import opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362

.gitignore

@@ -1 +1 @@
-SOURCES/opendnssec-1.4.14.tar.gz
+SOURCES/opendnssec-2.1.6.tar.gz

.opendnssec.metadata

@@ -1 +1 @@
-3ac11d815572750f604707f87d68db7d593d2e86 SOURCES/opendnssec-1.4.14.tar.gz
+3aca59010c2067578ede0dbc216f15d70f9447e9 SOURCES/opendnssec-2.1.6.tar.gz

SOURCES/conf.xml

@@ -48,7 +48,6 @@
 		</Privileges>
 
 		<Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
-		<Interval>PT3600S</Interval>
 		<!-- <ManualKeyGeneration/> -->
 		<!-- <RolloverNotification>P14D</RolloverNotification> -->
 		

SOURCES/ods-enforcerd.service

@@ -4,9 +4,13 @@ After=syslog.target network.target
 
 [Service]
 Type=forking
-PIDFile=/var/run/opendnssec/enforcerd.pid
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/enforcerd.pid
 EnvironmentFile=-/etc/sysconfig/ods
 ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
+ExecStartPost=/bin/bash -c 'while [ ! -S /run/opendnssec/enforcer.sock ]; do sleep 1; echo "Waiting for socket"; done'
+TimeoutStartSec=20
 
 [Install]
 WantedBy=multi-user.target

SOURCES/ods-signerd.service

@@ -4,7 +4,9 @@ After=syslog.target network.target ods-enforcerd
 
 [Service]
 Type=simple
-PIDFile=/var/run/opendnssec/signerd.pid
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/signerd.pid
 EnvironmentFile=-/etc/sysconfig/ods
 ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
 

SOURCES/opendnssec-2.1.6-sqlite.patch

@@ -0,0 +1,21 @@
+diff --git a/enforcer/src/ods-migrate.c b/enforcer/src/ods-migrate.c
+index aece5058a..c440a36af 100644
+--- a/enforcer/src/ods-migrate.c
++++ b/enforcer/src/ods-migrate.c
+@@ -97,10 +97,13 @@ dblayer_sqlite3_initialize(void)
+     char const *error;
+ 
+     dlerror();
+-    handle = dlopen("libsqlite3.so", RTLD_NOW);
++    handle = dlopen("libsqlite3.so.0", RTLD_NOW);
+     if ((error = dlerror()) != NULL) {
+-	    printf("Failed to load sqlite3 library. dlerror(): %s\n", error);
+-	    exit(1);
++          handle = dlopen("libsqlite3.so", RTLD_NOW); /* unversioned is a -devel package file on some distros */
++          if ((error = dlerror()) != NULL) {
++             printf("Failed to load sqlite3 library. dlerror(): %s\n", error);
++             exit(1);
++          }
+     }
+ 
+     dblayer_sqlite3.sqlite3_prepare_v2 = (int(*)(sqlite3*, const char*, int, sqlite3_stmt**, const char **))functioncast(dlsym(handle, "sqlite3_prepare_v2"));

SOURCES/opendnssec-2.1.sqlite_convert.sql

@@ -0,0 +1,842 @@
+INSERT INTO databaseVersion VALUES (NULL, 1, 1);
+
+-- ~ ************
+-- ~ ** policy table
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO policy 
+SELECT id, 1, name, description,
+0, 0, 0,
+0, 0, 0, 0,
+86400, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0
+FROM REMOTE.policies;
+
+UPDATE policy
+SET signaturesResign = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'resign');
+
+UPDATE policy
+SET signaturesRefresh = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'refresh') ;
+
+UPDATE policy
+SET signaturesJitter = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'jitter');
+
+UPDATE policy
+SET signaturesInceptionOffset = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'clockskew');
+
+UPDATE policy
+SET signaturesValidityDefault = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'valdefault');
+
+UPDATE policy
+SET signaturesValidityDenial = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'valdenial');
+
+--MaxZoneTTL default 86400
+
+-- We need the following mapping 1.4 -> 2.0 for denialType
+-- 0 -> 1
+-- 3 -> 0
+
+UPDATE policy
+SET denialType = (
+	SELECT (~value)&1
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'version');
+
+-- I'm pretty sure this is not the correct way to do it. It is aweful but
+-- I can't figure it out how it would work for sqlite.
+UPDATE policy
+SET denialOptout = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'optout')
+WHERE null !=  (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'optout');
+
+UPDATE policy
+SET denialTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'ttl')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET denialResalt = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'resalt')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'resalt');
+
+UPDATE policy
+SET denialAlgorithm = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'algorithm')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'algorithm');
+
+UPDATE policy
+SET denialIterations = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'iterations')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'iterations');
+
+UPDATE policy
+SET denialSaltLength = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'saltlength')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'saltlength');
+
+-- clumsy salt update. salt is optional in 1.4 but required in 2.0
+-- sqlite is limited in what it can do in an update. I hope there is a
+-- better way for this?
+
+UPDATE policy
+SET denialSalt = (
+	SELECT salt
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id)
+WHERE (
+	SELECT salt
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id) != null;
+
+UPDATE policy
+SET denialSaltLastChange = (
+	SELECT salt_stamp
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id)
+WHERE (
+	SELECT salt_stamp
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id) != null;
+
+UPDATE policy
+SET keysTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET keysRetireSafety = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'retiresafety');
+
+UPDATE policy
+SET keysPublishSafety = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'publishsafety');
+
+UPDATE policy
+SET keysShared = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'zones_share_keys');
+
+UPDATE policy
+SET keysPurgeAfter = COALESCE((
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'purge'), 0);
+
+UPDATE policy
+SET zonePropagationDelay = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'propagationdelay');
+
+UPDATE policy
+SET zoneSoaTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET zoneSoaMinimum = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'min');
+
+-- Temporary mapping table between 1.4 and 2.0 SOA serial strategy
+CREATE TABLE mapping (
+	soa14 INTEGER,
+	soa20 INTEGER
+);
+INSERT INTO mapping SELECT  1, 2;
+INSERT INTO mapping SELECT  2, 0;
+INSERT INTO mapping SELECT  3, 1;
+INSERT INTO mapping SELECT  4, 3;
+
+UPDATE policy
+SET zoneSoaSerial = (
+	SELECT mapping.soa20
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+        INNER JOIN mapping
+        ON REMOTE.parameters_policies.value = mapping.soa14
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'serial');
+
+DROP TABLE mapping;
+
+-- parentRegistrationDelay = 0 on 1.4
+
+UPDATE policy
+SET parentPropagationDelay = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'propagationdelay');
+
+UPDATE policy
+SET parentDsTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'ttlds');
+
+UPDATE policy
+SET parentSoaTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET parentSoaMinimum = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'min');
+
+-- passthrough = 0
+
+-- ~ ************
+-- ~ ** policyKey table
+-- ~ **
+-- ~ ** For each policy in 1.4 add two keys: KSK and ZSK
+-- ~ **
+-- ~ **
+-- ~ ************
+
+-- Insert each KSK
+INSERT INTO policyKey
+SELECT null, 1, id,
+		1, 0, 0,
+		0, 0, 0,
+		0, 0, 4
+FROM REMOTE.policies;
+
+-- Insert each ZSK
+INSERT INTO policyKey
+SELECT null, 1, id,
+		2, 0, 0,
+		0, 0, 0,
+		0, 0, 1
+FROM REMOTE.policies;
+
+UPDATE policyKey
+SET algorithm = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'algorithm')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET algorithm = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'algorithm')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET bits = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'bits')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET bits = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'bits')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET lifetime = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'lifetime')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET lifetime = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'lifetime')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET repository = (
+	SELECT REMOTE.securitymodules.name
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	INNER JOIN REMOTE.securitymodules
+	ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'repository')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET repository = (
+	SELECT REMOTE.securitymodules.name
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	INNER JOIN REMOTE.securitymodules
+	ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'repository')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET standby = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'standby')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET standby = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'standby')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET manualRollover = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'manual_rollover')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET manualRollover = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'manual_rollover')
+WHERE policyKey.role = 2;
+
+-- rfc5011 = 0. 2.0 has no support
+-- minimize already set
+
+-- ~ ************
+-- ~ ** hsmKey table
+-- ~ **
+-- ~ ** get from keypairs and dnsseckeys
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO hsmKey
+SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
+REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size, 
+REMOTE.keypairs.algorithm,  (~(REMOTE.dnsseckeys.keytype)&1)+1, 
+CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN 
+	strftime('%s', REMOTE.keypairs.generate) 
+	ELSE strftime("%s", "now") END, 
+0, 
+1, --only RSA supported
+ REMOTE.securitymodules.name, 
+0 --assume no backup 
+FROM REMOTE.keypairs
+JOIN REMOTE.dnsseckeys 
+	ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
+JOIN REMOTE.securitymodules 
+	ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
+
+-- For some policies put the keys in a shared state
+UPDATE hsmKey 
+SET state = 3
+WHERE EXISTS 
+	(SELECT * FROM hsmKey AS h 
+	JOIN policy ON policy.id = h.policyId 
+	WHERE policy.keysShared AND hsmKey.id = h.id);
+
+-- ~ ************
+-- ~ ** zone table
+-- ~ **
+-- ~ ** 
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO zone
+SELECT zones.id, 1, zones.policy_id, 
+	zones.name, 1, zones.signconf, 0,  
+	0,0,0, 
+	0,0,0,
+	zones.in_type, zones.input,
+	zones.out_type, zones.output,
+	0,0,0
+	FROM REMOTE.zones;
+
+-- ~ ************
+-- ~ ** keyData table
+-- ~ **
+-- ~ ** 
+-- ~ **
+-- ~ **
+-- ~ ************
+
+-- Temporary mapping table between 1.4 states and 2.0 ds_at_parent states
+-- We are ignoring the fact this may set a DS state for a ZSK; We don't care
+CREATE TABLE mapping (
+	state INTEGER,
+	ds_state INTEGER
+);
+INSERT INTO mapping SELECT  1, 0;
+INSERT INTO mapping SELECT  2, 0;
+INSERT INTO mapping SELECT  3, 1;
+INSERT INTO mapping SELECT  4, 3;
+INSERT INTO mapping SELECT  5, 5;
+INSERT INTO mapping SELECT  6, 5;
+INSERT INTO mapping SELECT  7, 5;
+INSERT INTO mapping SELECT  8, 5;
+INSERT INTO mapping SELECT  9, 5;
+INSERT INTO mapping SELECT 10, 5;
+
+INSERT INTO keyData
+SELECT 
+	NULL, 1, REMOTE.dnsseckeys.zone_id,
+	REMOTE.dnsseckeys.keypair_id, REMOTE.keypairs.algorithm,
+	CASE WHEN REMOTE.dnsseckeys.publish IS NOT NULL THEN 
+		strftime('%s', REMOTE.dnsseckeys.publish) 
+		ELSE strftime("%s", "now") END, 
+	(~REMOTE.dnsseckeys.keytype&1)+1,
+	REMOTE.dnsseckeys.state <= 4, -- introducing
+	0, -- should revoke, not used
+	0, -- standby
+	REMOTE.dnsseckeys.state  = 4 AND REMOTE.dnsseckeys.keytype = 256, --activeZSK: 
+	REMOTE.dnsseckeys.state >= 2 AND REMOTE.dnsseckeys.state <= 5, --publish
+	REMOTE.dnsseckeys.state  = 4 AND REMOTE.dnsseckeys.keytype = 257, --activeKSK: 
+	mapping.ds_state, --dsatparent
+	1<<16, --keytag (crap, will 2.0 regenerate this?)
+	(REMOTE.dnsseckeys.keytype&1)*3+1 --minimize
+FROM REMOTE.dnsseckeys
+JOIN REMOTE.keypairs 
+	ON REMOTE.dnsseckeys.keypair_id = REMOTE.keypairs.id
+JOIN mapping 
+	ON REMOTE.dnsseckeys.state = mapping.state
+WHERE EXISTS(select REMOTE.zones.id FROM REMOTE.zones WHERE REMOTE.zones.id = REMOTE.dnsseckeys.zone_id);
+
+-- Everything that is just a ZSK must not have dsatparent set.
+UPDATE keyData
+SET dsatparent = 0
+WHERE role = 2;
+
+DROP TABLE mapping;
+
+-- If a active time is set for a ready KSK dsAtParent is submitted 
+-- instead of submit
+UPDATE keyData
+SET dsatparent = 2
+WHERE keyData.dsAtParent = 1 AND keyData.id IN (
+	SELECT keyData.id
+	FROM keyData
+	JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+	WHERE REMOTE.dnsseckeys.active IS NOT NULL);
+
+
+-- ~ ************
+-- ~ ** Keystate table
+-- ~ **
+-- ~ ** 
+-- ~ **
+-- ~ **
+-- ~ ************
+
+CREATE TABLE mapping (
+	state INTEGER,
+	ds INTEGER,
+	dk INTEGER,
+	ks INTEGER,
+	rs INTEGER
+);
+INSERT INTO mapping SELECT  1, 0, 0, 0, 0;
+INSERT INTO mapping SELECT  2, 0, 1, 1, 1;
+INSERT INTO mapping SELECT  3, 0, 2, 2, 1;
+INSERT INTO mapping SELECT  4, 2, 2, 2, 1;
+INSERT INTO mapping SELECT  5, 3, 2, 2, 3;
+INSERT INTO mapping SELECT  6, 0, 3, 3, 0;
+INSERT INTO mapping SELECT  7, 3, 0, 0, 0;
+INSERT INTO mapping SELECT  8, 3, 0, 0, 0;
