diff --git a/.gitignore b/.gitignore
index 1911c71..bb7787d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -65,3 +65,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.13.0.tar.gz.asc
 /unbound-1.13.1.tar.gz
 /unbound-1.13.1.tar.gz.asc
+/unbound-1.13.2.tar.gz
+/unbound-1.13.2.tar.gz.asc
diff --git a/sources b/sources
index c7d1af2..d54a5cf 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (unbound-1.13.1.tar.gz) = f4d26dca28dbcc33a5e65a55147fa01077c331292e88b6a87798cb6c3d4edb0515015d131fd893c92b74d22d9998a640f0adce404e6192d61ebe69a6a599287c
-SHA512 (unbound-1.13.1.tar.gz.asc) = a4a943841c4db14b2d236b4b80ac80129148c42f7b3d82246b0e0150c1e3e3e294863d5c72d1ac41c2164126d1d10f9044554f97aa6d94019acb41b5f7ed7d34
+SHA512 (unbound-1.13.2.tar.gz) = 1e89441446e7a25c6a49bded645f8b348c1758c3be54e3a986041cb1f00c45d152fd469dc52666fb820574db9d51b16f1627dc8afcb9519508d4833ca358191a
+SHA512 (unbound-1.13.2.tar.gz.asc) = b905f5f981361131e7a8d3403df632603304778bd7d4fffba8d113c4246d8133f26903a5af53d21b979b652cbae8f6e92620d3a262d8b2837ab8c2a5712650ee
diff --git a/unbound.conf b/unbound.conf
index e414f9c..4ee6d10 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -393,18 +393,28 @@ server: # enable to not answer version.server and version.bind queries. # hide-version: no - # NSID identity (hex string, or "ascii_somestring"). default disabled. - # nsid: "aabbccdd" + # enable to not set the User-Agent HTTP header. + # hide-http-user-agent: no # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no + # enable to not set the User-Agent HTTP header. + # hide-http-user-agent: no + # the identity to report. Leave "" or default to return hostname. # identity: "" # the version to report. Leave "" or default to return package version. # version: "" + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" + + # User-Agent HTTP header to use. Leave "" or default to use package name + # and version. + # http-user-agent: "" + # the target fetch policy. # series of integers describing the policy per dependency depth. # The number of values in the list determines the maximum dependency @@ -584,6 +594,10 @@ server: # val-sig-skew-min: 3600 # val-sig-skew-max: 86400 + # The maximum number the validator should restart validation with + # another authority in case of failed validation. + # val-max-restart: 5 + # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data @@ -616,7 +630,7 @@ server: # that the expired records will be served as long as there are queries # for it. # serve-expired-ttl-reset: no - + # # TTL value to use when replying with expired data. # serve-expired-reply-ttl: 30 # 
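Review bot: The commented `hide-http-user-agent: no` option and its description are added twice in the `@@ -393` hunk, once where the NSID lines used to be and again directly after `# hide-trustanchor: no`. Keep a single copy, so that an administrator who uncomments one of them does not leave a second, possibly contradictory, copy a few lines away. The `server:` section starts and ends outside the hunk.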
@@ -642,7 +656,10 @@ server: # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" + + # if enabled, ZONEMD verification failures do not block the zone. + # zonemd-permissive-mode: no # instruct the auto-trust-anchor-file probing to add anchors after ttl. # add-holddown: 2592000 # 30 days @@ -795,6 +812,10 @@ server: # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" # cipher setting for TLSv1.3 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + # TODO: ask system-wide crypto people what to use here + #tls-ciphersuites: "PROFILE=SYSTEM" # does not work # Pad responses to padded queries received over TLS # pad-responses: yes @@ -931,6 +952,13 @@ server: # ipsecmod-allow: "example.com" # ipsecmod-allow: "nlnetlabs.nl" + # Timeout for REUSE entries in milliseconds. + # tcp-reuse-timeout: 60000 + # Max number of queries on a reuse connection. + # max-reuse-tcp-queries: 200 + # Timeout in milliseconds for TCP queries to auth servers. + # tcp-auth-query-timeout: 3000 + # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. 
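Review bot: In the `@@ -795` hunk the only active setting is `tls-ciphers: "PROFILE=SYSTEM"`, which covers TLS 1.2 and earlier; the TLS 1.3 `tls-ciphersuites` line stays commented out with a TODO saying the profile string does not work there, so the file never states which policy TLS 1.3 connections end up with. Replace the TODO with a statement of the effective behaviour, for example `# tls-ciphersuites left unset: TLS 1.3 suites fall back to the OpenSSL library default (confirm this tracks crypto-policies)`. `PROFILE=SYSTEM` is presumably understood only by OpenSSL builds that carry the crypto-policies patch, so a one-line comment marking the value as distribution-specific would help anyone copying this file to another platform. The `server:` section continues outside the hunk.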
@@ -941,6 +969,17 @@ python: # Script file to load # python-script: "/etc/unbound/ubmodule-tst.py" +# Dynamic library config section. To enable: +# o use --with-dynlibmodule to configure before compiling. +# o list dynlib in the module-config string (above) to enable. +# It can be placed anywhere, the dynlib module is only a very thin wrapper +# to load modules dynamically. +# o and give a dynlib-file to run. If more than one dynlib entry is listed in +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + # Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. 
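Review bot: The comment `# Script file to load` above `dynlib-file` was carried over from the python section, but the option names a shared object (`/etc/unbound/dynlib.so`) that the dynlib module loads into the unbound process. Suggest `# Shared library to load into the unbound process; keep it owned by root and not writable by the unbound user.` so the trust requirement on that path is stated right where the option gets enabled.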
@@ -1036,29 +1075,32 @@ include: /etc/unbound/conf.d/*.conf # notifies. auth-zone: name: "." + primary: 199.9.14.201 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2001:500:200::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes for-downstream: no for-upstream: yes - fallback-enabled: yes - master: 199.9.14.201 # b.root-servers.net - master: 192.33.4.12 # c.root-servers.net - master: 199.7.91.13 # d.root-servers.net - master: 192.5.5.241 # f.root-servers.net - master: 192.112.36.4 # g.root-servers.net - master: 193.0.14.129 # k.root-servers.net - master: 192.0.47.132 # xfr.cjr.dns.icann.org - master: 192.0.32.132 # xfr.lax.dns.icann.org - master: 2001:500:200::b # b.root-servers.net - master: 2001:500:2::c # c.root-servers.net - master: 2001:500:2d::d # d.root-servers.net - master: 2001:500:2f::f # f.root-servers.net - master: 2001:500:12::d0d # g.root-servers.net - master: 2001:7fd::1 # k.root-servers.net - master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org - master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + # auth-zone: # name: "example.org" # for-downstream: yes # for-upstream: yes +# zonemd-check: no +# zonemd-reject-absence: no # zonefile: "example.org.zone" # Views diff --git a/unbound.spec b/unbound.spec index 46623e1..51ec747 100644 --- a/unbound.spec +++ b/unbound.spec 
@@ -20,13 +20,6 @@ %if 0%{?rhel} %global with_munin 0 -%if 0%{?with_python2} && 0%{?rhel} <= 6 -# needed just for EPEL -%{!?__python2: %global __python2 /usr/bin/python2} -%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} -%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} -%endif - %if 0%{?rhel} <= 7 %global with_python3 0 %else @@ -36,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.13.1 -Release: 8%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.13.2 +Release: 1%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -61,13 +54,6 @@ Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_vers # source: https://nlnetlabs.nl/people/ Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key -# Backport two fixes: -# https://github.com/NLnetLabs/unbound/commit/e0d426ebb10653a78bf5c4053198f6ac19bfcd3e -# https://github.com/NLnetLabs/unbound/pull/427 -# Fix build on Python 3.10 (rhbz#1889726). -Patch1: unbound-python310.patch -# rhbz#1935101 upstream PR https://github.com/NLnetLabs/unbound/pull/415/files -Patch2: unbound-1.13.1-rh1935101.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel @@ -466,6 +452,10 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Thu Aug 12 2021 Paul Wouters - 1.13.2-1 +- Resolves: rhbz#1992985 unbound-1.13.2 is available +- Use system-wide crypto policies + * Fri Jul 23 2021 Fedora Release Engineering - 1.13.1-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild