diff --git a/knot-resolver.spec b/knot-resolver.spec
index c38da04..60c3f3e 100644
--- a/knot-resolver.spec
+++ b/knot-resolver.spec
@@ -2,7 +2,7 @@
 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}}
 
 %define GPG_CHECK 1
-%define VERSION 4.3.0
+%define VERSION 5.0.0
 %define repodir %{_builddir}/%{name}-%{version}
 %define NINJA ninja-build
 
@@ -49,6 +49,7 @@ BuildRequires:  pkgconfig(libuv)
 BuildRequires:  pkgconfig(luajit) >= 2.0
 
 Requires:       systemd
+Requires(post): systemd
 
 # Distro-dependent dependencies
 %if 0%{?rhel}
@@ -56,9 +57,7 @@ BuildRequires:  lmdb-devel
 # Lua 5.1 version of the libraries have different package names
 Requires:       lua-basexx
 Requires:       lua-psl
-Requires:       lua-socket
-Requires:       lua-sec
-Requires:       lua-filesystem
+Requires:       lua-http
 Requires(pre):  shadow-utils
 %endif
 %if 0%{?fedora}
@@ -66,10 +65,8 @@ BuildRequires:  pkgconfig(lmdb)
 BuildRequires:  python3-sphinx
 Requires:       lua5.1-basexx
 Requires:       lua5.1-cqueues
+Requires:       lua5.1-http
 Recommends:     lua5.1-psl
-Requires:       lua-filesystem-compat
-Requires:       lua-socket-compat
-Requires:       lua-sec-compat
 Requires(pre):  shadow-utils
 %endif
 
@@ -82,15 +79,13 @@ BuildRequires:  openssl-devel
 %define NINJA ninja
 BuildRequires:  lmdb-devel
 BuildRequires:  python3-Sphinx
-Requires:       lua51-luafilesystem
-Requires:       lua51-luasocket
-Requires:       lua51-luasec
 Requires(pre):  shadow
 %endif
 
 %if "x%{?rhel}" == "x"
 # dependencies for doc package
-# enable once CentOS 7.6 makes it into OBS buildroot
+# NOTE: doc isn't possible to build on CentOS 7
+#       python2-sphinx is too old and python36-breathe is broken
 BuildRequires:  doxygen
 BuildRequires:  python3-breathe
 BuildRequires:  python3-sphinx_rtd_theme
@@ -154,10 +149,8 @@ gpg2 --verify %{SOURCE1} %{SOURCE0}
 CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" meson build_rpm \
 %if "x%{?rhel}" == "x"
     -Ddoc=enabled \
-    -Dsystemd_files=enabled \
-%else
-    -Dsystemd_files=nosocket \
 %endif
+    -Dsystemd_files=enabled \
     -Dclient=enabled \
     -Dunit_tests=enabled \
     -Dmanaged_ta=enabled \
@@ -186,10 +179,6 @@ DESTDIR="${RPM_BUILD_ROOT}" %{NINJA} -v -C build_rpm install
 install -m 0755 -d %{buildroot}%{_unitdir}/multi-user.target.wants
 ln -s ../kresd.target %{buildroot}%{_unitdir}/multi-user.target.wants/kresd.target
 
-# install .tmpfiles.d dirs
-install -m 0750 -d %{buildroot}%{_localstatedir}/cache/%{name}
-install -m 0750 -d %{buildroot}/run/%{name}
-
 # remove modules with missing dependencies
 rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/etcd.lua
 
@@ -198,9 +187,6 @@ rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/experimental_dot_auth.lua
 rm -r %{buildroot}%{_libdir}/knot-resolver/kres_modules/http
 rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/http*.lua
 rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/prometheus.lua
-rm %{buildroot}%{_unitdir}/kresd@.service.d/module-http.conf
-rm %{buildroot}%{_unitdir}/kresd-doh.socket
-rm %{buildroot}%{_unitdir}/kresd-webmgmt.socket
 %endif
 
 # rename doc directory for centos, opensuse
@@ -213,26 +199,59 @@ mv %{buildroot}/%{_datadir}/doc/%{name}/* %{buildroot}/%{_pkgdocdir}/
 getent group knot-resolver >/dev/null || groupadd -r knot-resolver
 getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysconfdir}/knot-resolver -s /sbin/nologin -c "Knot Resolver" knot-resolver
 
+%if "x%{?rhel}" == "x"
+# upgrade-4-to-5
+if [ -f %{_unitdir}/kresd.socket ] ; then
+	export UPG_DIR=%{_sharedstatedir}/knot-resolver/.upgrade-4-to-5
+	mkdir -p ${UPG_DIR}
+	touch ${UPG_DIR}/.unfinished
+
+	for sock in kresd.socket kresd-tls.socket kresd-webmgmt.socket kresd-doh.socket ; do
+		if systemctl is-enabled ${sock} 2>/dev/null | grep -qv masked ; then
+			systemctl show ${sock} -p Listen > ${UPG_DIR}/${sock}
+			case "$(systemctl show ${sock} -p BindIPv6Only)" in
+			*ipv6-only)
+				touch ${UPG_DIR}/${sock}.v6only
+				;;
+			*default)
+				if cat /proc/sys/net/ipv6/bindv6only | grep -q 1 ; then
+					touch ${UPG_DIR}/${sock}.v6only
+				fi
+				;;
+			esac
+		fi
+	done
+fi
+%endif
+
+
 %post
-%if 0%{?fedora}
-# in case socket/service files are updated
-systemctl daemon-reload
-%systemd_post 'system-kresd.slice'
-# https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets
-%else
+# upgrade-4-to-5
+%if "x%{?rhel}" == "x"
+export UPG_DIR=%{_sharedstatedir}/knot-resolver/.upgrade-4-to-5
+if [ -f ${UPG_DIR}/.unfinished ] ; then
+	rm -f ${UPG_DIR}/.unfinished
+	kresd -c %{_libdir}/knot-resolver/upgrade-4-to-5.lua &>/dev/null
+	echo -e "\n   !!! WARNING !!!"
+	echo -e "Knot Resolver configuration file requires manual upgrade.\n"
+	cat ${UPG_DIR}/kresd.conf.net 2>/dev/null
+fi
+%endif
+
+# in case service files are updated
+systemctl daemon-reload &>/dev/null ||:
 %systemd_post 'kresd@*.service'
+%tmpfiles_create %{_tmpfilesdir}/knot-resolver.conf
+%if "x%{?fedora}" == "x"
 /sbin/ldconfig
 %endif
 
 %preun
-%systemd_preun 'kresd@*.service' kres-cache-gc.service kresd.target kresd.socket kresd-tls.socket
+%systemd_preun kres-cache-gc.service kresd.target
 
 %postun
-# NOTE: this doesn't restart the services on CentOS 7
 %systemd_postun_with_restart 'kresd@*.service'
-%if 0%{?fedora}
-# https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets
-%else
+%if "x%{?fedora}" == "x"
 /sbin/ldconfig
 %endif
 
@@ -253,18 +272,11 @@ systemctl daemon-reload
 %{_unitdir}/kresd.target
 %dir %{_unitdir}/multi-user.target.wants
 %{_unitdir}/multi-user.target.wants/kresd.target
-%if "x%{?rhel}" == "x"
-%dir %{_unitdir}/kresd@.service.d
-%{_unitdir}/kresd.socket
-%{_unitdir}/kresd-tls.socket
-%{_unitdir}/kresd-control@.socket
-%ghost /run/%{name}/
 %{_mandir}/man7/kresd.systemd.7.gz
-%else
-%{_mandir}/man7/kresd.systemd.nosocket.7.gz
-%endif
 %{_tmpfilesdir}/knot-resolver.conf
-%attr(750,knot-resolver,knot-resolver) %dir %{_localstatedir}/cache/%{name}
+%ghost /run/%{name}
+%ghost %{_localstatedir}/cache/%{name}
+%attr(750,knot-resolver,knot-resolver) %dir %{_libdir}/%{name}
 %{_sbindir}/kresd
 %{_sbindir}/kresc
 %{_sbindir}/kres-cache-gc
@@ -311,11 +323,6 @@ systemctl daemon-reload
 
 %if "x%{?suse_version}" == "x"
 %files module-http
-%if 0%{?fedora}
-%{_unitdir}/kresd@.service.d/module-http.conf
-%{_unitdir}/kresd-doh.socket
-%{_unitdir}/kresd-webmgmt.socket
-%endif
 %{_libdir}/knot-resolver/debug_opensslkeylog.so
 %{_libdir}/knot-resolver/kres_modules/http
 %{_libdir}/knot-resolver/kres_modules/http*.lua
@@ -323,6 +330,13 @@ systemctl daemon-reload
 %endif
 
 %changelog
+* Mon Jan 27 2020 Tomas Krizek <tomas.krizek@nic.cz> - 5.0.0-1
+- update to new upstream version 5.0.0
+- removed systemd socket files (no longer supported)
+- add upgrade scriptlets for 5.x
+- remove lua-sec, lua-socket, lua-filesystem dependencies
+- create tmpfiles dirs with macro
+
 * Wed Dec 04 2019 Tomas Krizek <tomas.krizek@nic.cz> - 4.3.0-1
 - update to new upstream version 4.3.0
 - make config directory read-only for knot-resolver, relocate root.keys to /var/lib
diff --git a/sources b/sources
index e878fe5..27c66d3 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (knot-resolver-4.3.0.tar.xz) = cb59b8bd3d12feeba0fbf45e021c8cd7736393377aa6c71d2d365d0ebb58122c440df3187ed4d3396dacfa5aba4bb752826b9d9da02aea4b626fcba3767c7c47
-SHA512 (knot-resolver-4.3.0.tar.xz.asc) = cbae77267438ca6928c159854fb385ef5e9f2419fcb82c396e14b5c0bb562563be203c3b141b992cdee02720c4c437e91457a9102e37c09dbb24dea47636ac0d
+SHA512 (knot-resolver-5.0.0.tar.xz) = e9bce51bc0f48d6ed4dd6e9c097f39579e5fa3d7fb630ce0d1bd86a9b494439ffa610f80034a2e4259a9326dc654d27b91e79ace2ddac6bb7edb89d7e5864095
+SHA512 (knot-resolver-5.0.0.tar.xz.asc) = 2ab341891d1433534de6a502a11aeb7581ba68ffec41a51d079d66d38e51958e6edcdd271cc7248131a0f7ae17d9f5af5f07c40c0b7f5c531b65945edaaf9efd