diff --git a/sources b/sources
index 9020756..fed76ad 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (unbound-1.8.3.tar.gz) = 545486ccce288a6ef1937d82653a43a11dbd3aec7b8d0036e7fd107e537cdfc935def9db9178c2eb418d6f4b0849a242a0be1dea966f3e9e0145aa7266e483ad
+SHA512 (unbound-1.9.3.tar.gz) = 21e14dc1577adbe502a262d7fbe9aae0cd389cd9c0b822246beadf00f0ee875e268eeb3ce820433cbb01495d6b182c334b34b63b1bc33b08589a230810ccfe90
diff --git a/tmpfiles-unbound.conf b/tmpfiles-unbound.conf
index d625589..bb88f01 100644
--- a/tmpfiles-unbound.conf
+++ b/tmpfiles-unbound.conf
@@ -1 +1 @@
-D /var/run/unbound 0755 unbound unbound -
+D /run/unbound 0755 unbound unbound -
diff --git a/unbound.conf b/unbound.conf
index 9326b4c..6fa1c45 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -121,6 +121,7 @@ server:
 # so-sndbuf: 0
 
 # use SO_REUSEPORT to distribute queries over threads.
+ # at extreme load it could be better to turn it off to distribute even.
 so-reuseport: yes
 
 # use IP_TRANSPARENT so the interface: addresses can be non-local
@@ -134,7 +135,7 @@ server:
 # ip-freebind: no
 
 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
- # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts).
+ # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
 # edns-buffer-size: 4096
 
 # Maximum UDP response size (not applied to TCP response).
@@ -143,6 +144,9 @@ server:
 # Helps mitigating DDOS
 max-udp-size: 3072
 
+ # max memory to use for stream(tcp and tls) waiting result buffers.
+ # stream-wait-size: 4m
+
 # buffer size for handling DNS data. No messages larger than this
 # size can be sent or received, by UDP or TCP. In bytes.
 # msg-buffer-size: 65552
@@ -346,6 +350,10 @@ server:
 # timetoresolve, fromcache and responsesize.
 # log-replies: no
 
+ # log with tag 'query' and 'reply' instead of 'info' for
+ # filtering log-queries and log-replies from the log.
+ # log-tag-queryreply: no
+
 # log the local-zone actions, like local-zone type inform is enabled
 # also for the other local zone types.
 # log-local-actions: no
@@ -492,6 +500,9 @@ server:
 
 # module configuration of the server. A string with identifiers
 # separated by spaces. Syntax: "[dns64] [validator] iterator"
+ # most modules have to be listed at the beginning of the line,
+ # except cachedb(just before iterator), and python (at the beginning,
+ # or, just before the iterator).
 module-config: "ipsecmod validator iterator"
 
 # File with trusted keys, kept uptodate using RFC5011 probes,
@@ -671,6 +682,9 @@ server:
 # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
 
+ # Add example.com into ipset
+ # local-zone: "example.com" ipset
+
 # If unbound is running service for the local host then it is useful
 # to perform lan-wide lookups to the upstream, and unblock the
 # long list of local-zones above. If this unbound is a dns server
@@ -694,6 +708,7 @@ server:
 # o typetransparent resolves normally for other types and other names
 # o inform acts like transparent, but logs client IP address
 # o inform_deny drops queries and logs client IP address
+ # o inform_redirect redirects queries and logs client IP address
 # o always_transparent, always_refuse, always_nxdomain, resolve in
 # that way but ignore local data for that name
 # o noview breaks out of that view towards global local-zones.
@@ -737,7 +752,20 @@ server:
 # tls-service-key: "/etc/unbound/unbound_server.key"
 # tls-service-pem: "/etc/unbound/unbound_server.pem"
 # tls-port: 853
- #
+
+ # cipher setting for TLSv1.2
+ # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
+ # cipher setting for TLSv1.3
+ # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+
+ # Add the secret file for TLS Session Ticket.
+ # Secret file must be 80 bytes of random data.
+ # First key use to encrypt and decrypt TLS session tickets.
+ # Other keys use to decrypt only.
+ # requires restart to take effect.
+ # tls-session-ticket-keys: "path/to/secret_file1"
+ # tls-session-ticket-keys: "path/to/secret_file2"
+
 # request upstream over TLS (with plain DNS inside the TLS stream).
 # Default is no. Can be turned on and off with unbound-control.
 # tls-upstream: no
@@ -833,6 +861,8 @@ server:
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
 # o list python in the module-config string (above) to enable.
+# It can be at the start, it gets validated results, or just before
+# the iterator and process before DNSSEC validation.
 # o and give a python-script to run.
 python:
 # Script file to load
@@ -913,6 +943,7 @@ include: /etc/unbound/conf.d/*.conf
 # forward-addr: 192.0.2.73@5355 # forward to port 5355.
 # forward-first: no
 # forward-tls-upstream: no
+# forward-no-cache: no
 # forward-zone:
 # name: "example.org"
 # forward-host: fwd.example.com
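Review bot: The commented `tls-ciphers` example in this hunk is RSA-only and still carries the four non-AEAD CBC suites at its tail (`DHE-RSA-AES256-SHA256`, `DHE-RSA-AES128-SHA256`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-RSA-AES128-SHA256`), so an operator who uncomments it as a starting point presumably ends up with a weaker list than leaving the option unset, where the OpenSSL build or system defaults apply — worth confirming against Fedora's crypto policy before shipping this as the model value. The `tls-session-ticket-keys` block states the 80-byte size and the first-key/other-keys roles but not how to protect or rotate the file, which is the part operators get wrong; I would add above the first `tls-session-ticket-keys:` line: `# keep the key files readable only by the user unbound runs as; rotate by listing a fresh file first and keeping the old one so existing tickets still decrypt.` The server: block these lines belong to starts and ends outside the hunk.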
@@ -935,12 +966,22 @@ auth-zone:
 for-downstream: no
 for-upstream: yes
 fallback-enabled: yes
- master: b.root-servers.net
- master: c.root-servers.net
- master: e.root-servers.net
- master: f.root-servers.net
- master: g.root-servers.net
- master: k.root-servers.net
+ master: 199.9.14.201 # b.root-servers.net
+ master: 192.33.4.12 # c.root-servers.net
+ master: 199.7.91.13 # d.root-servers.net
+ master: 192.5.5.241 # f.root-servers.net
+ master: 192.112.36.4 # g.root-servers.net
+ master: 193.0.14.129 # k.root-servers.net
+ master: 192.0.47.132 # xfr.cjr.dns.icann.org
+ master: 192.0.32.132 # xfr.lax.dns.icann.org
+ master: 2001:500:200::b # b.root-servers.net
+ master: 2001:500:2::c # c.root-servers.net
+ master: 2001:500:2d::d # d.root-servers.net
+ master: 2001:500:2f::f # f.root-servers.net
+ master: 2001:500:12::d0d # g.root-servers.net
+ master: 2001:7fd::1 # k.root-servers.net
+ master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+ master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org
 # auth-zone:
 # name: "example.org"
 # for-downstream: yes
@@ -958,7 +999,7 @@ auth-zone:
 # name: "viewname"
 # local-zone: "example.com" redirect
 # local-data: "example.com A 192.0.2.3"
-# local-data-ptr: "192.0.2.3 www.example.com"
+# local-data-ptr: "192.0.2.3 www.example.com"
 # view-first: no
 # view:
 # name: "anotherview"
@@ -991,7 +1032,7 @@ auth-zone:
 # Enable external backend DB as auxiliary cache. Specify the backend name
 # (default is "testframe", which has no use other than for debugging and
 # testing) and backend-specific options. The 'cachedb' module must be
-# included in module-config.
+# included in module-config, just before the iterator module.
 # cachedb:
 # backend: "testframe"
 # # secret seed string to calculate hashed keys
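Review bot: The root-zone `master:` list is now sixteen literal addresses with nothing saying where they came from or when to refresh them; the hunk itself shows why that matters, since it swaps `b.root-servers.net` for 199.9.14.201, adds d and the two icann.org transfer hosts and silently drops e.root-servers.net, none of which the changelog mentions. A stale address will presumably just be skipped in favour of the remaining masters, so the drift would go unnoticed for a long time. I would add above the first `master:` line: `# Transfer sources copied from the upstream 1.9.3 example config; re-check against the published root-servers.org list on each update.` The `fallback-enabled: yes` context line is also worth a one-line comment stating that a failed transfer falls back to normal recursion, so operators do not read a transfer failure as an outage; the auth-zone: block starts outside the hunk.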
@@ -1004,3 +1045,14 @@ auth-zone:
 # redis-server-port: 6379
 # # timeout (in ms) for communication with the redis server
 # redis-timeout: 100
+
+ # IPSet
+ # Add specify domain into set via ipset.
+ # Note: To enable ipset needs run unbound as root user.
+ # ipset:
+ # # set name for ip v4 addresses
+ # name-v4: "list-v4"
+ # # set name for ip v6 addresses
+ # name-v6: "list-v6"
+ #
+
diff --git a/unbound.spec b/unbound.spec
index f3fa13f..bafc1ac 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -33,8 +33,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.8.3
-Release: 8%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.9.3
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -55,8 +55,6 @@ Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source17: unbound-anchor.service
 
-Patch1: unbound-1.8.3-dns64-again.patch
-
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
@@ -149,7 +147,7 @@ Python 3 modules and extensions for unbound
 
 %setup -qcn %{pkgname}
 pushd %{pkgname}
-%patch1
+# patches go here
 
 # only for snapshots
 # autoreconf -iv
@@ -173,7 +171,7 @@ cp -a %{dir_primary} %{dir_secondary}
 --enable-relro-now --enable-pie \\\
 --enable-subnet --enable-ipsecmod \\\
 --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
- --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
+ --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
 --enable-sha2 --disable-gost --enable-ecdsa \\\
 --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
 
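Review bot: The new `ipset` example says the feature needs unbound running as root but not that this gives up the privilege drop the `username:` option otherwise provides for the daemon's whole lifetime, so the cost of enabling it is easy to miss when copying the stanza. I would extend the note to `# Note: To enable ipset needs run unbound as root user (no privilege drop via username: — weigh this before enabling).` The description line `# Add specify domain into set via ipset.` also reads awkwardly; given the name-v4/name-v6 lines below it, `# Add the addresses resolved for the listed domains into an ipset set.` says what it does. All of this is commented example text, so nothing changes at runtime.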
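Review bot: Dropping `Patch1: unbound-1.8.3-dns64-again.patch` is not explained anywhere in the diff; the changelog entry records the version bump and three bug numbers but not whether the dns64 fix landed upstream in 1.9.3 or was simply abandoned, and those are very different outcomes for anyone bisecting a dns64 regression later. A one-line changelog entry such as `- Drop unbound-1.8.3-dns64-again.patch, merged upstream` (after confirming that it was) would let the next maintainer tell the two apart. The `%prep` hunk that replaces `%patch1` with `# patches go here` is the same change and needs no separate note.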
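Review bot: `--with-pidfile=%{_rundir}/%{name}/%{name}.pid` moves the pidfile to /run and tmpfiles-unbound.conf in this diff now creates `/run/unbound`, but the systemd unit file is not in the diff, and if it still names the pidfile under /var/run the pair only keeps working through the legacy /var/run symlink that the tmpfiles bug (rhbz#1694831 in the changelog) is about getting away from. Worth checking the unit in the same commit, or at least adding next to the configure flag `# must agree with tmpfiles-unbound.conf and the pidfile path used by the systemd unit`. The macro block this line sits in starts and ends outside the hunk.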
@@ -410,6 +408,12 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Tue Aug 27 2019 Paul Wouters - 1.9.3-1
+- Updated to 1.9.3
+- Resolves: rhbz#1672578 unbound-1.9.2 is available
+- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/
+- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT
+
 * Thu Aug 22 2019 Miro HronĨok - 1.8.3-8
 - Subpackage python2-unbound has been removed
 See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal