600.
++.TP
+ .B infra\-host\-ttl: \fI<seconds>
+ Time to live for entries in the host cache. The host cache contains 
+ roundtrip timing, lameness and EDNS support information. Default is 900.
+diff --git a/testcode/unitmsgparse.c b/testcode/unitmsgparse.c
+index 4342395..08f3b50 100644
+--- a/testcode/unitmsgparse.c
++++ b/testcode/unitmsgparse.c
+@@ -582,9 +582,11 @@ testfromdrillfile(ldns_buffer* pkt, struct alloc_cache* alloc,
+ 
+ void msgparse_test(void)
+ {
++	uint32_t origttl = MAX_NEG_TTL;
+ 	ldns_buffer* pkt = ldns_buffer_new(65553);
+ 	ldns_buffer* out = ldns_buffer_new(65553);
+ 	struct alloc_cache super_a, alloc;
++	MAX_NEG_TTL = 86400;
+ 	/* init */
+ 	alloc_init(&super_a, NULL, 0);
+ 	alloc_init(&alloc, &super_a, 2);
+@@ -621,4 +623,5 @@ void msgparse_test(void)
+ 	alloc_clear(&super_a);
+ 	ldns_buffer_free(pkt);
+ 	ldns_buffer_free(out);
++	MAX_NEG_TTL = origttl;
+ }
+diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl
+index 724b51d..ff61278 100644
+--- a/testdata/iter_domain_sale.rpl
++++ b/testdata/iter_domain_sale.rpl
+@@ -238,7 +238,8 @@ SECTION QUESTION
+ nx1.example.com. IN A
+ SECTION ANSWER
+ SECTION AUTHORITY
+-example.com.	3600 IN SOA	a. b. 1 2 3 4 5
++; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA
++example.com.	5 IN SOA	a. b. 1 2 3 4 5
+ example.com.	1800 IN NS	ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com.	1800 	IN 	A	1.2.3.4
+diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl
+index a7d9f11..bc396f6 100644
+--- a/testdata/iter_domain_sale_nschange.rpl
++++ b/testdata/iter_domain_sale_nschange.rpl
+@@ -285,7 +285,8 @@ SECTION QUESTION
+ nx1.example.com. IN A
+ SECTION ANSWER
+ SECTION AUTHORITY
+-example.com.	3600 IN SOA	a. b. 1 2 3 4 5
++; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
++example.com.	5 IN SOA	a. b. 1 2 3 4 5
+ example.com.	3600 IN NS	nsb.example.com.
+ SECTION ADDITIONAL
+ nsb.example.com.	3600 	IN 	A	1.2.3.4
+@@ -306,7 +307,8 @@ SECTION QUESTION
+ nx1.example.com. IN A
+ SECTION ANSWER
+ SECTION AUTHORITY
+-example.com.	3600 IN SOA	a. b. 1 2 3 4 5
++; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
++example.com.	5 IN SOA	a. b. 1 2 3 4 5
+ example.com.	1800 IN NS	nsb.example.com.
