import opendnssec-2.1.14-0.2rc1.el10

4 months ago · f6d70b0d09
commit f6d70b0d09
16 changed files with 1635 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+SOURCES/opendnssec-2.1.14rc1.tar.gz
+SOURCES/opendnssec-2.1.14rc1.tar.gz.sig
--- a/.opendnssec.metadata
+++ b/.opendnssec.metadata
@ -0,0 +1,2 @@
+6756f80a9817ca95dbc170af2d36a567870435ef SOURCES/opendnssec-2.1.14rc1.tar.gz
+6ed3b3a0d4c2fb5482ec04c9dc0d62f7b2947213 SOURCES/opendnssec-2.1.14rc1.tar.gz.sig
--- a/SOURCES/0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch
+++ b/SOURCES/0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch
@ -0,0 +1,35 @@
+From 4d87db0f11bcdd5c54fadb92351b603bd07f76f8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 30 Jan 2023 11:44:49 +0200
+Subject: [PATCH] Pass right remaining buffer size in hsm_hex_unparse to handle
+ string fortification
+
+When string fortification is in use (-DFORTIFY_SOURCE=3), GCC and glibc
+will cut few bytes off the string buffer for prevention of buffer
+overruns. As a result, hsm_hex_unparse() will call into snprintf() with
+a buffer length bigger than the size of the buffer as seen by the
+GCC/glibc pair.
+
+See also: https://pagure.io/freeipa/issue/9312
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ libhsm/src/lib/libhsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
+index 88dc79e31..8f1e0c3bc 100644
+--- a/libhsm/src/lib/libhsm.c
+++ b/libhsm/src/lib/libhsm.c
+@@ -1382,7 +1382,7 @@ hsm_hex_unparse(char *dst, const unsigned char *src, size_t len)
+     size_t i;
+ 
+     for (i = 0; i < len; i++) {
+-        snprintf(dst + (2*i), dst_len, "%02x", src[i]);
+        snprintf(dst + (2*i), dst_len - (2*i), "%02x", src[i]);
+     }
+     dst[len*2] = '\0';
+ }
+-- 
+2.39.0
+
--- a/SOURCES/conf.xml
+++ b/SOURCES/conf.xml
@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<Configuration>
+
+	<RepositoryList>
+
+		<Repository name="SoftHSM">
+			<Module>/usr/lib64/softhsm/libsofthsm.so</Module>
+			<TokenLabel>OpenDNSSEC</TokenLabel>
+			<PIN>1234</PIN>
+<!--
+			# Disabled so it stores the public key in the HSM too,
+			# so bind's dnssec-signzone can be used as well
+			<SkipPublicKey/>
+-->
+		</Repository>
+
+<!--
+		<Repository name="sca6000">
+			<Module>/usr/lib64/opencryptoki/PKCS11_API.so</Module>
+			<TokenLabel>Sun Metaslot</TokenLabel>
+			<PIN>test:1234</PIN>
+			<Capacity>255</Capacity>
+			<RequireBackup/>
+			<SkipPublicKey/>
+		</Repository>
+-->
+
+	</RepositoryList>
+
+	<Common>
+		<Logging>
+			<Syslog><Facility>local0</Facility></Syslog>
+		</Logging>
+		
+		<PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
+		<ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
+
+	<!--
+		<ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>
+	-->
+	</Common>
+
+	<Enforcer>
+		<Privileges>
+			<User>ods</User>
+			<Group>ods</Group>
+		</Privileges>
+
+		<Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
+		<!-- <ManualKeyGeneration/> -->
+		<!-- <RolloverNotification>P14D</RolloverNotification> -->
+		
+		<!-- the <DelegationSignerSubmitCommand> will get all current
+		     DNSKEYs (as a RRset) on standard input
+		-->
+		<!-- <DelegationSignerSubmitCommand>/usr/sbin/eppclient</DelegationSignerSubmitCommand> -->
+	</Enforcer>
+
+	<Signer>
+		<Privileges>
+			<User>ods</User>
+			<Group>ods</Group>
+		</Privileges>
+
+		<WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
+		<WorkerThreads>4</WorkerThreads>
+		<!-- <SignerThreads>4</SignerThreads> -->
+
+<!--
+                <Listener>
+                        <Interface><Port>53</Port></Interface>
+                </Listener>
+-->
+
+		<!-- the <NotifyCommmand> will expand the following variables:
+
+		     %zone      the name of the zone that was signed
+		     %zonefile  the filename of the signed zone
+		<NotifyCommand>sudo systemctl reload nsd.service</NotifyCommand>
+		-->
+<!--
+		<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
+-->
+	</Signer>
+
+</Configuration>
--- a/SOURCES/ods-enforcerd.service
+++ b/SOURCES/ods-enforcerd.service
@ -0,0 +1,16 @@
+[Unit]
+Description=OpenDNSSEC Enforcer daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/enforcerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
+ExecStartPost=/bin/bash -c 'while [ ! -S /run/opendnssec/enforcer.sock ]; do sleep 1; echo "Waiting for socket"; done'
+TimeoutStartSec=20
+
+[Install]
+WantedBy=multi-user.target
--- a/SOURCES/ods-signerd.service
+++ b/SOURCES/ods-signerd.service
@ -0,0 +1,14 @@
+[Unit]
+Description=OpenDNSSEC signer daemon
+After=syslog.target network.target ods-enforcerd.service
+
+[Service]
+Type=simple
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/signerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
+
+[Install]
+WantedBy=multi-user.target
--- a/SOURCES/ods.sysconfig
+++ b/SOURCES/ods.sysconfig
@ -0,0 +1,2 @@
+ODS_SIGNERD_OPT=""
+ODS_ENFORCERD_OPT=""
--- a/SOURCES/opendnssec-2.1.14rc1-gcc14.patch
+++ b/SOURCES/opendnssec-2.1.14rc1-gcc14.patch
@ -0,0 +1,34 @@
+From 17e9e444e052ca43ab31da77e9327f159baf5b9c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 8 Feb 2024 13:10:53 +0200
+Subject: [PATCH] Fix missing include
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+scheduler/task.c: In function ‘task_perform’:
