diff --git a/unbound-1.4.20-roundrobin.patch b/unbound-1.4.20-roundrobin.patch
new file mode 100644
index 0000000..dcd4ebc
--- /dev/null
+++ b/unbound-1.4.20-roundrobin.patch
@@ -0,0 +1,12 @@
+diff -Naur unbound-1.4.20-orig/util/data/msgencode.c unbound-1.4.20/util/data/msgencode.c
+--- unbound-1.4.20-orig/util/data/msgencode.c 2012-04-10 05:16:39.000000000 -0400
++++ unbound-1.4.20/util/data/msgencode.c 2013-05-21 15:47:01.435609420 -0400
+@@ -659,7 +659,7 @@
+ }
+ }
+ /* roundrobin offset. using query id for random number */
+- rr_offset = RRSET_ROUNDROBIN?id:0;
++ rr_offset = RRSET_ROUNDROBIN ? ntohs(id) : 0;
+
+ /* insert answer section */
+ if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
diff --git a/unbound.conf b/unbound.conf
index 2bb28a0..d3add29 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -323,11 +323,11 @@ server:
 prefetch-key: yes
 # if yes, Unbound rotates RRSet order in response.
- # rrset-roundrobin: no
+ rrset-roundrobin: yes
 # if yes, Unbound doesn't insert authority/additional sections
 # into response messages when those sections are not required.
- # minimal-responses: no
+ minimal-responses: yes
 # module configuration of the server. A string with identifiers
 # separated by spaces. "iterator" or "validator iterator"
diff --git a/unbound.init b/unbound.init
index ddf187a..f709032 100644
--- a/unbound.init
+++ b/unbound.init
@@ -25,7 +25,6 @@
 exec="/usr/sbin/unbound"
 config="/etc/unbound/unbound.conf"
-rootdir="/var/lib/unbound"
 pidfile="/var/run/unbound/unbound.pid"
 piddir=`dirname $pidfile`
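Review bot: The new unbound-1.4.20-roundrobin.patch opens directly with `diff -Naur`, so nothing in it records where the `ntohs(id)` change comes from or whether upstream already carries it; a short header above the diff, for example `# Use the query id in host byte order as the round-robin offset (upstream: <bug or commit reference>)`, would let a later rebase decide whether the patch can be dropped. The comment kept in the msgencode.c context still calls the query id a random number, but the id presumably comes from the incoming query, so the rotation start is picked by the client rather than being unpredictable; that is adequate for spreading load and worth stating, e.g. `/* roundrobin offset: query id in host order; client-chosen, not a source of randomness */`. The declaration of `id` is outside the hunk, so the 16-bit network-order assumption behind `ntohs` should be confirmed against the function signature.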
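Review bot: Neither `rrset-roundrobin: yes` nor `minimal-responses: yes` in unbound.conf is marked as a packaging choice, and the commented-out `no` lines that presumably showed the stock values are removed, so an administrator comparing this file with the upstream documentation cannot tell that the deviation is intentional. A closing remark in each comment block, e.g. `# (stock default: no; enabled by this package)`, would keep that visible.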
@@ -44,9 +43,9 @@ start() {
 # /var/run could (and should) be tmpfs
 [ -d $piddir ] || mkdir $piddir
- if [ -f /etc/unbound/root.anchor -a -f /usr/sbin/unbound-anchor ]
+ if [ -f /var/lib/unbound/root.anchor -a -f /usr/sbin/unbound-anchor ]
 then
- /usr/sbin/unbound-anchor -a /etc/unbound/root.anchor -c /etc/unbound/icannbundle.pem
+ /sbin/runuser --command="/usr/sbin/unbound-anchor -a /var/lib/unbound/root.anchor -c /etc/unbound/icannbundle.pem" --shell /bin/sh unbound
 fi
 if [ ! -f /etc/unbound/unbound_control.key ]
diff --git a/unbound.spec b/unbound.spec
index 8aaf9a4..4ad79e8 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -11,7 +11,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.4.20
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
 Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -31,6 +31,8 @@ Source14: unbound.sysconfig
 Source15: unbound.cron
 Source16: unbound-munin.README
+Patch1: unbound-1.4.20-roundrobin.patch
+
 Group: System Environment/Daemons
 BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.13,
 BuildRequires: libevent-devel expat-devel
@@ -107,6 +109,7 @@ Python modules and extensions for unbound
 %prep
 %setup -q
+%patch1 -p1
 %build
 export LDFLAGS="$LDFLAGS -Wl,-z,now,-z,relro -pie"
@@ -151,7 +154,7 @@ done
 install -p -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
 # install root and DLV key
-install -p -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key
+install -p -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.anchor
 # old location for compatibility with changed config files that don't get updated
 install -p -m 0644 %{SOURCE5} %{SOURCE6} %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/
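Review bot: In unbound.init's start(), the anchor path is now spelled out twice, once in the `-f` test and once inside the `--command` string, in the same commit that drops the `rootdir` variable which held `/var/lib/unbound`; a single variable such as `anchor="/var/lib/unbound/root.anchor"` used in both places would keep the guard and the update from drifting apart. The helper is only tested with `-f`, where `-x /usr/sbin/unbound-anchor` would match how it is used. A one-line comment above the call, `# run as the unbound user so the anchor file is never written as root`, would record why runuser is there. start() begins before and continues after this hunk.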
@@ -234,7 +237,7 @@ install -p -m 0644 %{SOURCE16} .
 %{_sysconfdir}/%{name}/icannbundle.pem
 %attr(0644,root,root) %{_sysconfdir}/cron.d/unbound-anchor
 %attr(0755,unbound,unbound) %dir %{_sharedstatedir}/%{name}
-%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
+%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.anchor
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
@@ -258,7 +261,7 @@ sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbo
 %post libs
 /sbin/ldconfig
-/sbin/runuser unbound -G unbound %{_sbindir}/unbound-anchor -a %{_sharedstatedir}/%{name}/root.key -c %{_sysconfdir}/%{name}/icannbundle.pem ||:
+/sbin/runuser --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.key -c %{_sysconfdir}/unbound/icannbundle.pem" --shell /bin/sh unbound
 %preun
 if [ "$1" -eq 0 ]; then
@@ -274,6 +277,11 @@ fi
 %postun libs -p /sbin/ldconfig
 %changelog
+* Fri Apr 19 2013 Paul Wouters - 1.4.20-2
+- Fix for the runuser command in post (rhbz#953337)
+- Enable round-robin in unbound.conf (and patch for ntohs)
+- Enable minimum-response in unbound.conf
+
 * Tue Apr 16 2013 Paul Wouters - 1.4.20-1
 - Updated to 1.4.20
 - Build with full RELRO / pie
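Review bot: The rewritten `%post libs` call in unbound.spec (the -258 hunk) still passes `-a %{_sharedstatedir}/unbound/root.key`, while this commit installs and lists that file as `root.anchor` (the `install` line in the -151 hunk and the `%files` line in the -234 hunk) and the init script now reads `/var/lib/unbound/root.anchor`, so the scriptlet appears to maintain a different trust-anchor file from the one the package ships and the service refreshes. The new line also drops the trailing `||:`, so any non-zero exit from runuser or unbound-anchor now becomes a failed scriptlet. Suggested line: `/sbin/runuser --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.anchor -c %{_sysconfdir}/unbound/icannbundle.pem" --shell /bin/sh unbound ||:`.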