+ SECTION ADDITIONAL
+ nsb.example.com.	3600 	IN 	A	1.2.3.4
+diff --git a/util/config_file.c b/util/config_file.c
+index b946f0d..4e0fbe7 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -128,6 +128,7 @@ config_create(void)
+ 	cfg->bogus_ttl = 60;
+ 	cfg->min_ttl = 0;
+ 	cfg->max_ttl = 3600 * 24;
++	cfg->max_negative_ttl = 3600;
+ 	cfg->prefetch = 0;
+ 	cfg->prefetch_key = 0;
+ 	cfg->infra_cache_slabs = 4;
+@@ -359,6 +360,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
+ 	else S_YNO("prefetch:", prefetch)
+ 	else S_YNO("prefetch-key:", prefetch_key)
+ 	else S_NUMBER_OR_ZERO("cache-max-ttl:", max_ttl)
++	else if(strcmp(opt, "cache-max-negative-ttl:") == 0)
++	{ IS_NUMBER_OR_ZERO; cfg->max_negative_ttl = atoi(val); MAX_NEG_TTL=cfg->max_negative_ttl;}
+ 	else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl)
+ 	else S_POW2("infra-cache-slabs:", infra_cache_slabs)
+ 	else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts)
+@@ -593,6 +596,7 @@ config_get_option(struct config_file* cfg, const char* opt,
+ 	else O_YNO(opt, "prefetch-key", prefetch_key)
+ 	else O_YNO(opt, "prefetch", prefetch)
+ 	else O_DEC(opt, "cache-max-ttl", max_ttl)
++	else O_DEC(opt, "cache-max-negative-ttl", max_negative_ttl)
+ 	else O_DEC(opt, "infra-host-ttl", host_ttl)
+ 	else O_DEC(opt, "infra-cache-slabs", infra_cache_slabs)
+ 	else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts)
+@@ -1149,6 +1153,7 @@ config_apply(struct config_file* config)
+ {
+ 	MAX_TTL = (uint32_t)config->max_ttl;
+ 	MIN_TTL = (uint32_t)config->min_ttl;
++	MAX_NEG_TTL = (uint32_t)config->max_negative_ttl;
+ 	EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;
+ 	MINIMAL_RESPONSES = config->minimal_responses;
+ 	RRSET_ROUNDROBIN = config->rrset_roundrobin;
+diff --git a/util/config_file.h b/util/config_file.h
+index 69595cb..4d493b8 100644
+--- a/util/config_file.h
++++ b/util/config_file.h
+@@ -179,6 +179,8 @@ struct config_file {
+ 	int max_ttl;
+ 	/** the number of seconds minimum TTL used for RRsets and messages */
+ 	int min_ttl;
++	/** the number of seconds maximal negative TTL for SOA in auth */
++	int max_negative_ttl;
+ 	/** if prefetching of messages should be performed. */
+ 	int prefetch;
+ 	/** if prefetching of DNSKEYs should be performed. */
+diff --git a/util/configlexer.lex b/util/configlexer.lex
+index 4694cdd..079f195 100644
+--- a/util/configlexer.lex
++++ b/util/configlexer.lex
+@@ -208,6 +208,7 @@ msg-cache-slabs{COLON}		{ YDVAR(1, VAR_MSG_CACHE_SLABS) }
+ rrset-cache-size{COLON}		{ YDVAR(1, VAR_RRSET_CACHE_SIZE) }
+ rrset-cache-slabs{COLON}	{ YDVAR(1, VAR_RRSET_CACHE_SLABS) }
+ cache-max-ttl{COLON}     	{ YDVAR(1, VAR_CACHE_MAX_TTL) }
++cache-max-negative-ttl{COLON}   { YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) }
+ cache-min-ttl{COLON}     	{ YDVAR(1, VAR_CACHE_MIN_TTL) }
+ infra-host-ttl{COLON}		{ YDVAR(1, VAR_INFRA_HOST_TTL) }
+ infra-lame-ttl{COLON}		{ YDVAR(1, VAR_INFRA_LAME_TTL) }
+diff --git a/util/configparser.y b/util/configparser.y
+index 0dbee2b..7d7147d 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -105,6 +105,7 @@ extern struct config_parser_state* cfg_parser;
+ %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
+ %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
+ %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
++%token VAR_CACHE_MAX_NEGATIVE_TTL
+ 
+ %%
+ toplevelvars: /* empty */ | toplevelvars toplevelvar ;
+@@ -161,7 +162,7 @@ content_server: server_num_threads | server_verbosity | server_port |
+ 	server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
+ 	server_log_queries | server_tcp_upstream | server_ssl_upstream |
+ 	server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
+-	server_minimal_responses | server_rrset_roundrobin
++	server_minimal_responses | server_rrset_roundrobin | server_cache_max_negative_ttl
+ 	;
+ stubstart: VAR_STUB_ZONE
+ 	{
+@@ -934,6 +935,15 @@ server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG
+ 		free($2);
+ 	}
+ 	;
++server_cache_max_negative_ttl: VAR_CACHE_MAX_NEGATIVE_TTL STRING_ARG
++	{
++		OUTYY(("P(server_cache_max_negative_ttl:%s)\n", $2));
++		if(atoi($2) == 0 && strcmp($2, "0") != 0)
++			yyerror("number expected");
++		else cfg_parser->cfg->max_negative_ttl = atoi($2);
++		free($2);
++	}
++	;
+ server_cache_min_ttl: VAR_CACHE_MIN_TTL STRING_ARG
+ 	{
+ 		OUTYY(("P(server_cache_min_ttl:%s)\n", $2));
+diff --git a/util/data/msgparse.h b/util/data/msgparse.h
+index 830d68e..825d368 100644
+--- a/util/data/msgparse.h
++++ b/util/data/msgparse.h
+@@ -74,6 +74,8 @@ struct regional;
+ extern uint32_t MAX_TTL;
+ /** Minimum TTL that is allowed. */
+ extern uint32_t MIN_TTL;
++/** Maximum Negative TTL that is allowed */
++extern uint32_t MAX_NEG_TTL;
+ /** Negative cache time (for entries without any RRs.) */
+ #define NORR_TTL 5 /* seconds */
+ 
+diff --git a/util/data/msgreply.c b/util/data/msgreply.c
+index 6d711ff..dce724d 100644
+--- a/util/data/msgreply.c
++++ b/util/data/msgreply.c
+@@ -56,6 +56,8 @@
+ uint32_t MAX_TTL = 3600 * 24 * 10; /* ten days */
+ /** MIN TTL default for messages and rrsets */
+ uint32_t MIN_TTL = 0;
++/** MAX Negative TTL, for SOA records in authority section */
++uint32_t MAX_NEG_TTL = 3600; /* one hour */
+ 
+ /** allocate qinfo, return 0 on error */
+ static int
+@@ -151,10 +153,23 @@ repinfo_alloc_rrset_keys(struct reply_info* rep, struct alloc_cache* alloc,
+ 	return 1;
+ }
+ 
++/** find the minimumttl in the rdata of SOA record */
++static uint32_t
++soa_find_minttl(struct rr_parse* rr)
++{
++	uint16_t rlen = ldns_read_uint16(rr->ttl_data+4);
++	if(rlen < 20)
++		return 0; /* rdata too small for SOA (dname, dname, 5*32bit) */
++	/* minimum TTL is the last 32bit value in the rdata of the record */
++	/* at position ttl_data + 4(ttl) + 2(rdatalen) + rdatalen - 4(timeval)*/
++	return ldns_read_uint32(rr->ttl_data+6+rlen-4);
++}
++
+ /** do the rdata copy */
+ static int
+ rdata_copy(ldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to, 
+-	struct rr_parse* rr, uint32_t* rr_ttl, uint16_t type)
++	struct rr_parse* rr, uint32_t* rr_ttl, uint16_t type,
++	ldns_pkt_section section)
+ {
+ 	uint16_t pkt_len;
+ 	const ldns_rr_descriptor* desc;
+@@ -163,6 +178,14 @@ rdata_copy(ldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to,
+ 	/* RFC 2181 Section 8. if msb of ttl is set treat as if zero. */
+ 	if(*rr_ttl & 0x80000000U)
+ 		*rr_ttl = 0;
++	if(type == LDNS_RR_TYPE_SOA && section == LDNS_SECTION_AUTHORITY) {
++		/* negative response. see if TTL of SOA record larger than the
++		 * minimum-ttl in the rdata of the SOA record */
++		if(*rr_ttl > soa_find_minttl(rr))
++			*rr_ttl = soa_find_minttl(rr);
++		if(*rr_ttl > MAX_NEG_TTL)
++			*rr_ttl = MAX_NEG_TTL;
++	}
+ 	if(*rr_ttl < MIN_TTL)
+ 		*rr_ttl = MIN_TTL;
+ 	if(*rr_ttl < data->ttl)
+@@ -252,7 +275,7 @@ parse_rr_copy(ldns_buffer* pkt, struct rrset_parse* pset,
+ 		data->rr_data[i] = nextrdata;
+ 		nextrdata += rr->size;
+ 		if(!rdata_copy(pkt, data, data->rr_data[i], rr, 
+-			&data->rr_ttl[i], pset->type))
++			&data->rr_ttl[i], pset->type, pset->section))
+ 			return 0;
+ 		rr = rr->next;
+ 	}
+@@ -263,7 +286,7 @@ parse_rr_copy(ldns_buffer* pkt, struct rrset_parse* pset,
+ 		data->rr_data[i] = nextrdata;
+ 		nextrdata += rr->size;
+ 		if(!rdata_copy(pkt, data, data->rr_data[i], rr, 
+-			&data->rr_ttl[i], LDNS_RR_TYPE_RRSIG))
++			&data->rr_ttl[i], LDNS_RR_TYPE_RRSIG, pset->section))
+ 			return 0;
+ 		rr = rr->next;
+ 	}
+-- 
+2.7.4
+
diff --git a/SOURCES/unbound-1.4.20-longcheck-fixup.patch b/SOURCES/unbound-1.4.20-longcheck-fixup.patch
new file mode 100644
index 0000000..1ba0808
--- /dev/null
+++ b/SOURCES/unbound-1.4.20-longcheck-fixup.patch
@@ -0,0 +1,74 @@
+diff --git a/testcode/do-tests.sh b/testcode/do-tests.sh
+index 84d2ef5..b44dd77 100755
+--- a/testcode/do-tests.sh
++++ b/testcode/do-tests.sh
+@@ -1,6 +1,10 @@
+ #!/usr/bin/env bash
+ . testdata/common.sh
+ 
++# make sure that the binaries used during tests can find the libraries compiled with them
++LD_LIBRARY_PATH_BAK="$LD_LIBRARY_PATH"
++export LD_LIBRARY_PATH="$(pwd)/.libs"
++
+ NEED_SPLINT='00-lint.tpkg'
+ NEED_DOXYGEN='01-doc.tpkg'
+ NEED_XXD='fwd_compress_c00c.tpkg fwd_zero.tpkg'
+@@ -10,6 +14,23 @@ NEED_WHOAMI='07-confroot.tpkg'
+ NEED_IPV6='fwd_ancil.tpkg fwd_tcp_tc6.tpkg stub_udp6.tpkg edns_cache.tpkg'
+ NEED_NOMINGW='tcp_sigpipe.tpkg 07-confroot.tpkg 08-host-lib.tpkg fwd_ancil.tpkg'
+ 
++# 01-doc - checks for errors and warnings and there are warnings due to obsolted keywords
++# in the doxygen documentation. Not a big deal, therefore skipping this.
++#
++# 06-ianaports - This checks if the bundled copy is up to date, which is obviously not
++# as the version we are shipping is old version
++#
++# root_anchor - This fails because the pem file has been updated and re are shipping an
++# old copy of it.
++#
++# root_hints - This fails because addresses of root servers changed and we are shipping
++# an old copy of it. This is not an issue as all servers usually do priming on startup
++#
++# fwd_compress_c00c - The test fails because the HEX output contains one more zero on each
++# line at the beginning of the address from which the data is dumped. Nevertheless the data
++# are correct and match.
++ALWAYS_SKIP='01-doc.tpkg 06-ianaports.tpkg root_anchor.tpkg root_hints.tpkg fwd_compress_c00c.tpkg'
++
+ # test if dig and ldns-testns are available.