+scheduler/task.c:137:25: error: implicit declaration of function ‘clamp’ [-Wimplicit-function-declaration]
+  137 |         task->backoff = clamp(task->backoff * 2, 60, ODS_SE_MAX_BACKOFF);
+      |                         ^~~~~
+make[2]: *** [Makefile:600: scheduler/task.o] Error 1
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ common/scheduler/task.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/scheduler/task.c b/common/scheduler/task.c
+index 4dcf9e900..0dfa496a2 100644
+--- a/common/scheduler/task.c
+++ b/common/scheduler/task.c
+@@ -40,6 +40,7 @@
+ #include "duration.h"
+ #include "file.h"
+ #include "log.h"
+#include "utilities.h"
+ 
+ static const char* task_str = "task";
+ static pthread_mutex_t worklock = PTHREAD_MUTEX_INITIALIZER;
+-- 
+2.43.0
+
--- a/SOURCES/opendnssec-2.1.sqlite_convert.sql
+++ b/SOURCES/opendnssec-2.1.sqlite_convert.sql
@ -0,0 +1,842 @@
+INSERT INTO databaseVersion VALUES (NULL, 1, 1);
+
+-- ~ ************
+-- ~ ** policy table
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO policy 
+SELECT id, 1, name, description,
+0, 0, 0,
+0, 0, 0, 0,
+86400, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0
+FROM REMOTE.policies;
+
+UPDATE policy
+SET signaturesResign = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'resign');
+
+UPDATE policy
+SET signaturesRefresh = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'refresh') ;
+
+UPDATE policy
+SET signaturesJitter = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'jitter');
+
+UPDATE policy
+SET signaturesInceptionOffset = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'clockskew');
+
+UPDATE policy
+SET signaturesValidityDefault = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'valdefault');
+
+UPDATE policy
+SET signaturesValidityDenial = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'valdenial');
+
+--MaxZoneTTL default 86400
+
+-- We need the following mapping 1.4 -> 2.0 for denialType
+-- 0 -> 1
+-- 3 -> 0
+
+UPDATE policy
+SET denialType = (
+	SELECT (~value)&1
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'version');
+
+-- I'm pretty sure this is not the correct way to do it. It is aweful but
+-- I can't figure it out how it would work for sqlite.
+UPDATE policy
+SET denialOptout = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'optout')
+WHERE null !=  (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'optout');
+
+UPDATE policy
+SET denialTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'ttl')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET denialResalt = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'resalt')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'resalt');
+
+UPDATE policy
+SET denialAlgorithm = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'algorithm')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'algorithm');
+
+UPDATE policy
+SET denialIterations = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'iterations')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'iterations');
+
+UPDATE policy
+SET denialSaltLength = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'saltlength')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'saltlength');
+
+-- clumsy salt update. salt is optional in 1.4 but required in 2.0
+-- sqlite is limited in what it can do in an update. I hope there is a
+-- better way for this?
+
+UPDATE policy
+SET denialSalt = (
+	SELECT salt
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id)
+WHERE (
+	SELECT salt
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id) != null;
+
+UPDATE policy
+SET denialSaltLastChange = (
+	SELECT salt_stamp
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id)
+WHERE (
+	SELECT salt_stamp
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id) != null;
+
+UPDATE policy
+SET keysTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET keysRetireSafety = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'retiresafety');
+
+UPDATE policy
+SET keysPublishSafety = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'publishsafety');
+
+UPDATE policy
+SET keysShared = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'zones_share_keys');
+
+UPDATE policy
+SET keysPurgeAfter = COALESCE((
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'purge'), 0);
+
+UPDATE policy
+SET zonePropagationDelay = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'propagationdelay');
+
+UPDATE policy
+SET zoneSoaTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET zoneSoaMinimum = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'min');
+
+-- Temporary mapping table between 1.4 and 2.0 SOA serial strategy
+CREATE TABLE mapping (
+	soa14 INTEGER,
+	soa20 INTEGER
+);
+INSERT INTO mapping SELECT  1, 2;
+INSERT INTO mapping SELECT  2, 0;
+INSERT INTO mapping SELECT  3, 1;
+INSERT INTO mapping SELECT  4, 3;
+
+UPDATE policy
+SET zoneSoaSerial = (
+	SELECT mapping.soa20
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+        INNER JOIN mapping
+        ON REMOTE.parameters_policies.value = mapping.soa14
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'serial');
+
+DROP TABLE mapping;
+
+-- parentRegistrationDelay = 0 on 1.4
+
+UPDATE policy
+SET parentPropagationDelay = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'propagationdelay');
+
+UPDATE policy
+SET parentDsTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'ttlds');
+
+UPDATE policy
+SET parentSoaTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET parentSoaMinimum = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'min');
+
+-- passthrough = 0
+
+-- ~ ************
+-- ~ ** policyKey table
+-- ~ **
+-- ~ ** For each policy in 1.4 add two keys: KSK and ZSK
+-- ~ **
+-- ~ **
+-- ~ ************
+
+-- Insert each KSK
+INSERT INTO policyKey
+SELECT null, 1, id,
+		1, 0, 0,
+		0, 0, 0,
+		0, 0, 4
+FROM REMOTE.policies;
+
+-- Insert each ZSK
+INSERT INTO policyKey
+SELECT null, 1, id,
+		2, 0, 0,
+		0, 0, 0,
+		0, 0, 1
+FROM REMOTE.policies;
+
+UPDATE policyKey
+SET algorithm = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'algorithm')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET algorithm = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'algorithm')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET bits = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'bits')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET bits = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'bits')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET lifetime = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'lifetime')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET lifetime = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'lifetime')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET repository = (
+	SELECT REMOTE.securitymodules.name
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	INNER JOIN REMOTE.securitymodules
+	ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'repository')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET repository = (
+	SELECT REMOTE.securitymodules.name
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	INNER JOIN REMOTE.securitymodules
+	ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'repository')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET standby = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'standby')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET standby = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'standby')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET manualRollover = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'manual_rollover')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET manualRollover = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'manual_rollover')
+WHERE policyKey.role = 2;
+
+-- rfc5011 = 0. 2.0 has no support
+-- minimize already set
+
+-- ~ ************
+-- ~ ** hsmKey table
+-- ~ **
+-- ~ ** get from keypairs and dnsseckeys
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO hsmKey
+SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
+REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size, 
+REMOTE.keypairs.algorithm,  (~(REMOTE.dnsseckeys.keytype)&1)+1, 
+CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN 
+	strftime('%s', REMOTE.keypairs.generate) 
+	ELSE strftime("%s", "now") END, 
+0, 
+1, --only RSA supported
+ REMOTE.securitymodules.name, 
+0 --assume no backup 
+FROM REMOTE.keypairs
+JOIN REMOTE.dnsseckeys 
+	ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
+JOIN REMOTE.securitymodules 
+	ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
+
+-- For some policies put the keys in a shared state
+UPDATE hsmKey 
+SET state = 3
+WHERE EXISTS 
+	(SELECT * FROM hsmKey AS h 
+	JOIN policy ON policy.id = h.policyId 
+	WHERE policy.keysShared AND hsmKey.id = h.id);
+
+-- ~ ************
+-- ~ ** zone table
+-- ~ **
+-- ~ ** 
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO zone
+SELECT zones.id, 1, zones.policy_id, 
+	zones.name, 1, zones.signconf, 0,  
+	0,0,0, 
+	0,0,0,
+	zones.in_type, zones.input,
+	zones.out_type, zones.output,
+	0,0,0
+	FROM REMOTE.zones;
+
+-- ~ ************
+-- ~ ** keyData table
+-- ~ **
+-- ~ ** 
+-- ~ **
+-- ~ **
+-- ~ ************
+
+-- Temporary mapping table between 1.4 states and 2.0 ds_at_parent states
+-- We are ignoring the fact this may set a DS state for a ZSK; We don't care
+CREATE TABLE mapping (
+	state INTEGER,
+	ds_state INTEGER
+);
+INSERT INTO mapping SELECT  1, 0;
+INSERT INTO mapping SELECT  2, 0;
+INSERT INTO mapping SELECT  3, 1;
+INSERT INTO mapping SELECT  4, 3;
+INSERT INTO mapping SELECT  5, 5;
+INSERT INTO mapping SELECT  6, 5;
+INSERT INTO mapping SELECT  7, 5;
+INSERT INTO mapping SELECT  8, 5;
+INSERT INTO mapping SELECT  9, 5;
+INSERT INTO mapping SELECT 10, 5;
+
+INSERT INTO keyData
+SELECT 
+	NULL, 1, REMOTE.dnsseckeys.zone_id,
+	REMOTE.dnsseckeys.keypair_id, REMOTE.keypairs.algorithm,
+	CASE WHEN REMOTE.dnsseckeys.publish IS NOT NULL THEN 
+		strftime('%s', REMOTE.dnsseckeys.publish) 
+		ELSE strftime("%s", "now") END, 
+	(~REMOTE.dnsseckeys.keytype&1)+1,
+	REMOTE.dnsseckeys.state <= 4, -- introducing
+	0, -- should revoke, not used
+	0, -- standby
+	REMOTE.dnsseckeys.state  = 4 AND REMOTE.dnsseckeys.keytype = 256, --activeZSK: 
+	REMOTE.dnsseckeys.state >= 2 AND REMOTE.dnsseckeys.state <= 5, --publish
+	REMOTE.dnsseckeys.state  = 4 AND REMOTE.dnsseckeys.keytype = 257, --activeKSK: 
+	mapping.ds_state, --dsatparent
+	1<<16, --keytag (crap, will 2.0 regenerate this?)
