diff --git a/unbound-remove-buildin-key.patch b/unbound-remove-buildin-key.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8ed447392f1c91c448bce4541ee083abcf3a9191
--- /dev/null
+++ b/unbound-remove-buildin-key.patch
@@ -0,0 +1,44 @@
+From bd895d2d82990bfe059acfb0e078bb8d44207287 Mon Sep 17 00:00:00 2001
+From: hanzhijun
+Date: Fri, 19 Feb 2021 16:20:53 +0800
+Subject: [PATCH] remove buildin key
+
+Conflict:NA
+Reference:https://gitee.com/src-openeuler/unbound/blob/openEuler-20.03-LTS-SP1/unbound-remove-buildin-key.patch
+
+---
+ unbound-1.7.3/smallapp/unbound-anchor.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+diff --git a/unbound-1.7.3/smallapp/unbound-anchor.c b/unbound-1.7.3/smallapp/unbound-anchor.c
+index f398509..1ca062b 100644
+--- a/smallapp/unbound-anchor.c
++++ b/smallapp/unbound-anchor.c
+@@ -214,25 +214,6 @@ get_builtin_cert(void)
+ static const char ICANN_UPDATE_CA[] =
+ /* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
+ "-----BEGIN CERTIFICATE-----\n"
+- "MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
+- "TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
+- "BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
+- "DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
+- "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
+- "MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
+- "cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
+- "G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
+- "ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
+- "paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
+- "MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
+- "iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
+- "Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
+- "DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
+- "6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
+- "2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
+- "15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
+- "0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
+- "j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
+ "-----END CERTIFICATE-----\n";
+
+ static const char DS_TRUST_ANCHOR[] =
+--
+2.23.0
\ No newline at end of file
diff --git a/unbound.spec b/unbound.spec
index d5b1ea4d0d081957c232d1567d0cc50f3a338a57..6ca3917a4151dc6899ed11259a916fd594aa08dc 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -2,7 +2,7 @@
 Name: unbound
 Version: 1.13.2
-Release: 3
+Release: 4
 Summary: Unbound is a validating, recursive, caching DNS resolver
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/about/
@@ -22,10 +22,10 @@ Source12: unbound-anchor.timer
 Source13: unbound-anchor.service
 Patch0: backport-fix-q-doesnt-work-when-use-with-unbound-control-stats_shm.patch
+Patch1: unbound-remove-buildin-key.patch
 BuildRequires: make flex swig pkgconfig systemd
 BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
-BuildRequires: unbound-libs
 BuildRequires: gcc
 %{?systemd_requires}
@@ -108,7 +108,11 @@ popd
 install -d -m 0755 $RPM_BUILD_ROOT%{_tmpfilesdir} $RPM_BUILD_ROOT%{_sharedstatedir}/unbound
 install -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/unbound/
 install -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_tmpfilesdir}/unbound.conf
+%if %{?openEuler:1}0
 install -m 0644 %{SOURCE10} $RPM_BUILD_ROOT%{_sharedstatedir}/unbound/root.key
+%else
+install -m 0600 %{SOURCE10} $RPM_BUILD_ROOT%{_sharedstatedir}/unbound/root.key
+%endif
 install -p -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_unitdir}/unbound.service
 install -p -m 0755 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/unbound
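Review bot: The nested hunk in `get_builtin_cert()` removes only the base64 body of `ICANN_UPDATE_CA`, so the constant becomes an empty `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` envelope while the kept comment still reads "The ICANN CA fetched at 24 Sep 2010. Valid to 2028". An X.509 CA certificate is public data rather than key material, and with it gone the built-in fallback presumably yields no trusted certificate, so authenticating a root-anchor update rests entirely on the packaged `icannbundle.pem` being present and readable; the patch description should say so, and the comment should become something like `/* built-in ICANN CA removed by distribution patch; a certificate file must be supplied */`. `DS_TRUST_ANCHOR` in the trailing context stays built in, so the title "remove buildin key" describes the change only loosely. The patch headers name `unbound-1.7.3` and offsets `-214,25` while the spec builds 1.13.2, so it is worth confirming that it applies without fuzz; the function body continues outside the nested hunk.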
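Review bot: The `%if %{?openEuler:1}0` branch around the `root.key` install in the hunk at -108 repeats a decision that the `%attr(...)` entries in `%files libs` (hunk at -202) make again, since `%attr` fixes the packaged mode whatever mode the buildroot copy has. Keeping the single line `install -m 0644 %{SOURCE10} $RPM_BUILD_ROOT%{_sharedstatedir}/unbound/root.key` and leaving the policy to `%files` would stop the two places from drifting apart. If both are kept, a comment such as `# key and bundle files: 0644 on openEuler, 0600 otherwise` above the `%if` would record the intent.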
@@ -202,10 +206,17 @@ popd
 %files libs
 %defattr(-,root,root)
 %dir %attr(0755,root,root) %{_sysconfdir}/%{name}
+%if %{?openEuler:1}0
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
 %{_sysconfdir}/%{name}/icannbundle.pem
+%else
+%attr(0600,root,root) %config %{_sysconfdir}/%{name}/root.key
+%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
+%attr(0600,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key
+%attr(0600,root,root) %{_sysconfdir}/%{name}/icannbundle.pem
+%endif
 %{_sbindir}/unbound-anchor
 %{_libdir}/libunbound.so.*
 %{_unitdir}/unbound-anchor.timer
@@ -227,6 +238,14 @@ popd
 %{_mandir}/man*
 %changelog
+* Sat Jun 11 2022 gaihuiying - 1.13.2-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:remove buildin key
+ add macros to control if key files permissons is 600 or 644
+ remove useless BuildRequires:unbound-libs
+
 * Mon Mar 21 2022 gaihuiying - 1.13.2-3
 - Type:bugfix
 - ID:NA
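Review bot: In the `%else` branch of the `%files libs` hunk, `%attr(0600,root,root)` on `%{_sysconfdir}/%{name}/icannbundle.pem` and on `%{_sysconfdir}/%{name}/root.key` makes both readable by root only, while the state directory and its `root.key` belong to `unbound`. If `unbound-anchor` or the daemon runs as the `unbound` user (the unit files are not shown here), it could no longer read the certificate bundle, and with the built-in certificate emptied by `unbound-remove-buildin-key.patch` there would be no fallback for authenticating a root-anchor update. Both files hold public data, so 0600 adds no confidentiality and root ownership already protects integrity; `%attr(0644,root,root) %{_sysconfdir}/%{name}/icannbundle.pem` in both branches would keep the bundle usable. A short `#` comment above the `%if` stating which build gets which mode, and why, would also help.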