diff --git a/libunbound-devel-mini.changes b/libunbound-devel-mini.changes
index 89a93b3..d4dc620 100644
--- a/libunbound-devel-mini.changes
+++ b/libunbound-devel-mini.changes
@@ -1,3 +1,221 @@
+-------------------------------------------------------------------
+Tue Jun 27 11:13:31 UTC 2017 - michael@stroeder.com
+
+- update to 1.6.4
+
+Features:
+- Implemented trust anchor signaling using key tag query.
+- unbound-checkconf -o allows query of dnstap config variables.
+  Also unbound-control get_option.  Also for dnscrypt.
+- unbound.h exports the shm stats structures.  They use
+  type long long and no ifdefs, and ub_ before the typenames.
+- Implemented opportunistic IPsec support module (ipsecmod).
+- Added redirect-bogus.patch to contrib directory.
+- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
+- renumbering B-Root's IPv6 address to 2001:500:200::b.
+- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
+- Fix #1277: disable domain ratelimit by setting value to 0.
+- Added fastrpz patch to contrib
+
+Bug Fixes:
+- Added ECS unit test (from Manu Bretelle).
+- ECS documentation fix (from Manu Bretelle).
+- Fix #1252: more indentation inconsistencies.
+- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
+- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
+- iana portlist update
+- Based on #1257: check parse limit before t increment in sldns RR
+  string parse routine.
+- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
+  and fix that 64bit getting installed in C:\Program Files (x86).
+- Fix #1259: "--disable-ecdsa" argument overwritten
+  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
+- iana portlist update
+- Added test for leak of stub information.
+- Fix sldns wire2str printout of RR type CAA tags.
+- Fix sldns int16_data parse.
+- Fix sldns parse and printout of TSIG RRs.
+- sldns SMIMEA and AVC definitions, same as getdns definitions.
+- Fix tcp-mss failure printout text.
+- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
+  connect limited tcp connections.  With the option tcp connections
+  can share the same source port (for different destinations).
+- Add 'c' to getopt() in testbound.
+- Adjust servfail by iterator to not store in cache when serve-expired
+  is enabled, to avoid overwriting useful information there.
+- Fix queries for nameservers under a stub leaking to the internet.
+- document trust-anchor-signaling in example config file.
+- updated configure, dependencies and flex output.
+- better module memory lookup, fix of unbound-control shm names for
+  module memory printout of statistics.
+- Fix type AVC sldns rrdef.
+- Some whitespace fixup.
+- Fix #1265: contrib/unbound.service contains hardcoded path.
+- Fix #1265 to use /bin/kill.
+- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
+  and compatibility with BoringSSL.
+- Fix #1268: SIGSEGV after log_reopen.
+- exec_prefix is by default equal to prefix.
+- printout localzone for duplicate local-zone warnings.
+- Fix assertion for low buffer size and big edns payload when worker
+  overrides udpsize.
+- Support for openssl EVP_DigestVerify.
+- Fix #1269: inconsistent use of built-in local zones with views.
+- Add defaults for new local-zone trees added to views using
+  unbound-control.
+- Fix #1273: cachedb.c doesn't compile with -Wextra.
+- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
+- Also use global local-zones when there is a matching view that does
+  not have any local-zone specified.
+- Fix fastopen EPIPE fallthrough to perform connect.
+- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
+  (from Manu Bretelle).
+- Fix #1275: cached data in cachedb is never used.
+- Fix that unbound-control can set val_clean_additional and
+  val_permissive_mode.
+- Add dnscrypt XChaCha20 tests.
+- Detect chacha for dnscrypt at configure time.
+- dnscrypt unit tests with chacha.
+- Added domain name based ECS whitelist.
+- Fix #1278: Incomplete wildcard proof.
+- Fix #1279: Memory leak on reload when python module is enabled.
+- Fix #1280: Unbound fails assert when response from authoritative
+  contains malformed qname.  When 0x20 caps-for-id is enabled, when
+  assertions are not enabled the malformed qname is handled correctly.
+- More fixes in depth for buffer checks in 0x20 qname checks.
+- Fix stub zone queries leaking to the internet for
+  harden-referral-path ns checks.
+- Fix query for refetch_glue of stub leaking to internet.
+- Fix #1301: memory leak in respip and tests.
+- Free callback in edns-subnetmod on exit and restart.
+- Fix memory leak in sldns_buffer_new_frm_data.
+- Fix memory leak in dnscrypt config read.
+- Fix dnscrypt chacha cert support ifdefs.
+- Fix dnscrypt chacha cert unit test escapes in grep.
+- Fix to unlock view in view test.
+- Fix warning in pythonmod under clang compiler.
+- Fix lintian typo.
+- Fix #1316: heap read buffer overflow in parse_edns_options.
+
+-------------------------------------------------------------------
+Wed Jun 14 10:22:38 UTC 2017 - michael@stroeder.com
+
+- update to 1.6.3
+
+Bug Fixes
+- Fix #1280: Unbound fails assert when response from authoritative
+  contains malformed qname. When 0x20 caps-for-id is enabled, when
+  assertions are not enabled the malformed qname is handled correctly.
+
+-------------------------------------------------------------------
+Mon Apr 24 15:54:02 UTC 2017 - michael@stroeder.com
+
+- update to 1.6.2
+
+Features
+- Add trustanchor.unbound CH TXT that gets a response with a number
+  of TXT RRs with a string like "example.com. 2345 1234" with
+  the trust anchors and their keytags.
+- Patch for view functionality for local-data-ptr from Björn Ketelaars.
+- Response actions based on IP address from Jinmei Tatuya (Infoblox).
+- Patch from Luiz Fernando Softov for Stats Shared Memory.
+- unbound-control stats_shm command prints stats using shared memory,
+  which uses less cpu.
+- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
+  DS records.  NSEC3 is not disabled.
+- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
+  enabled in the config file from Manu Bretelle.
+- Merge EDNS Client subnet implementation from feature branch into main
+  branch, using new EDNS processing framework.
+- harden-algo-downgrade: no also makes unbound more lenient about
+  digest algorithms in DS records.
+
+Bug fixes
+- sldns has ED25519 and ED448 algorithm number and name for display.
+- sldns updated for vfixed and buffer resize indication from getdns.
+- iana portlist update
+- Fix #1224: Fix that defaults should not fall back to "Program Files
+  (x86) if Unbound is 64bit by default on windows.
+- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
+  redirect.
+- make depend, autoconf, doxygen and lint fixed up.
+- include sys/time.h for new shm code on NetBSD.
+- Fix #1227: Fix that Unbound control allows weak ciphersuits.
+- Fix #1226: provide official 32bit binary for windows.
+- For #1227: if we have sha256, set the cipher list to have no
+  known vulns.
+- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
+  record.
+- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
+- Fix #1230: swig version 2.0.1 is required for pythonmod, with
+  1.3.40 it crashes when running repeatly unbound-control reload.
+- fix enum conversion warnings
+- fake-sha1 test option; print warning if used.  To make unit tests.
+- unbound-control list local zone and data commands listed in the
+  help output.
+- Fix #1234: shortening DNAME loop produces duplicate DNAME records
+  in ANSWER section.
+- testbound understands Deckard MATCH rcode question answer commands.
+- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
+  of YXDOMAIN + query loop, reported by Petr Spacek.
+- Fix that SHM is not inited if not enabled.
+- Fix that looped DNAMEs do not cause unbound to spend effort.
+- trustanchor tags are sorted.  reusable routine to fetch taglist.
+- Fix #1237 - Wrong resolving in chain, for norec queries that get
+  SERVFAIL returned.
+- make depend, autoconf, remove warnings about statement before var.
+- lru_demote and lruhash_insert_or_retrieve functions for getdns.
+- fixup for lruhash (whitespace and header file comment).
+- dnscrypt tests.
+- Fix doxygen for dnscrypt files.
+- Fix #1238: segmentation fault when adding through the remote
+  interface a per-view local zone to a view with no previous
+  (configured) local zones.
+- Fix #1229: Systemd service sandboxing, options in wrong sections.
+- Fix #1239: configure fails to find python distutils if python
+  prints warning.
+- Fix to prevent non-referal query from being cached as referal when the
+  no_cache_store flag was set.
+- Remove (now unused) event2 include from dnscrypt code.
+- Fix #1217: Add metrics to unbound-control interface showing
+  crypted, cert request, plaintext and malformed queries (from
+  Manu Bretelle).
+- Do not add current time twice to TTL before ECS cache store.
+- Do not touch rrset cache after ECS cache message generation.
+- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
+- Fix #1244: document that use of chroot requires trust anchor file to
+  be under chroot.
+- Small fixup for documentation.
+- Fix respip for braces when locks arent used.
+- Fix pythonmod for cb changes.