+	(REMOTE.dnsseckeys.keytype&1)*3+1 --minimize
+FROM REMOTE.dnsseckeys
+JOIN REMOTE.keypairs 
+	ON REMOTE.dnsseckeys.keypair_id = REMOTE.keypairs.id
+JOIN mapping 
+	ON REMOTE.dnsseckeys.state = mapping.state
+WHERE EXISTS(select REMOTE.zones.id FROM REMOTE.zones WHERE REMOTE.zones.id = REMOTE.dnsseckeys.zone_id);
+
+-- Everything that is just a ZSK must not have dsatparent set.
+UPDATE keyData
+SET dsatparent = 0
+WHERE role = 2;
+
+DROP TABLE mapping;
+
+-- If a active time is set for a ready KSK dsAtParent is submitted 
+-- instead of submit
+UPDATE keyData
+SET dsatparent = 2
+WHERE keyData.dsAtParent = 1 AND keyData.id IN (
+	SELECT keyData.id
+	FROM keyData
+	JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+	WHERE REMOTE.dnsseckeys.active IS NOT NULL);
+
+
+-- ~ ************
+-- ~ ** Keystate table
+-- ~ **
+-- ~ ** 
+-- ~ **
+-- ~ **
+-- ~ ************
+
+CREATE TABLE mapping (
+	state INTEGER,
+	ds INTEGER,
+	dk INTEGER,
+	ks INTEGER,
+	rs INTEGER
+);
+INSERT INTO mapping SELECT  1, 0, 0, 0, 0;
+INSERT INTO mapping SELECT  2, 0, 1, 1, 1;
+INSERT INTO mapping SELECT  3, 0, 2, 2, 1;
+INSERT INTO mapping SELECT  4, 2, 2, 2, 1;
+INSERT INTO mapping SELECT  5, 3, 2, 2, 3;
+INSERT INTO mapping SELECT  6, 0, 3, 3, 0;
+INSERT INTO mapping SELECT  7, 3, 0, 0, 0;
+INSERT INTO mapping SELECT  8, 3, 0, 0, 0;
+INSERT INTO mapping SELECT  9, 3, 0, 0, 0;
+INSERT INTO mapping SELECT 10, 3, 0, 0, 0;
+
+-- DS RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 0, mapping.ds, strftime("%s", "now"), (keyData.minimize>>2)&1, policy.parentDsTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+UPDATE keyState
+SET state = 1
+WHERE keyState.state = 0 AND keyState.type = 0 AND keyState.id IN (
+	SELECT keyState.id
+	FROM keyState
+	JOIN keyData
+		ON keyData.id = keyState.keydataId
+	JOIN REMOTE.dnsseckeys
+		ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+	WHERE REMOTE.dnsseckeys.active IS NOT NULL);
+
+-- DNSKEY RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 2, mapping.dk, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+-- RRSIG DNSKEY RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 3, mapping.ks, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+-- RRSIG RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 1, mapping.rs, strftime("%s", "now"), (keyData.minimize>>0)&1, policy.signaturesMaxZoneTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+--Set to OMN if Tactive + Dttl < Tnow
+UPDATE keyState
+SET state = 2
+WHERE keyState.state = 1 AND keyState.type = 1 AND keyState.id IN (
+        SELECT keyState.id
+        FROM keyState
+        JOIN keyData
+                ON keyData.id = keyState.keydataId
+        JOIN REMOTE.dnsseckeys
+                ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+        JOIN zone
+                ON keyData.zoneId = zone.id
+        JOIN policy
+                ON policy.id = zone.policyId
+        WHERE CAST(strftime("%s", REMOTE.dnsseckeys.active) + policy.signaturesValidityDefault as INTEGER) < strftime("%s", "now"));
+
+--Force the RRSIG state in omnipresent if rumoured and there is no old ZSK
+-- unretentive
+UPDATE keyState 
+SET state = 2
+WHERE keyState.id IN (
+SELECT rs.id FROM keyState AS rs 
+JOIN keystate AS dk ON dk.keyDataId == rs.keyDataId
+WHERE rs.type == 1 AND dk.type == 2 AND rs.state == 1 AND dk.state == 2
+AND NOT EXISTS(
+	SELECT* FROM keystate AS rs2
+	JOIN keystate AS dk2 ON dk2.keyDataId == rs2.keyDataId
+	WHERE rs2.type == 1 AND dk2.type == 2 AND rs2.state == 3 AND dk2.state == 2
+));
+
+DROP TABLE mapping;
+
+-- We need to create records in the keydependency table in case we are in a
+-- rollover. Only done for ZSK. For every introducing ZSK with RRSIG rumoured
+-- that has an outroducing ZSK with RRSIG unretentive, we add a record.
