diff --git a/.gitignore b/.gitignore index 7239dc8..7381005 100644 --- a/.gitignore +++ b/.gitignore @@ -114,3 +114,5 @@ bind-9.7.2b1.tar.gz /bind-9.17.20.tar.xz /bind-9.17.20.tar.xz.asc /isc-logo.pdf +/bind-9.17.21.tar.xz +/bind-9.17.21.tar.xz.asc diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch index ebf9e55..a91a083 100644 --- a/bind-9.11-fips-tests.patch +++ b/bind-9.11-fips-tests.patch @@ -1,4 +1,4 @@ -From 0e06aaa5fdd3a537d9646801082c569dbeda4ac3 Mon Sep 17 00:00:00 2001 +From 22a56b67a27b0ab63050ce6a287a15df6ac96f94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 2 Aug 2018 23:46:45 +0200 Subject: [PATCH] FIPS tests changes @@ -73,7 +73,6 @@ Date: Wed Mar 7 10:44:23 2018 +0100 .../system/allow-query/ns2/named40.conf.in | 4 +- bin/tests/system/allow-query/tests.sh | 18 ++--- bin/tests/system/catz/ns1/named.conf.in | 2 +- - bin/tests/system/catz/ns2/named.conf.in | 2 +- bin/tests/system/checkconf/bad-tsig.conf | 2 +- bin/tests/system/checkconf/good.conf | 2 +- bin/tests/system/feature-test.c | 14 ++++ @@ -90,7 +89,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100 bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/tests.sh | 2 +- - 32 files changed, 149 insertions(+), 106 deletions(-) + 31 files changed, 148 insertions(+), 105 deletions(-) diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in index 60f22e1..249f672 100644 @@ -429,10 +428,10 @@ index 687768e..d24d6d2 100644 }; diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index cdc970a..e06ede2 100644 +index c0398fe..cc1962a 100644 --- a/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh -@@ -181,7 +181,7 @@ rndc_reload ns2 10.53.0.2 +@@ -198,7 +198,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key allowed - query allowed" ret=0 
@@ -441,25 +440,25 @@ index cdc970a..e06ede2 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -194,7 +194,7 @@ rndc_reload ns2 10.53.0.2 +@@ -211,7 +211,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -207,7 +207,7 @@ rndc_reload ns2 10.53.0.2 +@@ -225,7 +225,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -340,7 +340,7 @@ rndc_reload ns2 10.53.0.2 +@@ -364,7 +364,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key allowed - query allowed" ret=0 
@@ -468,25 +467,25 @@ index cdc970a..e06ede2 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -353,7 +353,7 @@ rndc_reload ns2 10.53.0.2 +@@ -377,7 +377,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2 +@@ -391,7 +391,7 @@ rndc_reload ns2 10.53.0.2 echo_i "test $n: views key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -499,7 +499,7 @@ status=`expr $status + $ret` +@@ -531,7 +531,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key allowed - query allowed" ret=0 
@@ -495,24 +494,24 @@ index cdc970a..e06ede2 100644 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -509,7 +509,7 @@ status=`expr $status + $ret` +@@ -541,7 +541,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key not allowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -519,7 +519,7 @@ status=`expr $status + $ret` +@@ -552,7 +552,7 @@ status=`expr $status + $ret` n=`expr $n + 1` echo_i "test $n: zone key disallowed - query refused" ret=0 -$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 +$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in index 1218669..e62715e 100644 --- a/bin/tests/system/catz/ns1/named.conf.in 
@@ -522,17 +521,6 @@ index 1218669..e62715e 100644 key tsig_key. { secret "LSAnCU+Z"; - algorithm hmac-md5; -+ algorithm hmac-sha256; - }; -diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index 3a017b1..5417463 100644 ---- a/bin/tests/system/catz/ns2/named.conf.in -+++ b/bin/tests/system/catz/ns2/named.conf.in -@@ -70,5 +70,5 @@ zone "catalog4.example" { - - key tsig_key. { - secret "LSAnCU+Z"; -- algorithm hmac-md5; + algorithm hmac-sha256; }; diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf @@ -685,10 +673,10 @@ index be8c7f8..e465216 100644 $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 88910f9..56c57db 100755 +index 7b9c0e6..26e6b01 100755 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh -@@ -822,7 +822,14 @@ fi +@@ -823,7 +823,14 @@ fi n=`expr $n + 1` ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)" @@ -704,7 +692,7 @@ index 88910f9..56c57db 100755 $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 -@@ -830,7 +837,7 @@ send +@@ -831,7 +838,7 @@ send END done sleep 2 diff --git a/bind9-next.spec b/bind9-next.spec index f601600..feaa5bd 100644 --- a/bind9-next.spec +++ b/bind9-next.spec @@ -63,7 +63,7 @@ Conflicts: %1 \ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind9-next License: MPLv2.0 -Version: 9.17.20 +Version: 9.17.21 Release: 1%{?dist} Url: https://www.isc.org/downloads/bind/ # 
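Review bot: The refreshed FIPS test patch drops the whole `bin/tests/system/catz/ns2/named.conf.in` section (hunk `@@ -522,17 +521,6 @@`, mirrored in the diffstat hunk `@@ -73,7 +73,6 @@`), but keeps the matching `catz/ns1/named.conf.in` change from `algorithm hmac-md5;` to `algorithm hmac-sha256;`. Nothing visible here shows that ns2 already declares hmac-sha256 in 9.17.21. If it does not, the two servers would presumably hold `tsig_key.` with different algorithms and the catz system test would fail, or fall back to MD5, which a FIPS host rejects. Please confirm the upstream state of ns2 and record the reason in the spec changelog, for example `- Drop catz/ns2 hunk from FIPS tests patch (no longer needed)`.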
@@ -101,8 +101,6 @@ Source50: https://gitlab.isc.org/isc-projects/bind9/-/raw/main/doc/arm/isc-logo.
 # FIXME: Is this still required?
 Patch10: bind-9.5-PIE.patch
 Patch16: bind-9.16-redhat_doc.patch
-# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5601
-Patch21: bind93-rh490837.patch
 Patch22: bind-9.11-fips-tests.patch
 %{?systemd_ordering}
@@ -126,6 +124,7 @@ BuildRequires: systemd-rpm-macros
 BuildRequires: selinux-policy
 BuildRequires: findutils sed
 BuildRequires: libnghttp2-devel
+BuildRequires: jemalloc-devel
 %if 0%{?fedora}
 BuildRequires: gnupg2
 %endif
@@ -1079,6 +1078,9 @@ fi;
 %endif
 %changelog
+* Mon Dec 20 2021 Petr Menšík - 9.17.21-1
+- Update to 9.17.21, enable jemalloc support
+
 * Mon Nov 29 2021 Petr Menšík - 32:9.17.20-1
 - Update to 9.17.20
 - Propagate ephemeral port ranges to chroot (#2013597)
diff --git a/bind93-rh490837.patch b/bind93-rh490837.patch
deleted file mode 100644
index b6cdcc2..0000000
--- a/bind93-rh490837.patch
+++ /dev/null
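Review bot: The `@@ -126,6 +124,7 @@` hunk adds `BuildRequires: jemalloc-devel` and the changelog says jemalloc support is enabled, but no configure option changes anywhere in this diff, so the allocator is apparently picked up by autodetection alone. Passing `--with-jemalloc` explicitly in the configure invocation (which lies outside the visible hunks) would make the build fail loudly instead of silently linking the system allocator if detection ever stops working. A one-line comment above the new dependency, such as `# jemalloc allocator support, enabled with the 9.17.21 update`, would also record why it is there.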
@@ -1,34 +0,0 @@
-diff --git a/lib/isc/errno2result.c b/lib/isc/errno2result.c
-index 623ac6d..7f34e45 100644
---- a/lib/isc/errno2result.c
-+++ b/lib/isc/errno2result.c
-@@ -36,6 +36,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
- case EINVAL: /* XXX sometimes this is not for files */
- case ENAMETOOLONG:
- case EBADF:
-+ case EISDIR:
- return (ISC_R_INVALIDFILE);
- case ENOENT:
- return (ISC_R_FILENOTFOUND);
-diff --git a/lib/isc/lex.c b/lib/isc/lex.c
-index 8ab3682..b198000 100644
---- a/lib/isc/lex.c
-+++ b/lib/isc/lex.c
-@@ -27,6 +27,8 @@
- #include
- #include
-
-+#include "errno2result.h"
-+
- typedef struct inputsource {
- isc_result_t result;
- bool is_file;
-@@ -425,7 +427,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
- #endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
- if (c == EOF) {
- if (ferror(stream)) {
-- source->result = ISC_R_IOERROR;
-+ source->result = isc__errno2result(errno);
- result = source->result;
- goto done;
- }
diff --git a/sources b/sources
index 917448e..7d02b33 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,2 @@
-SHA512 (bind-9.17.20.tar.xz) = ae0428b40a3f7a7c3db093da97b05d7901c4e48b2a9a9fac61d02b8e4d192f668ef05baf0f7d07402d88d3ed510f951637d7717a9da3c167b933166267adf070
-SHA512 (bind-9.17.20.tar.xz.asc) = 16a3689da98601ca28d5acf5a33f9ffdd2ac03c797ceca593f4c1fe19ec07582a9d5305b0a9df84122e7dc085950e686f55c617af7f9f5692666d2944016cfcc
-SHA512 (isc-logo.pdf) = 08124d14c4884aa6c078ef6b98ec37146319b51ca2dff44b6e38d1742d06778ce053299c15ad28e32dff36847242b2bb586848a1bb7cc5c05d9b2fdf2fd4a0bc
+SHA512 (bind-9.17.21.tar.xz) = 089925f055af4236f31bd0efe8e66d6bf1b2e2327e3b832e6610f0de4e8f96e93cec90ad91f8eddc882078343fc04f00793d90d006ef2851d9390b8540643cd2
+SHA512 (bind-9.17.21.tar.xz.asc) = c3b2e54cb976b131511ed1574b3e163d340ff758987557a5909f576c9d011e5eafe76a9f0d20510ced70bc56c846ca8d36a33ca21c2b3bb4e4ce320e0d948a69
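Review bot: The `sources` hunk (`@@ -1,3 +1,2 @@`) removes the `SHA512 (isc-logo.pdf)` entry without replacing it, while the spec still appears to carry `Source50` pointing at isc-logo.pdf (it shows up as the context of the `@@ -101,8 +101,6 @@` header) and `.gitignore` still ignores `/isc-logo.pdf`. Unless the file is supplied some other way not visible here, the build either misses that source or fetches it without a pinned checksum, which weakens the integrity check the other two entries provide. If the drop was not intentional, keep the third line as it was: `SHA512 (isc-logo.pdf) = <hash from the removed line, unchanged>`.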