diff --git a/SOURCES/root.anchor b/SOURCES/root.anchor
index 1d2f75d..d13dec7 100644
--- a/SOURCES/root.anchor
+++ b/SOURCES/root.anchor
@@ -1,2 +1 @@
-. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
 . 98799 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
diff --git a/SOURCES/root.key b/SOURCES/root.key
index d8aca0c..6c5622c 100644
--- a/SOURCES/root.key
+++ b/SOURCES/root.key
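Review bot: After this hunk root.anchor carries a single DNSKEY record (id 20326) and nothing in the file says whether it is a fixed bootstrap snapshot or something the resolver keeps current, so an operator cannot tell from the file whether it must be refreshed by hand at the next root KSK rollover; the root.key hunk that follows has the same gap. Which of the two files the shipped configuration actually points at, and whether it is used as an RFC 5011 auto-updated anchor, is not visible on this page, so this is inferred. A one-line comment above the record, such as `; shipped snapshot of the root KSK (id 20326); verify against the published IANA root trust anchor before relying on it`, would remove the ambiguity without changing what tools parse.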
@@ -1,7 +1,6 @@
 ; // The root key in bind format. This can be read by most tools, including
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
 trusted-keys {
-"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
 "." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
 };
diff --git a/SOURCES/unbound-1.6.6-fix-domain-insecure-for-stub-zone.patch b/SOURCES/unbound-1.6.6-fix-domain-insecure-for-stub-zone.patch
new file mode 100644
index 0000000..33e00a7
--- /dev/null
+++ b/SOURCES/unbound-1.6.6-fix-domain-insecure-for-stub-zone.patch
@@ -0,0 +1,45 @@
+From 52aeaf4924ec3f6689e6aafedbe41473d2bda992 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards
+Date: Tue, 14 Nov 2017 10:01:44 +0000
+Subject: [PATCH] - Fix #2882: Unbound behaviour changes (wrong) when
+ domain-insecure is set for stub zone. It no longer searches for DNSSEC
+ information.
+
+git-svn-id: file:///svn/unbound/trunk@4404 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ iterator/iter_utils.c | 5 +++++
+ iterator/iter_utils.h | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
+index 0b1b456..70cab40 100644
+--- a/iterator/iter_utils.c
++++ b/iterator/iter_utils.c
+@@ -656,6 +656,11 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
+ /* a trust anchor exists with this name, RRSIGs expected */
+ if((a=anchor_find(env->anchors, dp->name, dp->namelabs, dp->namelen,
+ dclass))) {
++ if(a->numDS == 0 && a->numDNSKEY == 0) {
++ /* insecure trust point */
++ lock_basic_unlock(&a->lock);
++ return 0;
++ }
+ lock_basic_unlock(&a->lock);
+ return 1;
+ }
+diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
+index 50c5fc0..5b6df7f 100644
+--- a/iterator/iter_utils.h
++++ b/iterator/iter_utils.h
+@@ -193,7 +193,7 @@ int iter_indicates_dnssec_fwd(struct module_env* env,
+ * @param dp: delegation point.
+ * @param msg: delegation message, with DS if a secure referral.
+ * @param dclass: class of query.
+- * @return 1 if dnssec is expected, 0 if not.
++ * @return 1 if dnssec is expected, 0 if not or insecure point above qname.
+ */
+ int iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
+ struct dns_msg* msg, uint16_t dclass);
+-- 
+2.20.1
+
diff --git a/SOURCES/unbound-1.6.6-rh1775706.patch b/SOURCES/unbound-1.6.6-rh1775706.patch
new file mode 100644
index 0000000..a6bc5fd
--- /dev/null
+++ b/SOURCES/unbound-1.6.6-rh1775706.patch
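Review bot: The header comment rewritten by the inner iter_utils.h hunk says `0 if not or insecure point above qname`, but the check added in the inner iter_utils.c hunk is tied to the one anchor that `anchor_find` returns for `dp->name`, the delegation point, and "insecure" there means exactly `a->numDS == 0 && a->numDNSKEY == 0`; the wording should name that point and that condition so callers do not assume every anchor above the qname is walked. Suggested: `* @return 1 if dnssec is expected, 0 if not, or if the trust point at the delegation point name is insecure (it has neither DS nor DNSKEY).` The body of iter_indicates_dnssec begins and ends outside the inner hunk, so whether other anchors are consulted elsewhere in it cannot be confirmed from here. This file is a verbatim upstream commit (52aeaf4), so the wording change belongs upstream rather than as a downstream deviation in this patch.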
@@ -0,0 +1,160 @@
+From d905fd132a536e9149c91816704500c659e154f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+Date: Tue, 26 Nov 2019 16:32:03 +0100
+Subject: [PATCH] Changed log lock from 'quick' to 'basic' because this is an
+ I/O lock.
+
+We cannot use a 'quick' lock (i.e. lock spinning on the CPU) for the log
+lock because it can wait a lot on I/Os. Using a 'quick' lock leads to
+eating the CPU for no good reason.
+
+Example of 'pidstat' output when using various locks for log_lock:
+
+- 'quick' lock and slow log file system (tail -f on the log file on XFS on RHEL 8)
+
+04:15:11 PM UID TGID TID %usr %system %CPU CPU Command
+04:15:21 PM 998 16431 - 100.00 4.20 100.00 2 unbound
+04:15:21 PM 998 - 16431 31.00 1.00 32.00 2 |__unbound
+04:15:21 PM 998 - 16432 31.30 0.80 32.10 0 |__unbound
+04:15:21 PM 998 - 16433 30.20 1.40 31.60 1 |__unbound
+04:15:21 PM 998 - 16434 30.70 1.00 31.70 3 |__unbound
+
+- 'quick' lock and log file system being fast
+
+04:15:40 PM UID TGID TID %usr %system %CPU CPU Command
+04:15:50 PM 998 16431 - 10.00 1.60 11.60 1 unbound
+04:15:50 PM 998 - 16431 2.50 0.50 3.00 1 |__unbound
+04:15:50 PM 998 - 16432 2.30 0.40 2.70 3 |__unbound
+04:15:50 PM 998 - 16433 2.70 0.30 3.00 0 |__unbound
+04:15:50 PM 998 - 16434 2.60 0.40 3.00 2 |__unbound
+
+- 'basic' lock (this commit) and slow log file system (tail -f on the log file on XFS on RHEL 8)
+
+04:29:48 PM UID TGID TID %usr %system %CPU CPU Command
+04:29:58 PM 998 11632 - 7.10 14.10 21.20 3 unbound
+04:29:58 PM 998 - 11632 1.70 3.20 4.90 3 |__unbound
+04:29:58 PM 998 - 11633 1.60 3.30 4.90 1 |__unbound
+04:29:58 PM 998 - 11634 2.00 4.10 6.10 1 |__unbound
+04:29:58 PM 998 - 11635 1.90 3.50 5.40 1 |__unbound
+
+We can see in the above example, when 'basic' lock is used, that CPU
+isn't consumed when log file system is slow.
+
+Another reproducer scenario: put the log file on a NFS share with 'sync'
+option.
+---
+ util/log.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/util/log.c b/util/log.c
+index c14b458..5b31854 100644
+--- a/util/log.c
++++ b/util/log.c
+@@ -70,7 +70,7 @@ static int key_created = 0;
+ static ub_thread_key_type logkey;
+ #ifndef THREADS_DISABLED
+ /** pthread mutex to protect FILE* */
+-static lock_quick_type log_lock;
++static lock_basic_type log_lock;
+ #endif
+ /** the identity of this executable/process */
+ static const char* ident="unbound";
+@@ -90,18 +90,18 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
+ if(!key_created) {
+ key_created = 1;
+ ub_thread_key_create(&logkey, NULL);
+- lock_quick_init(&log_lock);
++ lock_basic_init(&log_lock);
+ }
+- lock_quick_lock(&log_lock);
++ lock_basic_lock(&log_lock);
+ if(logfile
+ #if defined(HAVE_SYSLOG_H) || defined(UB_ON_WINDOWS)
+ || logging_to_syslog
+ #endif
+ ) {
+- lock_quick_unlock(&log_lock); /* verbose() needs the lock */
++ lock_basic_unlock(&log_lock); /* verbose() needs the lock */
+ verbose(VERB_QUERY, "switching log to %s",
+ use_syslog?"syslog":(filename&&filename[0]?filename:"stderr"));
+- lock_quick_lock(&log_lock);
++ lock_basic_lock(&log_lock);
+ }
+ if(logfile && logfile != stderr) {
+ FILE* cl = logfile;
+@@ -119,7 +119,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
+ * chroot and no longer be able to access dev/log and so on */
+ openlog(ident, LOG_NDELAY, LOG_DAEMON);
+ logging_to_syslog = 1;
+- lock_quick_unlock(&log_lock);
++ lock_basic_unlock(&log_lock);
+ return;
+ }
+ #elif defined(UB_ON_WINDOWS)
+@@ -128,13 +128,13 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
+ }
+ if(use_syslog) {
+ logging_to_syslog = 1;
+- lock_quick_unlock(&log_lock);
++ lock_basic_unlock(&log_lock);
+ return;
+ }
+ #endif /* HAVE_SYSLOG_H */
+ if(!filename || !filename[0]) {
+ logfile = stderr;
+- lock_quick_unlock(&log_lock);
++ lock_basic_unlock(&log_lock);
+ return;
+ }
+ /* open the file for logging */
+@@ -143,7 +143,7 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
+ filename += strlen(chrootdir);
+ f = fopen(filename, "a");
+ if(!f) {
+- lock_quick_unlock(&log_lock);
++ lock_basic_unlock(&log_lock);
+ log_err("Could not open logfile %s: %s", filename,
+ strerror(errno));
+ return;
+@@ -153,14 +153,14 @@ log_init(const char* filename, int use_syslog, const char* chrootdir)
+ setvbuf(f, NULL, (int)_IOLBF, 0);
+ #endif
+ logfile = f;
+- lock_quick_unlock(&log_lock);
++ lock_basic_unlock(&log_lock);
+ }
+ 
+ void log_file(FILE *f)
+ {
+- lock_quick_lock(&log_lock);
++ lock_basic_lock(&log_lock);
+ logfile = f;
+- lock_quick_unlock(&log_lock);
++ lock_basic_unlock(&log_lock);
+ }
+ 
+ void log_thread_set(int* num)
+@@ -239,9 +239,9 @@ log_vmsg(int pri, const char* type,
+ return;
+ }
+ #endif /* HAVE_SYSLOG_H */
+- lock_quick_lock(&log_lock);
++ lock_basic_lock(&log_lock);
+ if(!logfile) {
+- lock_quick_unlock(&log_lock);
++ lock_basic_unlock(&log_lock);
+ return;
+ }
+ if(log_now)
+@@ -268,7 +268,7 @@ log_vmsg(int pri, const char* type,
+ /* line buffering does not work on windows */
+ fflush(logfile);
+ #endif
+- lock_quick_unlock(&log_lock);
++ lock_basic_unlock(&log_lock);
+ }
+ 
+ /**
+-- 
+2.21.0
+
diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec
index fcb5457..353575d 100644
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@@ -12,7 +12,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.6.6
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: BSD
 Url: https://unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}.tar.gz
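Review bot: The declaration comment `/** pthread mutex to protect FILE* */` directly above `log_lock` in the first inner log.c hunk is left as is while the type beneath it changes from `lock_quick_type` to `lock_basic_type`, so the reason the lock kind matters — the holder blocks on file I/O (`fopen` in log_init and `fflush` in log_vmsg are both done with the lock held in these hunks), which makes a spinning lock burn CPU — survives only in the commit message and not in the tree. Suggested replacement: `/** lock protecting logfile; a blocking lock, not a spinlock, because the holder does file I/O (fopen, fflush) */`. What lock_quick_* and lock_basic_* expand to is defined outside this patch, so the spinlock/mutex characterisation is taken from the commit message rather than from visible code. log_init, log_file and log_vmsg each start or end outside the inner hunks, and as this is a format-patch backport the comment would have to go into a refreshed patch rather than be edited here.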
@@ -39,6 +39,9 @@ Patch3: unbound-1.6.3-print-test-fails.patch
 Patch4: unbound-1.6.3-coverity.patch
 # Randomize outgoing port too, do not fail on two running builds on one host
 Patch5: unbound-1.6.6-test-fwd_oneport.patch
+Patch6: unbound-1.6.6-fix-domain-insecure-for-stub-zone.patch
+Patch7: unbound-1.6.6-rh1775706.patch
+
 Group: System Environment/Daemons
 BuildRequires: openssl-devel
 %if %{with_test}
@@ -137,6 +140,8 @@ Python modules and extensions for unbound
 %patch3 -p1 -b .testlog
 %patch4 -p1 -b .coverity
 %patch5 -p1 -b .test-fwd_oneport
+%patch6 -p1 -b .domain-insecure
+%patch7 -p1 -b .rh1775706
 # regrnerate config parser due to new options added
 echo "#include \"config.h\"" > util/configlexer.c || echo "Failed to create configlexer"
@@ -348,6 +353,14 @@ fi
 %endif
 %changelog
+* Tue Dec 03 2019 Petr Menšík - 1.6.6-3
+- Lower CPU usage on slow log I/O (#1775706)
+
+* Thu Jul 25 2019 Martin Osvald - 1.6.6-2
+- Do not search for DNSSEC info when domain-insecure is set
+ for stub zone (#1678550)
+- Remove KSK-2010 from configuration files - it has been revoked (#1665503)
+
 * Wed Oct 11 2017 Petr Menšík - 1.6.6-1
 - Rebase to 1.6.6
 - Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics