diff --git a/bind-9.18.27.tar.xz b/bind-9.18.27.tar.xz
deleted file mode 100644
index de7ab7c..0000000
--- a/bind-9.18.27.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ea3f3d8cfa2f6ae78c8722751d008f54bc17a3aed2be3f7399eb7bf5f4cda8f1
-size 5524000
diff --git a/bind-9.18.27.tar.xz.asc b/bind-9.18.27.tar.xz.asc
deleted file mode 100644
index 769ebcb..0000000
--- a/bind-9.18.27.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmY6DEcACgkQUQpkKgbF
-LOwbQQ/7B3netZ0er8j5iMfTsalXKrgdTafhwN5SEQdZuxWKFBiuGZmydiDUqr9i
-YMyAhpsf3+uHGtvn5NeDkp2J+RDwZW5qqv+o+cjTVso0VbrzRmnhkSXagV1++10i
-rZtHNGp4cFXU6nSXczsWSPhE51vKCvMxqA0xPONRpnczto8yw+GYhgaoCeOdO0Y9
-k+ZoeUgVyEK4KGg60RvxqEchA7T883BZD9zUCr1/E9DwTqUAe22CfQ6j6IXIq5Cl
-cFYqgy1AcG+YvVFhwaA0PPBW+b+RevXW7FRILQ/oELwyjZrMjS+3Z0uATPy7AjL+
-Zkh22BPsAQebSsUAbX6p59I8XyxzdxJwMXSC/jYaIhknFLvC4v6L3QlGOpY7DviD
-v03n6a2n0PdXdm1WzbG8S+hcVNrlzXqaYT4HAFjrBpTWvvRP3+JXel7OLSRDDuyQ
-J5Y6nZiMLnhAmN2QfqM5vFXHgEACN8zHC1vYoPdmMScWFiW1d48Q4RKvY1oVmSJZ
-c/4ZCqZMOZXbe+6gvYO8xJXBTveX/inS4no05JNork2s7gkr/hcGk2NDly8+yTIx
-STdiOHtcKyuv0YV1yfY5WFN9i0nHQsbrcpsmWVNyX/zqle3Qjg4d4zBhqUryDDX6
-XaIE7cWt26h98U4Hzx1Iq9jhnlqERUY+AX+8w1q2zZ2VjXKcNV8=
-=YjPE
------END PGP SIGNATURE-----
diff --git a/bind-9.20.0.tar.xz b/bind-9.20.0.tar.xz
new file mode 100644
index 0000000..669dbef
--- /dev/null
+++ b/bind-9.20.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc580998017b51f273964058e8cb3aa5482bc785243dea71e5556ec565a13347
+size 5760416
diff --git a/bind-9.20.0.tar.xz.asc b/bind-9.20.0.tar.xz.asc
new file mode 100644
index 0000000..9f46a95
--- /dev/null
+++ b/bind-9.20.0.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmaNMyYACgkQUQpkKgbF
+LOzwnBAAgICQ7MC0rkXZxD/8X3vatdpDZ4MkUvkhOR+J4kkKWBuSqZJQvuWA8XeS
+/rycCHWFeUf3V9Wj6XbCPa1l4eV5rAnSVJtHHoDoK9Tt/1H6HCd0v2b270a9q1pU
+ra5Jdi/ZP76iRYAAse8FpRymMcjEk/aXnnnOsCACOY8MNvxC83mmrciPJJxloEBy
+9zGPGzkvnYTM1H/qSR0GrUsGLtzKPiXbvtsRo9jI3f8kL9Tdxw9IlmH0OY14L26L
+QKgaFC4Sa3J2PmELLCORtvUEDeKi9FAG9+6ua3h7ork2n/cARmOhvmZ8FFgLlB1e
+7GSWCMujw+h44vNJrz1w14Bm1sN3k9PgY34i7ter/WA6ZTFDIWyhQh5tHrbjsdyv
+DTlE8EvVNIg4fYMCew57yedXqzWO6bavwFlsiPyjXyG9+k9xSeQEYuuLGismF3gQ
+AGXPyUUAiqhnyQd1uCf8qK5sgkH39+g5TRFl5oSvZavOAr/GtzsNhAo5Ii5ia8qL
+mUVESk+Jyl4/rKJAAMwWtdl8mk8RYx1BF0XAG/mnvC81HBcuiu5aRBa5N3p8Kg+W
+cUMPOjDhXn90pxEcD1MSg6nH1P0sVVOYWaQvJ1FtzKUp7JKNJus0yjgQarF5VI/l
+7VSUi36dGSlDyM4EvspS/KAnItErzA8Vn40R9x8qbmzjD1Ka5LU=
+=wneo
+-----END PGP SIGNATURE-----
diff --git a/bind.changes b/bind.changes
index 35c73e4..fea5750 100644
--- a/bind.changes
+++ b/bind.changes
@@ -1,3 +1,64 @@
+-------------------------------------------------------------------
+Wed Jul 24 09:03:08 UTC 2024 - Jorik Cronenberg
+
+- Update to new major version 9.20.0
+ For a complete list of all changes see:
+ * https://bind9.readthedocs.io/en/v9.20.0/notes.html
+ * The CHANGES file in the source RPM
+
+ Some noteworthy changes:
+ * Added new BuildRequires liburcu for lock free data structures.
+ * A new DNSSEC tool dnssec-ksr has been added to create Key
+ Signing Request (KSR) and Signed Key Response (SKR) files.
+ * /etc/bind.keys and /var/lib/named/named.root.key have been
+ removed as the correct defaults are pre-compiled and there is
+ no need to configure bind.keys manually.
+ * The functions that were in the libbind9 shared library have
+ been moved to the libisc and libisccfg libraries. The now-empty
+ libbind9 has been removed and is no longer installed.
+ * The irs_resconf module has been moved to the libdns shared
+ library. The now-empty libirs library has been removed and is
+ no longer installed.
+
+ Security Fixes:
+ * A malicious DNS client that sent many queries over TCP but
+ never read the responses could cause a server to respond slowly
+ or not at all for other clients. This has been fixed.
+ (CVE-2024-0760)
+ [bsc#1228255]
+ * It is possible to craft excessively large resource records
+ sets, which have the effect of slowing down database
+ processing. This has been addressed by adding a configurable
+ limit to the number of records that can be stored per name and
+ type in a cache or zone database. The default is 100, which can
+ be tuned with the new max-records-per-type option.
+ * It is possible to craft excessively large numbers of resource
+ record types for a given owner name, which has the effect of
+ slowing down database processing. This has been addressed by
+ adding a configurable limit to the number of records that can
+ be stored per name and type in a cache or zone database.
The + default is 100, which can be tuned with the new + max-types-per-name option. (CVE-2024-1737) + [bsc#1228256] + * Validating DNS messages signed using the SIG(0) protocol (RFC + 2931) could cause excessive CPU load, leading to a + denial-of-service condition. Support for SIG(0) message + validation was removed from this version of named. + (CVE-2024-1975) + [bsc#1228257] + * Due to a logic error, lookups that triggered serving stale data + and required lookups in local authoritative zone data could + have resulted in an assertion failure. This has been fixed. + * Potential data races were found in our DoH implementation, + related to HTTP/2 session object management and endpoints set + object management after reconfiguration. These issues have been + fixed. + * When looking up the NS records of parent zones as part of + looking up DS records, it was possible for named to trigger an + assertion failure if serve-stale was enabled. This has been + fixed. (CVE-2024-4076) + [bsc#1228258] + ------------------------------------------------------------------- Fri May 17 16:05:37 UTC 2024 - Jorik Cronenberg diff --git a/bind.spec b/bind.spec index d19ad95..f2c74e8 100644 --- a/bind.spec +++ b/bind.spec @@ -56,7 +56,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.18.27 +Version: 9.20.0 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 @@ -92,6 +92,7 @@ BuildRequires: pkgconfig(krb5) BuildRequires: pkgconfig(libidn2) BuildRequires: pkgconfig(libmaxminddb) BuildRequires: pkgconfig(libnghttp2) +BuildRequires: pkgconfig(liburcu) BuildRequires: pkgconfig(libuv) BuildRequires: pkgconfig(libxml-2.0) Requires: %{name}-utils 
@@ -375,7 +376,6 @@ mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf install -D -m 0644 %{_sourcedir}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named - install -m 0644 bind.keys %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/named.root.key install -d -m 0755 %{buildroot}/%{_unitdir}/named.service.d %else for file in named; do @@ -422,7 +422,6 @@ done # --------------------------------------------------------------------------- # remove useless Makefiles and Makefile skeletons find %{buildroot}/%{_defaultdocdir}/bind \( -name Makefile -o -name Makefile.in \) -exec rm {} + -install -m 0644 bind.keys %{buildroot}%{_localstatedir}/lib/named/named.root.key %if %{with_systemd} mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/ @@ -532,7 +531,6 @@ fi %config %{_var}/lib/named/root.hint %config %{_var}/lib/named/127.0.0.zone %config %{_var}/lib/named/localhost.zone -%config %{_var}/lib/named/named.root.key %dir %{_libexecdir}/bind %{_libexecdir}/bind/named.prep %dir %{_libdir}/bind-plugins @@ -571,7 +569,6 @@ fi %files utils %dir %{_sysconfdir}/named.d %config(noreplace) %{_sysconfdir}/named.d/rndc-access.conf -%config(noreplace) %{_sysconfdir}/bind.keys %dir %{_sysconfdir}/openldap %dir %{_sysconfdir}/openldap/schema %attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/dnszone.schema 
@@ -594,20 +591,17 @@ fi %{_bindir}/dnssec-verify %{_bindir}/dnssec-cds %{_bindir}/dnstap-read +%{_bindir}/dnssec-ksr %{_sbindir}/ddns-confgen %{_sbindir}/rndc %{_sbindir}/rndc-confgen %{_sbindir}/tsig-keygen -%{_libdir}/libbind9-%{version}.so %{_libdir}/libdns-%{version}.so -%{_libdir}/libirs-%{version}.so %{_libdir}/libisc-%{version}.so %{_libdir}/libisccc-%{version}.so %{_libdir}/libisccfg-%{version}.so %{_libdir}/libns-%{version}.so -%{_libdir}/libbind9.so %{_libdir}/libdns.so -%{_libdir}/libirs.so %{_libdir}/libisc.so %{_libdir}/libisccc.so %{_libdir}/libisccfg.so @@ -634,6 +628,7 @@ fi %{_mandir}/man1/named-journalprint.1%{ext_man} %{_mandir}/man1/nsec3hash.1%{ext_man} %{_mandir}/man1/dnstap-read.1%{ext_man} +%{_mandir}/man1/dnssec-ksr.1.gz %{_mandir}/man5/rndc.conf.5%{ext_man} %{_mandir}/man8/ddns-confgen.8%{ext_man} %{_mandir}/man8/rndc.8%{ext_man} diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index f049d29..7b6de0a 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:7d4bca3adb71c0b663fe751ab13abb8e14548585338014a0f106f330fc4d1039 -size 20398 +oid sha256:4e9c271e4e1c7d9a7fef8ac8afb01986aa037c6c020ed52a6d19cb7d093a7f3f +size 20084
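Review bot: The new manual page entry in the `@@ -634,6 +628,7 @@` hunk hard-codes the compression suffix, `%{_mandir}/man1/dnssec-ksr.1.gz`, while every neighbouring entry in the same list uses `%{ext_man}`. If the build target compresses man pages with anything other than gzip, the listed file will not exist and rpmbuild will fail on the missing path. The line should follow the surrounding convention: `%{_mandir}/man1/dnssec-ksr.1%{ext_man}`. The file list this hunk belongs to starts and ends outside the hunk, so the owning subpackage cannot be confirmed from here.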