+ test_tool_avail "dig"
+ test_tool_avail "ldns-testns"
+@@ -50,6 +71,11 @@ for test in `ls *.tpkg`; do
+ 			SKIP=1;
+ 		fi
+ 	fi
++
++	if echo $ALWAYS_SKIP | grep $test >/dev/null; then
++		SKIP=1;
++	fi
++
+ 	if test $SKIP -eq 0; then
+ 		echo $test
+ 		sh ../testcode/mini_tpkg.sh -a ../.. exe $test
+@@ -57,5 +83,21 @@ for test in `ls *.tpkg`; do
+ 		echo "skip $test"
+ 	fi
+ done
+-sh ../testcode/mini_tpkg.sh report
++sh ../testcode/mini_tpkg.sh report > .report.txt
++cat .report.txt
++
++# Make sure the test suite fails when some test failed
++if cat .report.txt | grep "FAILED" >/dev/null; then
++	echo "Some tests FAILED!!!"
++	RESULTS=1
++else
++	echo "All tests PASSED"
++	RESULTS=0
++fi
++rm -f .report.txt
+ cat .perfstats.txt
++
++# restore LD_LIBRARY_PATH
++export LD_LIBRARY_PATH=$LD_LIBRARY_PATH_BAK
++
++exit $RESULTS
diff --git a/SOURCES/unbound-1.4.20-trust-anchor.patch b/SOURCES/unbound-1.4.20-trust-anchor.patch
new file mode 100644
index 0000000..0d019d9
--- /dev/null
+++ b/SOURCES/unbound-1.4.20-trust-anchor.patch
@@ -0,0 +1,16 @@
+diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
+index ef0031c..c622f24 100644
+--- a/smallapp/unbound-anchor.c
++++ b/smallapp/unbound-anchor.c
+@@ -239,7 +239,10 @@ static const char*
+ get_builtin_ds(void)
+ {
+ 	return
+-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
++/* anchor 19036 is from 2010 */
++/* anchor 20326 is from 2017 */
++". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
++". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
+ }
+ 
+ /** print hex data */
diff --git a/SOURCES/unbound.conf b/SOURCES/unbound.conf
index 2590f6d..26cb47e 100644
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@@ -135,6 +135,9 @@ server:
 	# cache. Items are not cached for longer. In seconds.
 	# cache-max-ttl: 86400
 
+	# the time to live (TTL) value cap for negative responses in the cache
+	# cache-max-negative-ttl: 3600
+
 	# the time to live (TTL) value for cached roundtrip times, lameness
 	# and EDNS version information for hosts. In seconds.
 	# infra-host-ttl: 900
diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec
index 6389c5e..faf9ae4 100644
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@@ -11,7 +11,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.20
-Release: 28%{?dist}
+Release: 34%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -38,9 +38,16 @@ Patch1: unbound-1.4.20-roundrobin.patch
 Patch2: unbound-1.4.20-streamtcp-manpage.patch
 Patch3: unbound-1.4.20-coverity_scan.patch
 Patch4: unbound-1.4.20-CVE-2014-8602.patch
+Patch5: unbound-1.4.20-cache-max-negative-ttl.patch
+Patch6: unbound-1.4.20-longcheck-fixup.patch
+Patch7: unbound-1.4.20-trust-anchor.patch
 
 Group: System Environment/Daemons
-BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.16-10
+BuildRequires: openssl-devel , ldns-devel >= 1.6.16-10
+# needed for the test suite
+BuildRequires: bind-utils
+# needed to regenerate configparser
+BuildRequires: flex, byacc
 BuildRequires: libevent-devel expat-devel
 %if %{with_python}
 BuildRequires:  python-devel swig
@@ -93,6 +100,9 @@ Summary: Libraries used by the unbound server and client applications
 Group: Applications/System
 Requires(post): /sbin/ldconfig
 Requires(post): systemd
+Requires(post): grep
+Requires(post): sed
+Requires(post): util-linux
 Requires(preun): systemd
 Requires(postun): /sbin/ldconfig
 Requires(postun): systemd
@@ -125,6 +135,15 @@ Python modules and extensions for unbound
 %patch2 -p1
 %patch3 -p1
 %patch4 -p0
+%patch5 -p1 -b .cache-max-negative-ttl
+%patch6 -p1 -b .longcheck-fixup
+%patch7 -p1 -b .root-anchor
+
+# regrnerate config parser due to new options added
+echo "#include \"config.h\"" > util/configlexer.c || echo "Failed to create configlexer"
+echo "#include \"util/configyyrename.h\"" >> util/configlexer.c || echo "Failed to create configlexer"
+flex -i -t util/configlexer.lex >> util/configlexer.c  || echo "Failed to create configlexer"
+yacc -y -d -o util/configparser.c util/configparser.y || echo "Failed to create configparser"
 
 %build
 %configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -252,6 +271,7 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control
 %{_unitdir}/unbound-anchor.timer
 %{_unitdir}/unbound-anchor.service
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
+# this file will be modified always after installation
 %attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
@@ -271,6 +291,18 @@ exit 0
 
 %post libs 
 /sbin/ldconfig
+# If update contains new keys not already in database, use package keys
+if [ "$1" -eq 2 -a -f %{_sharedstatedir}/unbound/root.key.rpmnew ]; then
+        /sbin/runuser --command="
+	cp -pf %{_sharedstatedir}/unbound/root.key %{_sharedstatedir}/unbound/root.key.rpmupdate && \
+	sed -e 's/;.*//' -e '/^[[:space:]]*$/ d' %{_sharedstatedir}/unbound/root.key.rpmnew | while read KEY;
+	do
+		if ! grep -q \"\$KEY\" %{_sharedstatedir}/unbound/root.key.rpmupdate; then
+			echo \"\$KEY\" >> %{_sharedstatedir}/unbound/root.key.rpmupdate || exit 1;
+		fi;
+	done && \
+	mv %{_sharedstatedir}/unbound/root.key.rpmupdate %{_sharedstatedir}/unbound/root.key" --shell /bin/sh unbound || :
+fi
 %{_sbindir}/runuser  --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.key -c %{_sysconfdir}/unbound/icannbundle.pem"  --shell /bin/sh unbound ||:
 %systemd_post unbound-anchor.timer
 # the Unit is in presets, but would be started afte reboot
@@ -302,7 +334,31 @@ exit 0
 /bin/systemctl try-restart unbound.service >/dev/null 2>&1 || :
 /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
 
+
+%check
+make check
+make longcheck
+
 %changelog
+* Fri Jun 02 2017 Petr Menšík <pemensik@redhat.com> - 1.4.20-34
+- Make merge of updated database more safe
+
+* Wed May 24 2017 Petr Menšík <pemensik@redhat.com> - 1.4.20-33
+- Update also built-in digest in unbound-anchor
+
+* Wed May 24 2017 Petr Menšík <pemensik@redhat.com> - 1.4.20-32
+- Update trust anchors (#1452636)
+- Update managed keys from trigger
+
+* Mon Mar 27 2017 Tomas Hozza <thozza@redhat.com> - 1.4.20-31
+- Run internal test suite during build (#1383722)
+
+* Thu Feb 02 2017 Tomas Hozza <thozza@redhat.com> - 1.4.20-30
+- Added cache-max-negative-ttl option to the default configuration file (#1382383)
+
+* Tue Oct 11 2016 Tomas Hozza <thozza@redhat.com> - 1.4.20-29
+- Added cache-max-negative-ttl option (#1382383)
+
 * Fri May 20 2016 Pavel Šimerda <psimerda@redhat.com> - 1.4.20-28
 - Related: #1245250 - depend on the right ldns version