diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index ad629cf1a..d21551d71 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -8,8 +8,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
-PKG_VERSION:=1.8.3
-PKG_RELEASE:=2
+PKG_VERSION:=1.9.0
+PKG_RELEASE:=1
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -17,7 +17,7 @@ PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@gmail.com>
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.unbound.net/downloads
-PKG_HASH:=2b692b8311edfad41e7d0380aac34576060d4176add81dc5db419c79b2a4cecc
+PKG_HASH:=415af94b8392bc6b2c52e44ac8f17935cc6ddf2cc81edfb47c5be4ad205ab917
 
 PKG_BUILD_PARALLEL:=1
 PKG_FIXUP:=autoreconf
diff --git a/net/unbound/patches/101-dns64-crash.patch b/net/unbound/patches/101-dns64-crash.patch
deleted file mode 100644
index e27f07205..000000000
--- a/net/unbound/patches/101-dns64-crash.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 023411f97505c8c7e375112ad853b6a40ef848a6 Mon Sep 17 00:00:00 2001
-From: Wouter Wijngaards <wouter@nlnetlabs.nl>
-Date: Wed, 12 Dec 2018 16:03:05 +0000
-Subject: [PATCH] - Fix for crash in dns64 module if response is null.
-
-git-svn-id: file:///svn/unbound/trunk@5025 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- dns64/dns64.c | 1 +
- doc/Changelog | 3 +++
- 2 files changed, 4 insertions(+)
-
-diff --git a/dns64/dns64.c b/dns64/dns64.c
-index 77e68900..f2834da2 100644
---- a/dns64/dns64.c
-+++ b/dns64/dns64.c
-@@ -628,6 +628,7 @@ handle_event_moddone(struct module_qstate* qstate, int id)
- 
- 	/* Store the response in cache. */
- 	if ( (!iq || !iq->started_no_cache_store) &&
-+		qstate->return_msg && qstate->return_msg->rep &&
- 		!dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep,
- 		0, 0, 0, NULL, qstate->query_flags))
- 		log_err("out of memory");
diff --git a/net/unbound/patches/200-openssl-deprecated.patch b/net/unbound/patches/200-openssl-deprecated.patch
index 6eaa082fa..7fa1ea86b 100644
--- a/net/unbound/patches/200-openssl-deprecated.patch
+++ b/net/unbound/patches/200-openssl-deprecated.patch
@@ -1,23 +1,8 @@
-Index: daemon/daemon.c
-===================================================================
---- a/daemon/daemon.c
-+++ b/daemon/daemon.c
-@@ -769,7 +769,7 @@ daemon_delete(struct daemon* daemon)
- #  endif
- #  ifdef HAVE_OPENSSL_CONFIG
- 	EVP_cleanup();
--#  if OPENSSL_VERSION_NUMBER < 0x10100000
-+#  if (OPENSSL_VERSION_NUMBER < 0x10100000) || !defined(OPENSSL_NO_ENGINE)
- 	ENGINE_cleanup();
- #  endif
- 	CONF_modules_free();
-Index: util/net_help.c
-===================================================================
 --- a/util/net_help.c
 +++ b/util/net_help.c
-@@ -1006,10 +1006,10 @@ void* outgoing_ssl_fd(void* sslctx, int fd)
+@@ -1049,10 +1049,10 @@ void* outgoing_ssl_fd(void* sslctx, int
  static lock_basic_type *ub_openssl_locks = NULL;
- 
+
  /** callback that gets thread id for openssl */
 -static unsigned long
 -ub_crypto_id_cb(void)
@@ -27,9 +12,9 @@ Index: util/net_help.c
 -	return (unsigned long)log_thread_get();
 +	CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get());
  }
- 
+
  static void
-@@ -1035,7 +1035,7 @@ int ub_openssl_lock_init(void)
+@@ -1078,7 +1078,7 @@ int ub_openssl_lock_init(void)
  	for(i=0; i<CRYPTO_num_locks(); i++) {
  		lock_basic_init(&ub_openssl_locks[i]);
  	}
@@ -38,7 +23,7 @@ Index: util/net_help.c
  	CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
  #endif /* OPENSSL_THREADS */
  	return 1;
-@@ -1047,7 +1047,7 @@ void ub_openssl_lock_delete(void)
+@@ -1090,7 +1090,7 @@ void ub_openssl_lock_delete(void)
  	int i;
  	if(!ub_openssl_locks)
  		return;
diff --git a/net/unbound/patches/300-fix-ssl-err-log.patch b/net/unbound/patches/300-fix-ssl-err-log.patch
new file mode 100644
index 000000000..f2f0adda8
--- /dev/null
+++ b/net/unbound/patches/300-fix-ssl-err-log.patch
@@ -0,0 +1,39 @@
+Index: daemon/remote.c
+===================================================================
+--- a/daemon/remote.c	(revision 5105)
++++ b/daemon/remote.c	(working copy)
+@@ -1987,7 +1987,7 @@
+ 				return NULL;
+ 			}
+ 		} else {
+-#ifndef HAVE_SSL_SET1_HOST
++#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+ 			if(auth_name)
+ 			  log_err("no name verification functionality in "
+ 				"ssl library, ignored name for %s", todo);
+Index: iterator/iter_fwd.c
+===================================================================
+--- a/iterator/iter_fwd.c	(revision 5105)
++++ b/iterator/iter_fwd.c	(working copy)
+@@ -239,7 +239,7 @@
+ 				s->name, p->str);
+ 			return 0;
+ 		}
+-#ifndef HAVE_SSL_SET1_HOST
++#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+ 		if(tls_auth_name)
+ 			log_err("no name verification functionality in "
+ 				"ssl library, ignored name for %s", p->str);
+Index: iterator/iter_hints.c
+===================================================================
+--- a/iterator/iter_hints.c	(revision 5105)
++++ b/iterator/iter_hints.c	(working copy)
+@@ -252,7 +252,7 @@
+ 				s->name, p->str);
+ 			return 0;
+ 		}
+-#ifndef HAVE_SSL_SET1_HOST
++#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
+ 		if(auth_name)
+ 			log_err("no name verification functionality in "
+ 				"ssl library, ignored name for %s", p->str);