+- Generalise inplace callback (de)registration
+- (de)register inplace callbacks for module id
+- No unbound-control set_option for ECS options
+- Deprecated client-subnet-opcode config option
+- Introduced client-subnet-always-forward config option
+- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
+- Removed extern ECS config options
+- module_restart_next now calls clear on all following modules
+- Also create ECS module qstate on module_event_pass event
+- remove malloc from inplace_cb_register
+- Unlock view in respip unit test
+- Some whitespace fixup.
+- Remove ECS option after REFUSED answer.
+- Fix small memory leak in edns_opt_copy_alloc.
+- Respip dereference after NULL check.
+- Zero initialize addrtree allocation.
+- Use correct identifier for SHM destroy.
+- Display ECS module memory usage.
+- Fix #1247: unbound does not shorten source prefix length when
+  forwarding ECS.
+- Properly check for allocation failure in local_data_find_tag_datas.
+- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
+- Set SHM ECS memory usage to 0 when module not loaded.
+- subnet mem value is available in shm, also when not enabled,
+  to make the struct easier to memmap by other applications,
+  independent of the configuration of unbound.
+- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
+
 -------------------------------------------------------------------
 Tue Feb 21 21:34:22 UTC 2017 - michael@stroeder.com
 
diff --git a/libunbound-devel-mini.spec b/libunbound-devel-mini.spec
index 284f273..8be5429 100644
--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@@ -24,7 +24,7 @@
 
 #
 Name:           libunbound-devel-mini
-Version:        1.6.1
+Version:        1.6.4
 Release:        0
 #
 #
@@ -34,6 +34,7 @@ BuildRequires:  ldns-devel >= %{ldns_version}
 BuildRequires:  libevent-devel
 BuildRequires:  libexpat-devel
 BuildRequires:  openssl-devel
+BuildRequires:  libsodium-devel
 Requires:       this-is-only-for-build-envs
 Conflicts:      unbound-devel
 Conflicts:      libunbound2
@@ -81,6 +82,7 @@ export CXXFLAGS="%{optflags}"
   --enable-event-api \
   --enable-pie \
   --enable-relro-now \
+  --enable-dnscrypt \
   --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
   --with-pidfile=%{piddir}%{name}/%{name}.pid \
   --without-pythonmodule --without-pyunbound \
diff --git a/unbound-1.6.1.tar.gz b/unbound-1.6.1.tar.gz
deleted file mode 100644
index db9a764..0000000
--- a/unbound-1.6.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400
-size 5074713
diff --git a/unbound-1.6.4.tar.gz b/unbound-1.6.4.tar.gz
new file mode 100644
index 0000000..da0a4a1
--- /dev/null
+++ b/unbound-1.6.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed
+size 5477897
diff --git a/unbound.changes b/unbound.changes
index 89a93b3..d4dc620 100644
--- a/unbound.changes
+++ b/unbound.changes
@@ -1,3 +1,221 @@
+-------------------------------------------------------------------
+Tue Jun 27 11:13:31 UTC 2017 - michael@stroeder.com
+
+- update to 1.6.4
+
+Features:
+- Implemented trust anchor signaling using key tag query.
+- unbound-checkconf -o allows query of dnstap config variables.
+  Also unbound-control get_option.  Also for dnscrypt.
+- unbound.h exports the shm stats structures.  They use
+  type long long and no ifdefs, and ub_ before the typenames.
+- Implemented opportunistic IPsec support module (ipsecmod).
+- Added redirect-bogus.patch to contrib directory.
+- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
+- renumbering B-Root's IPv6 address to 2001:500:200::b.
+- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
+- Fix #1277: disable domain ratelimit by setting value to 0.
+- Added fastrpz patch to contrib
+
+Bug Fixes:
+- Added ECS unit test (from Manu Bretelle).
+- ECS documentation fix (from Manu Bretelle).
+- Fix #1252: more indentation inconsistencies.
+- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
+- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
+- iana portlist update
+- Based on #1257: check parse limit before t increment in sldns RR
+  string parse routine.
+- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
+  and fix that 64bit getting installed in C:\Program Files (x86).
+- Fix #1259: "--disable-ecdsa" argument overwritten
+  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
+- iana portlist update
+- Added test for leak of stub information.
+- Fix sldns wire2str printout of RR type CAA tags.
+- Fix sldns int16_data parse.
+- Fix sldns parse and printout of TSIG RRs.
+- sldns SMIMEA and AVC definitions, same as getdns definitions.
+- Fix tcp-mss failure printout text.
+- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
+  connect limited tcp connections.  With the option tcp connections
+  can share the same source port (for different destinations).
+- Add 'c' to getopt() in testbound.
+- Adjust servfail by iterator to not store in cache when serve-expired
+  is enabled, to avoid overwriting useful information there.
+- Fix queries for nameservers under a stub leaking to the internet.
+- document trust-anchor-signaling in example config file.
+- updated configure, dependencies and flex output.
+- better module memory lookup, fix of unbound-control shm names for
+  module memory printout of statistics.
+- Fix type AVC sldns rrdef.
+- Some whitespace fixup.
+- Fix #1265: contrib/unbound.service contains hardcoded path.
+- Fix #1265 to use /bin/kill.
+- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
+  and compatibility with BoringSSL.
+- Fix #1268: SIGSEGV after log_reopen.
+- exec_prefix is by default equal to prefix.
+- printout localzone for duplicate local-zone warnings.
+- Fix assertion for low buffer size and big edns payload when worker
+  overrides udpsize.
+- Support for openssl EVP_DigestVerify.
+- Fix #1269: inconsistent use of built-in local zones with views.
+- Add defaults for new local-zone trees added to views using
+  unbound-control.
+- Fix #1273: cachedb.c doesn't compile with -Wextra.
+- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
+- Also use global local-zones when there is a matching view that does
+  not have any local-zone specified.
+- Fix fastopen EPIPE fallthrough to perform connect.
+- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
+  (from Manu Bretelle).
+- Fix #1275: cached data in cachedb is never used.
+- Fix that unbound-control can set val_clean_additional and
+  val_permissive_mode.
+- Add dnscrypt XChaCha20 tests.
+- Detect chacha for dnscrypt at configure time.
+- dnscrypt unit tests with chacha.
+- Added domain name based ECS whitelist.
+- Fix #1278: Incomplete wildcard proof.
+- Fix #1279: Memory leak on reload when python module is enabled.
+- Fix #1280: Unbound fails assert when response from authoritative
+  contains malformed qname.  When 0x20 caps-for-id is enabled, when
+  assertions are not enabled the malformed qname is handled correctly.
+- More fixes in depth for buffer checks in 0x20 qname checks.
+- Fix stub zone queries leaking to the internet for
+  harden-referral-path ns checks.
+- Fix query for refetch_glue of stub leaking to internet.
+- Fix #1301: memory leak in respip and tests.
+- Free callback in edns-subnetmod on exit and restart.
+- Fix memory leak in sldns_buffer_new_frm_data.
+- Fix memory leak in dnscrypt config read.
+- Fix dnscrypt chacha cert support ifdefs.
+- Fix dnscrypt chacha cert unit test escapes in grep.
+- Fix to unlock view in view test.
+- Fix warning in pythonmod under clang compiler.
+- Fix lintian typo.
+- Fix #1316: heap read buffer overflow in parse_edns_options.
+
+-------------------------------------------------------------------
+Wed Jun 14 10:22:38 UTC 2017 - michael@stroeder.com
+
+- update to 1.6.3
+
+Bug Fixes
+- Fix #1280: Unbound fails assert when response from authoritative
+  contains malformed qname. When 0x20 caps-for-id is enabled, when
+  assertions are not enabled the malformed qname is handled correctly.
+
+-------------------------------------------------------------------
+Mon Apr 24 15:54:02 UTC 2017 - michael@stroeder.com
+
+- update to 1.6.2
+
+Features
+- Add trustanchor.unbound CH TXT that gets a response with a number
+  of TXT RRs with a string like "example.com. 2345 1234" with
+  the trust anchors and their keytags.
+- Patch for view functionality for local-data-ptr from Björn Ketelaars.
+- Response actions based on IP address from Jinmei Tatuya (Infoblox).
+- Patch from Luiz Fernando Softov for Stats Shared Memory.
+- unbound-control stats_shm command prints stats using shared memory,
+  which uses less cpu.
+- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
+  DS records.  NSEC3 is not disabled.
+- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
+  enabled in the config file from Manu Bretelle.
+- Merge EDNS Client subnet implementation from feature branch into main
+  branch, using new EDNS processing framework.
+- harden-algo-downgrade: no also makes unbound more lenient about
+  digest algorithms in DS records.
+
+Bug fixes
+- sldns has ED25519 and ED448 algorithm number and name for display.
+- sldns updated for vfixed and buffer resize indication from getdns.
+- iana portlist update
+- Fix #1224: Fix that defaults should not fall back to "Program Files
+  (x86) if Unbound is 64bit by default on windows.
+- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
+  redirect.
+- make depend, autoconf, doxygen and lint fixed up.