+INSERT INTO keyDependency
+SELECT NULL, 0, keyData.zoneID, SUB.IDout, keyData.id, 1
+FROM keyData
+JOIN keyState AS KS1 
+	ON KS1.keyDataId == keyData.id
+JOIN keyState AS KS2 
+	ON KS2.keyDataId == keyData.id
+JOIN (
+	SELECT keyData.id AS IDout, keyData.zoneID 
+	FROM keyData
+	JOIN keyState AS KS1 
+		ON KS1.keyDataId == keyData.id
+	JOIN keyState AS KS2 
+		ON KS2.keyDataId == keyData.id
+	WHERE KS1.type == 2 
+		AND ks1.state = 2 
+		AND KS2.type == 1 
+		AND KS2.state == 3
+		AND keyData.introducing == 0 
+		AND keyData.role == 2
+) AS SUB
+	ON SUB.zoneId == keyData.zoneId
+WHERE 
+	KS1.type == 2 
+	AND ks1.state = 2 
+	AND KS2.type == 1 
+	AND KS2.state == 1
+	AND keyData.introducing == 1 
+	AND keyData.role == 2;
+
+-- ZSK
+UPDATE keyState
+SET state = 4
+WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN (
+	SELECT keyData.id
+	FROM keyData
+	WHERE keyData.role = 2);
+
+--KSK
+UPDATE keyState
+SET state = 4
+WHERE keyState.type = 1 AND keyDataId IN (
+	SELECT keyData.id
+	FROM keyData
+	WHERE keyData.role = 1);
+
+-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
+CREATE TABLE rpm_migration (
+        major INTEGER,
+        minor INTEGER
+);
+INSERT INTO rpm_migration VALUES(2, 1);
+
--- a/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql
+++ b/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql
@ -0,0 +1,7 @@
+-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
+CREATE TABLE rpm_migration (
+        major INTEGER,
+        minor INTEGER
+);
+INSERT INTO rpm_migration VALUES(2, 1);
+
--- a/SOURCES/opendnssec-c99-2.patch
+++ b/SOURCES/opendnssec-c99-2.patch
@ -0,0 +1,20 @@
+commit 5422819c17c02e6069328b2f5e4bef6fe5c179df
+Author: Mathieu Mirmont <mat@parad0x.org>
+Date:   Sun Dec 1 17:57:36 2019 +0100
+
+    enforcer: remove remove strptime build warning
+
+diff --git a/enforcer/src/daemon/time_leap_cmd.c b/enforcer/src/daemon/time_leap_cmd.c
+index f1ee21b87529c136..5baef1b6ff7c4cc2 100644
+--- a/enforcer/src/daemon/time_leap_cmd.c
+++ b/enforcer/src/daemon/time_leap_cmd.c
+@@ -26,8 +26,8 @@
+  *
+  */
+ 
+-#include <getopt.h>
+ #include "config.h"
+#include <getopt.h>
+ 
+ #include "file.h"
+ #include "duration.h"
--- a/SOURCES/opendnssec-configure-c99.patch
+++ b/SOURCES/opendnssec-configure-c99.patch
@ -0,0 +1,45 @@
+Include <unistd.h> for the setresuid and setresgid functions,
+to avoid an implicit function declaration.
+
+Submitted upstream: <https://github.com/opendnssec/opendnssec/pull/843>
+
+diff --git a/configure b/configure
+index bf515cde3d4fab71..52d2885d6a6ef546 100755
+--- a/configure
+++ b/configure
+@@ -21101,6 +21101,7 @@ else
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+@@ -21143,6 +21144,7 @@ else
+   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h.  */
+ 
+#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+diff --git a/m4/acx_broken_setres.m4 b/m4/acx_broken_setres.m4
+index 374cee0b0b8ef196..467db9170a319170 100644
+--- a/m4/acx_broken_setres.m4
+++ b/m4/acx_broken_setres.m4
+@@ -4,6 +4,7 @@ AC_DEFUN([ACX_BROKEN_SETRES],[
+ 		AC_MSG_CHECKING(if setresuid seems to work)
+ 		AC_RUN_IFELSE(
+ 			[AC_LANG_SOURCE([[
+#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+@@ -20,6 +21,7 @@ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
+ 		AC_MSG_CHECKING(if setresgid seems to work)
+ 		AC_RUN_IFELSE(
+ 			[AC_LANG_SOURCE([[
+#include <unistd.h>
+ #include <stdlib.h>
+ #include <errno.h>
+ int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);}
--- a/SOURCES/opendnssec-implicit-declarations.patch
+++ b/SOURCES/opendnssec-implicit-declarations.patch
@ -0,0 +1,48 @@
+From 7060607ef359162d5b0aef62a4b8440fd42c9d28 Mon Sep 17 00:00:00 2001
+From: Yaakov Selkowitz <yselkowi@redhat.com>
+Date: Tue, 26 Dec 2023 14:09:12 -0500
+Subject: [PATCH] Fix implicit function declarations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+utils/kaspcheck.c:101:33: error: implicit declaration of function ‘exit’
+utils/kaspcheck.c:136:17: error: implicit declaration of function ‘free’
+utils/kc_helper.c:47:40: error: implicit declaration of function ‘free’
+utils/kc_helper.c:519:85: error: implicit declaration of function ‘atoi’
+utils/kc_helper.c:569:83: error: implicit declaration of function ‘malloc’
+utils/kc_helper.c:1122:28: error: implicit declaration of function ‘strtol’
+utils/kc_helper.c:1274:25: error: implicit declaration of function ‘exit’
+utils/kc_helper.c:1375:21: error: implicit declaration of function ‘calloc’
+---
+ enforcer/src/utils/kaspcheck.c | 1 +
+ enforcer/src/utils/kc_helper.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/enforcer/src/utils/kaspcheck.c b/enforcer/src/utils/kaspcheck.c
+index 9bac3b796..b3b808598 100644
+--- a/enforcer/src/utils/kaspcheck.c
+++ b/enforcer/src/utils/kaspcheck.c
+@@ -26,6 +26,7 @@
+ #define _GNU_SOURCE
+ #include <stdio.h>
+ #include <getopt.h>
+#include <stdlib.h>
+ #include <string.h>
+ #include <syslog.h>
+ 
+diff --git a/enforcer/src/utils/kc_helper.c b/enforcer/src/utils/kc_helper.c
+index 89e56c61e..e1704f6f9 100644
+--- a/enforcer/src/utils/kc_helper.c
+++ b/enforcer/src/utils/kc_helper.c
+@@ -27,6 +27,7 @@
+ #include <syslog.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+#include <stdlib.h>
+ #include <string.h>
+ #include <sys/stat.h>
+ #include <errno.h>
+-- 
+2.43.0
+
--- a/SOURCES/opendnssec.cron
+++ b/SOURCES/opendnssec.cron
@ -0,0 +1,4 @@
+# Ensure multiple ods-enforcerd's on different system roll at the same time
+# independant of when the daemon was started. Since TLDs often update their
+# zone "on the hour" we do the key rollover checks just before the hour.
+50,20 * * * * root test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null
--- a/SOURCES/tmpfiles-opendnssec.conf
+++ b/SOURCES/tmpfiles-opendnssec.conf
@ -0,0 +1 @@
+D /run/opendnssec 0755 ods ods -
--- a/SPECS/opendnssec.spec
+++ b/SPECS/opendnssec.spec
@ -0,0 +1,476 @@
+%global prever rc1
+%global _hardened_build 1
+
+Summary: DNSSEC key and zone management software
+Name: opendnssec
+Version: 2.1.14
+Release: 0.2rc1%{?dist}
+License: BSD-2-Clause
+Url: http://www.opendnssec.org/
+Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
+Source10: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz.sig
+Source1: ods-enforcerd.service
+Source2: ods-signerd.service
+Source3: ods.sysconfig
+Source4: conf.xml
+Source5: tmpfiles-opendnssec.conf
+Source6: opendnssec.cron
+Source7: opendnssec-2.1.sqlite_convert.sql
+Source8: opendnssec-2.1.sqlite_rpmversion.sql
+Patch1: 0001-Pass-right-remaining-buffer-size-in-hsm_hex_unparse-.patch
+Patch2: opendnssec-configure-c99.patch
+Patch3: opendnssec-2.1.14rc1-gcc14.patch
+Patch4: opendnssec-c99-2.patch
+Patch5: opendnssec-implicit-declarations.patch
+
+Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
+Requires: libxml2, libxslt sqlite
+BuildRequires: make
+BuildRequires:  gcc
+BuildRequires: ldns-devel >= 1.6.12, sqlite-devel >= 3.0.0, openssl-devel
+BuildRequires: libxml2-devel CUnit-devel, doxygen
+# It tests for pkill/killall and would use /bin/false if not found
+BuildRequires: procps-ng
+BuildRequires: perl-interpreter
+BuildRequires: libmicrohttpd-devel jansson-devel libyaml-devel
+
+BuildRequires: systemd-units
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+%if 0%{?prever:1}
+# For building development snapshots
+Buildrequires: autoconf, automake, libtool
+%ifarch %{java_arches}
+Buildrequires: java
+%endif
+%endif
+
+%description
+OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
+It secures zone data just before it is published in an authoritative
+name server. It requires a PKCS#11 crypto module library, such as softhsm
+
+%prep
+%setup -q -n %{name}-%{version}%{?prever}
+%patch -P1 -p1
+%patch -P2 -p1
+%patch -P3 -p1
+%patch -P4 -p1
+%patch -P5 -p1
+
+# Prevent re-running autoconf.
+touch -r aclocal.m4 configure* m4/*
+
+# bump default policy ZSK keysize to 2048
+sed -i "s/1024/2048/" conf/kasp.xml.in
+
+%build
+export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
+export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
+export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+%if 0%{?prever:1}
+# for development snapshots
+autoreconf
+%endif
+%configure --with-ldns=%{_libdir}
+%make_build
+
+%check
+# Requires sample db not shipped with upstream
+# make check
+
+%install
+rm -rf %{buildroot}
+%make_install
+mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf,enforcer}
+install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
+install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
+rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
+install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig
+install -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
+install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
+mkdir -p %{buildroot}%{_tmpfilesdir}/
+install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
+mkdir -p %{buildroot}%{_datadir}/opendnssec/
+cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
+cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
+# fixup path for mysql/sqlite. Use our replacement sqlite_convert.sql to detect previous migration
+cp -a %{SOURCE7} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql
+cp -a %{SOURCE8} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
+sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
+sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
+sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+
+
+%files
+%{_unitdir}/ods-enforcerd.service
+%{_unitdir}/ods-signerd.service
+%config(noreplace) %{_tmpfilesdir}/opendnssec.conf
+%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
+%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer
+%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