+- include sys/time.h for new shm code on NetBSD.
+- Fix #1227: Fix that Unbound control allows weak ciphersuits.
+- Fix #1226: provide official 32bit binary for windows.
+- For #1227: if we have sha256, set the cipher list to have no
+  known vulns.
+- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
+  record.
+- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
+- Fix #1230: swig version 2.0.1 is required for pythonmod, with
+  1.3.40 it crashes when running repeatly unbound-control reload.
+- fix enum conversion warnings
+- fake-sha1 test option; print warning if used.  To make unit tests.
+- unbound-control list local zone and data commands listed in the
+  help output.
+- Fix #1234: shortening DNAME loop produces duplicate DNAME records
+  in ANSWER section.
+- testbound understands Deckard MATCH rcode question answer commands.
+- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
+  of YXDOMAIN + query loop, reported by Petr Spacek.
+- Fix that SHM is not inited if not enabled.
+- Fix that looped DNAMEs do not cause unbound to spend effort.
+- trustanchor tags are sorted.  reusable routine to fetch taglist.
+- Fix #1237 - Wrong resolving in chain, for norec queries that get
+  SERVFAIL returned.
+- make depend, autoconf, remove warnings about statement before var.
+- lru_demote and lruhash_insert_or_retrieve functions for getdns.
+- fixup for lruhash (whitespace and header file comment).
+- dnscrypt tests.
+- Fix doxygen for dnscrypt files.
+- Fix #1238: segmentation fault when adding through the remote
+  interface a per-view local zone to a view with no previous
+  (configured) local zones.
+- Fix #1229: Systemd service sandboxing, options in wrong sections.
+- Fix #1239: configure fails to find python distutils if python
+  prints warning.
+- Fix to prevent non-referal query from being cached as referal when the
+  no_cache_store flag was set.
+- Remove (now unused) event2 include from dnscrypt code.
+- Fix #1217: Add metrics to unbound-control interface showing
+  crypted, cert request, plaintext and malformed queries (from
+  Manu Bretelle).
+- Do not add current time twice to TTL before ECS cache store.
+- Do not touch rrset cache after ECS cache message generation.
+- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
+- Fix #1244: document that use of chroot requires trust anchor file to
+  be under chroot.
+- Small fixup for documentation.
+- Fix respip for braces when locks arent used.
+- Fix pythonmod for cb changes.
+- Generalise inplace callback (de)registration
+- (de)register inplace callbacks for module id
+- No unbound-control set_option for ECS options
+- Deprecated client-subnet-opcode config option
+- Introduced client-subnet-always-forward config option
+- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
+- Removed extern ECS config options
+- module_restart_next now calls clear on all following modules
+- Also create ECS module qstate on module_event_pass event
+- remove malloc from inplace_cb_register
+- Unlock view in respip unit test
+- Some whitespace fixup.
+- Remove ECS option after REFUSED answer.
+- Fix small memory leak in edns_opt_copy_alloc.
+- Respip dereference after NULL check.
+- Zero initialize addrtree allocation.
+- Use correct identifier for SHM destroy.
+- Display ECS module memory usage.
+- Fix #1247: unbound does not shorten source prefix length when
+  forwarding ECS.
+- Properly check for allocation failure in local_data_find_tag_datas.
+- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
+- Set SHM ECS memory usage to 0 when module not loaded.
+- subnet mem value is available in shm, also when not enabled,
+  to make the struct easier to memmap by other applications,
+  independent of the configuration of unbound.
+- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
+
 -------------------------------------------------------------------
 Tue Feb 21 21:34:22 UTC 2017 - michael@stroeder.com
 
diff --git a/unbound.spec b/unbound.spec
index b4c59f3..8eb886e 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -53,7 +53,7 @@
 %endif
 
 Name:           unbound
-Version:        1.6.1
+Version:        1.6.4
 Release:        0
 #
 #
@@ -64,6 +64,7 @@ BuildRequires:  libevent-devel
 BuildRequires:  libexpat-devel
 BuildRequires:  openssl-devel
 BuildRequires:  python-devel
+BuildRequires:  libsodium-devel
 %if %{with dnstap}
 BuildRequires:  protobuf-c >= 1.0.0
 BuildRequires:  libprotobuf-c-devel >= 1.0.0
@@ -199,6 +200,7 @@ export CXXFLAGS="%{optflags}"
   --enable-event-api \
   --enable-pie \
   --enable-relro-now \
+  --enable-dnscrypt \
 %if %{with dnstap}
   --enable-dnstap \
 %endif