+%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
+%doc NEWS README.md
+%license LICENSE
+%{_mandir}/*/*
+%{_sbindir}/*
+%{_bindir}/*
+%attr(0755,root,root) %dir %{_datadir}/opendnssec
+%{_datadir}/opendnssec/*
+
+%pre
+getent group ods >/dev/null || groupadd -r ods
+getent passwd ods >/dev/null || \
+useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
+-c "opendnssec daemon account" ods
+exit 0
+
+%post
+# Initialise a slot on the softhsm on first install
+if [ "$1" -eq 1 ]; then
+   %{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \
+                --free --label "OpenDNSSEC" --pin 1234 --so-pin 1234
+   if [ ! -s %{_localstatedir}/opendnssec/kasp.db ]; then
+      echo y | %{_sbindir}/ods-enforcer-db-setup
+      %{_bindir}/sqlite3 -batch %{_localstatedir}/opendnssec/kasp.db < %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
+   fi
+
+elif [ -z "$(%{_bindir}/sqlite3 %{_localstatedir}/opendnssec/kasp.db 'select * from rpm_migration;')" ]; then
+   # Migrate version 1.4 db to version 2.1 db
+   if [ -e %{_localstatedir}/opendnssec/rpm-migration-in-progress ]; then
+      echo "previous (partial?) migration found - human intervention is needed"
+   else
+      echo "opendnssec 1.4 database found, migrating to 2.x"
+      touch %{_localstatedir}/opendnssec/rpm-migration-in-progress
+      mv -n %{_localstatedir}/opendnssec/kasp.db %{_localstatedir}/opendnssec/kasp.db-1.4
+      echo "migrating conf.xml from 1.4 to 2.1 schema"
+      cp -n %{_sysconfdir}/opendnssec/conf.xml %{_sysconfdir}/opendnssec/conf.xml-1.4
+      # fixup incompatibilities inflicted upon us by upstream :(
+      sed -i "/<Interval>.*Interval>/d" %{_sysconfdir}/opendnssec/conf.xml
+      echo "Converting kasp.db"
+      ERR=""
+      %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite -i %{_localstatedir}/opendnssec/kasp.db-1.4 -o %{_localstatedir}/opendnssec/kasp.db || ERR="convert_sqlite error"
+      chown ods.ods %{_localstatedir}/opendnssec/kasp.db
+      cp -n %{_sysconfdir}/opendnssec/zonelist.xml %{_localstatedir}/opendnssec/enforcer/zones.xml
+      if [ -z "$ERR" ]; then
+         echo "calling ods-migrate"
+         ods-migrate || ERR="ods-migrate failed"
+         if [ -z "$ERR" ]; then
+            echo "opendnssec 1.4 to 2.x migration completed"
+            rm %{_localstatedir}/opendnssec/rpm-migration-in-progress
+         else
+            echo "ods-migrate process failed - human intervention is needed"
+         fi
+      else
+         echo "%{_localstatedir}/opendnssec/kasp.db conversion failed - not calling ods-migrate to complete migration. human intervention is needed"
+      fi
+   fi
+fi
+
+# in case we update any xml conf file
+ods-enforcer update all >/dev/null 2>/dev/null ||:
+
+%systemd_post ods-enforcerd.service
+%systemd_post ods-signerd.service
+
+%preun
+%systemd_preun ods-enforcerd.service
+%systemd_preun ods-signerd.service
+
+%postun
+%systemd_postun_with_restart ods-enforcerd.service
+%systemd_postun_with_restart ods-signerd.service
+
+%changelog
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.1.14-0.2rc1
+- Bump release for June 2024 mass rebuild
+
+* Thu Feb 08 2024 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.14-0.1rc1
+- Upstream release 2.1.14RC1
+- Fix build with gcc 14
+- Resolves: rhbz#2261421
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Feb 24 2023 Florian Weimer <fweimer@redhat.com> - 2.1.10-6
+- Port to C99
+
+* Mon Jan 30 2023 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.10-5
+- Fix fortification issues leading to crash in FreeIPA setup
+  Upstream PR: https://github.com/opendnssec/opendnssec/pull/842
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Oct 18 2021 François Cami <fcami@redhat.com> - 2.1.10-1
+- Update to 2.1.10 (rhbz#2003250).
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.1.9-3
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jul 06 2021 François Cami <fcami@redhat.com> - 2.1.9-1
+- Update to 2.1.9 (rhbz#1956561). Solves OPENDNSSEC-955 and OPENDNSSEC-956.
+- Known issue: OPENDNSSEC-957: Signer daemon stops with failure exit code even when no error occured.
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.1.8-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Sat Feb 20 2021 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 2.1.8-1
+- Update to 2.1.8 (#1931143)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Dec 19 10:13:50 PST 2020 awilliam@redhat.com - 2.1.7-3
+- Rebuild for libldns soname bump
+
+* Tue Dec  8 21:09:23 EST 2020 Paul Wouters <pwouters@redhat.com> - 2.1.7-2
+- Resolves rhbz#1826233 ods-enforcerd.service should wait until socket is ready
+
+* Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.7-1
+- Upstream release 2.1.7
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.6-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 2.1.6-7
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Thu May 28 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-6
+- Resolves: rhbz#1833718 ods-signerd.service missing .service
+
+* Mon Apr 20 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-5
+- Resolves: rhbz#1825812 AVC avc: denied { dac_override } for comm="ods-enforcerd
+
+* Wed Mar 11 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-4
+- Fix migration check to not attempt to check on first install with no db
+
+* Tue Mar 03 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.6-3
+- Create and manage /var/opendnssec/enforcer directory
+- Resolves rhbz#1809492
+
+* Wed Feb 19 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-2
+- Update to 2.1.6 (major upgrade, supports migration from 1.4.x)
+- gcc10 compile fixups
+- Fix trying to use unversioned libsqlite3.so file
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Dec 12 2017 Paul Wouters <pwouters@redhat.com> - 1.4.14-1
+- Update to 1.4.14 as first steop to migrating to 2.x
+- Resolves: rhbz#1413254 Move tmpfiles.d config to %%{_tmpfilesdir}, install LICENSE as %%license
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 1.4.9-5
+- Fix FTBFS (#1424019) in order to rebuild against new ldns
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 18 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-3
+- Resolves: rbz#1303965 upgrade to opendnssec-1.4.9-1.fc23 breaks old installations
+- On initial install, after token init, also run ods-ksmutil setup
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Feb 01 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-1
+- Updated to 1.4.9
+- Removed merged in patch
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 09 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-2
+- Resolves rhbz#1219746 ods-signerd.service misplaced After= in section Service
+- Resolves rhbz#1220443 OpenDNSSEC fails to initialise a slot in softhsm on first install
+
+* Tue Dec 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.7-1
+- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd)
+
+* Wed Oct 15 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-4
+- Change /etc/opendnssec to be ods group writable
+
+* Wed Oct 08 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-3
+- Added Petr Spacek's patch that adds the config option <AllowExtraction/> (rhbz#1123354)
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Mon Jul 28 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-1
+- Updated to 1.4.6
+- Removed incorporated patch upstream
+- Remove Wants= from ods-signerd.service (rhbz#1098205)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Apr 18 2014 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
+- Updated to 1.4.5
+- Added patch for serial 0 bug in XFR adapter
+
+* Tue Apr 01 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-3
+- Add buildrequires for ods-kasp2html (rhbz#1073313)
+
+* Sat Mar 29 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-2
+- Add requires for ods-kasp2html (rhbz#1073313)
+
+* Thu Mar 27 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-1
+- Updated to 1.4.4 (compatibility with non RFC 5155 errata 3441)
+- Change the default ZSK policy from 1024 to 2048 bit RSA keys
+- Fix post to be quiet when upgrading opendnssec
+
+* Thu Jan 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.3-1
+- Updated to 1.4.3 (rhel#1048449) - minor bugfixes, minor feature enhancements
+- rhel#1025985 OpenDNSSEC signer cannot be started due to a typo in service file
+
+* Wed Sep 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.2-1
+- Updated to 1.4.2, bugfix release
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Jun 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.1-1
+- Updated to 1.4.1. NSEC3 handling and serial number handling fixes
+- Add BuildRequire for systemd-units
+
+* Sat May 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-1
+- Updated to 1.4.0
+
+* Fri Apr 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-0.8.rc3
+- Updated to 1.4.0rc3
+- Enabled hardened compile, full relzo/pie
+
+* Fri Jan 25 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.7.rc2
+- Updated to 1.4.0rc2, which includes svn r6952
+
+* Fri Jan 18 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.6.rc1
+- Updated to 1.4.0rc1
+- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)
+
+* Tue Dec 18 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.5.b2
+- Updated to 1.4.0b2
+- All patches have been merged upstream
+- cron job should be marked as config file
+
+* Tue Oct 30 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.4.b1
+- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
+- Change RRSIG inception offset to -2h to avoid possible
+  daylight saving issues on resolvers
+- Patch to prevent removal of occluded data
+
+* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.3.b1
+- Just an EVR fix to the proper standard
+- Cleanup of spec file
+- Introduce new systemd-rpm macros (rhbz#850242)
+
+* Wed Sep 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.b1.1
+- Updated to 1.4.0b1
+- Patch for NSEC3PARAM TTL
+- Cron job to assist narrowing ods-enforcerd timing differences
+
+* Wed Aug 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a3.1
+- Updated to 1.4.0a3
+- Patch to more aggressively try to resign
+- Patch to fix locking issue eating up cpu
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.0-0.a2.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jun 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a2.1
+- Updated to 1.4.0a2
+- ksm-utils patch for ods-ksmutil to die sooner when it can't lock
+  the HSM.
+
+* Wed May 16 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.3
+- Patch for crasher with deleted RRsets and NSEC3/OPTOUT chains
+
+* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.2
+- Added opendnssec LICENSE file from trunk (Thanks Jakob!)
+
+* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.1
+- Fix macros in comment
+- Added missing -m to install target
+
+* Sun Mar 25 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1
+- The 1.4.x branch no longer needs ruby, as the auditor has been removed
+- Added missing openssl-devel BuildRequire
+- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind
+
+* Fri Feb 24 2012 Paul Wouters <pwouters@redhat.com> - 1.3.6-3
+- Requires rubygem-soap4r when using ruby-1.9
+- Don't ghost /var/run/opendnssec
+- Converted initd to systemd
+
+* Thu Nov 24 2011 root - 1.3.2-6
+- Added rubygem-dnsruby requires as rpm does not pick it up automatically
+
+* Tue Nov 22 2011 root - 1.3.2-5
+- Added /var/opendnssec/signconf/ /as this temp dir is needed
+
+* Mon Nov 21 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-4
+- Added /var/opendnssec/signed/ as this is the default output dir
+
+* Sun Nov 20 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-3
+- Add ods user for opendnssec tasks
+- Added initscripts and services for ods-signerd and ods-enforcerd
+- Initialise OpenDNSSEC softhsm token on first install
+
+* Wed Oct 05 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-1
+- Updated to 1.3.2
+- Added dependancies on opencryptoki and softhsm
+- Don't install duplicate unreadable .sample files
+- Fix upstream conf.xml to point to actually used library paths
+
+* Thu Mar  3 2011 Paul Wouters <paul@xelerance.com> - 1.2.0-1
+- Initial package for Fedora