+INSERT INTO mapping SELECT  9, 3, 0, 0, 0;
+INSERT INTO mapping SELECT 10, 3, 0, 0, 0;
+
+-- DS RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 0, mapping.ds, strftime("%s", "now"), (keyData.minimize>>2)&1, policy.parentDsTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+UPDATE keyState
+SET state = 1
+WHERE keyState.state = 0 AND keyState.type = 0 AND keyState.id IN (
+	SELECT keyState.id
+	FROM keyState
+	JOIN keyData
+		ON keyData.id = keyState.keydataId
+	JOIN REMOTE.dnsseckeys
+		ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+	WHERE REMOTE.dnsseckeys.active IS NOT NULL);
+
+-- DNSKEY RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 2, mapping.dk, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+-- RRSIG DNSKEY RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 3, mapping.ks, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+-- RRSIG RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 1, mapping.rs, strftime("%s", "now"), (keyData.minimize>>0)&1, policy.signaturesMaxZoneTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+--Set to OMN if Tactive + Dttl < Tnow
+UPDATE keyState
+SET state = 2
+WHERE keyState.state = 1 AND keyState.type = 1 AND keyState.id IN (
+        SELECT keyState.id
+        FROM keyState
+        JOIN keyData
+                ON keyData.id = keyState.keydataId
+        JOIN REMOTE.dnsseckeys
+                ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+        JOIN zone
+                ON keyData.zoneId = zone.id
+        JOIN policy
+                ON policy.id = zone.policyId
+        WHERE CAST(strftime("%s", REMOTE.dnsseckeys.active) + policy.signaturesValidityDefault as INTEGER) < strftime("%s", "now"));
+
+--Force the RRSIG state in omnipresent if rumoured and there is no old ZSK
+-- unretentive
+UPDATE keyState 
+SET state = 2
+WHERE keyState.id IN (
+SELECT rs.id FROM keyState AS rs 
+JOIN keystate AS dk ON dk.keyDataId == rs.keyDataId
+WHERE rs.type == 1 AND dk.type == 2 AND rs.state == 1 AND dk.state == 2
+AND NOT EXISTS(
+	SELECT* FROM keystate AS rs2
+	JOIN keystate AS dk2 ON dk2.keyDataId == rs2.keyDataId
+	WHERE rs2.type == 1 AND dk2.type == 2 AND rs2.state == 3 AND dk2.state == 2
+));
+
+DROP TABLE mapping;
+
+-- We need to create records in the keydependency table in case we are in a
+-- rollover. Only done for ZSK. For every introducing ZSK with RRSIG rumoured
+-- that has an outroducing ZSK with RRSIG unretentive, we add a record.
+INSERT INTO keyDependency
+SELECT NULL, 0, keyData.zoneID, SUB.IDout, keyData.id, 1
+FROM keyData
+JOIN keyState AS KS1 
+	ON KS1.keyDataId == keyData.id
+JOIN keyState AS KS2 
+	ON KS2.keyDataId == keyData.id
+JOIN (
+	SELECT keyData.id AS IDout, keyData.zoneID 
+	FROM keyData
+	JOIN keyState AS KS1 
+		ON KS1.keyDataId == keyData.id
+	JOIN keyState AS KS2 
+		ON KS2.keyDataId == keyData.id
+	WHERE KS1.type == 2 
+		AND ks1.state = 2 
+		AND KS2.type == 1 
+		AND KS2.state == 3
+		AND keyData.introducing == 0 
+		AND keyData.role == 2
+) AS SUB
+	ON SUB.zoneId == keyData.zoneId
+WHERE 
+	KS1.type == 2 
+	AND ks1.state = 2 
+	AND KS2.type == 1 
+	AND KS2.state == 1
+	AND keyData.introducing == 1 
+	AND keyData.role == 2;
+
+-- ZSK
+UPDATE keyState
+SET state = 4
+WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN (
+	SELECT keyData.id
+	FROM keyData
+	WHERE keyData.role = 2);
+
+--KSK
+UPDATE keyState
+SET state = 4
+WHERE keyState.type = 1 AND keyDataId IN (
+	SELECT keyData.id
+	FROM keyData
+	WHERE keyData.role = 1);
+
+-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
+CREATE TABLE rpm_migration (
+        major INTEGER,
+        minor INTEGER
+);
+INSERT INTO rpm_migration VALUES(2, 1);
+

SOURCES/opendnssec-2.1.sqlite_rpmversion.sql

@@ -0,0 +1,7 @@
+-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
+CREATE TABLE rpm_migration (
+        major INTEGER,
+        minor INTEGER
+);
+INSERT INTO rpm_migration VALUES(2, 1);
+

SOURCES/tmpfiles-opendnssec.conf

@@ -1 +1 @@
-D /var/run/opendnssec 0755 ods ods -
+D /run/opendnssec 0755 ods ods -

SPECS/opendnssec.spec

@@ -3,8 +3,8 @@
 
 Summary: DNSSEC key and zone management software
 Name: opendnssec
-Version: 1.4.14
-Release: 1%{?prever}%{?dist}
+Version: 2.1.6
+Release: 2%{?prever}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
@@ -14,15 +14,21 @@ Source3: ods.sysconfig
 Source4: conf.xml
 Source5: tmpfiles-opendnssec.conf
 Source6: opendnssec.cron
+Source7: opendnssec-2.1.sqlite_convert.sql
+Source8: opendnssec-2.1.sqlite_rpmversion.sql
 
-Group: Applications/System
-Requires: opencryptoki, softhsm, systemd-units
+Patch1: opendnssec-2.1.6-gcc10-fixups.patch
+Patch2: opendnssec-2.1.6-sqlite.patch
+
+Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
 Requires: libxml2, libxslt sqlite
-BuildRequires: ldns-devel >= 1.6.12, sqlite-devel , openssl-devel
+BuildRequires:  gcc
+BuildRequires: ldns-devel >= 1.6.12, sqlite-devel >= 3.0.0, openssl-devel
 BuildRequires: libxml2-devel CUnit-devel, doxygen
 # It tests for pkill/killall and would use /bin/false if not found
 BuildRequires: procps-ng
 BuildRequires: perl-interpreter
+BuildRequires: libmicrohttpd-devel jansson-devel libyaml-devel
 
 BuildRequires: systemd-units
 Requires(pre): shadow-utils
@@ -30,7 +36,7 @@ Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
 %if 0%{?prever:1}
-#For building snapshots
+# For building development snapshots
 Buildrequires: autoconf, automake, libtool, java
 %endif
 
@@ -43,11 +49,17 @@ name server. It requires a PKCS#11 crypto module library, such as softhsm
 %setup -q -n %{name}-%{version}%{?prever}
 # bump default policy ZSK keysize to 2048
 sed -i "s/1024/2048/" conf/kasp.xml.in
+%patch1 -p1
+%patch2 -p1
 
 %build
-export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
-export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
-export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+#export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
+#export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
+#export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+%if 0%{?prever:1}
+# for development snapshots
+sh ./autogen.sh
+%endif
 %configure --with-ldns=%{_libdir}
 make %{?_smp_mflags}
 
@@ -58,7 +70,7 @@ make %{?_smp_mflags}
 %install
 rm -rf %{buildroot}
 make DESTDIR=%{buildroot} install
-mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf}
+mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf,enforcer}
 install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
 install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
 rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
@@ -71,7 +83,18 @@ install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
 mkdir -p %{buildroot}%{_tmpfilesdir}/
 install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
 mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
-cp enforcer/utils/migrate_1_4_8.sqlite3 %{buildroot}%{_datadir}/%{name}/
+mkdir -p %{buildroot}%{_datadir}/opendnssec/
+cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
+cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
+# fixup path for mysql/sqlite. Use our replacement sqlite_convert.sql to detect previous migration
+cp -a %{SOURCE7} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql
+cp -a %{SOURCE8} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
+sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
+sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
+sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+
 
 %files
 %{_unitdir}/ods-enforcerd.service
@@ -82,6 +105,7 @@ cp enforcer/utils/migrate_1_4_8.sqlite3 %{buildroot}%{_datadir}/%{name}/
 %attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
 %attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed
 %attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer
 %attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
 %attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
@@ -91,8 +115,8 @@ cp enforcer/utils/migrate_1_4_8.sqlite3 %{buildroot}%{_datadir}/%{name}/
 %{_mandir}/*/*
 %{_sbindir}/*
 %{_bindir}/*
-%attr(0755,root,root) %dir %{_datadir}/%{name}
-%{_datadir}/%{name}/*
+%attr(0755,root,root) %dir %{_datadir}/opendnssec
+%{_datadir}/opendnssec/*
 
 %pre
 getent group ods >/dev/null || groupadd -r ods
@@ -105,19 +129,47 @@ exit 0
 # Initialise a slot on the softhsm on first install
 if [ "$1" -eq 1 ]; then
    %{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \
-                --slot 0 --label "OpenDNSSEC" --pin 1234 --so-pin 1234
-   if [ ! -s %{_localstatedir}opendnssec/kasp.db ]; then
-      echo y | %{_bindir}/ods-ksmutil setup
+                --free --label "OpenDNSSEC" --pin 1234 --so-pin 1234
+   if [ ! -s %{_localstatedir}/opendnssec/kasp.db ]; then
+      echo y | %{_sbindir}/ods-enforcer-db-setup
+      %{_bindir}/sqlite3 -batch %{_localstatedir}/opendnssec/kasp.db < %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
+   fi
+
+elif [ -z "$(%{_bindir}/sqlite3 %{_localstatedir}/opendnssec/kasp.db 'select * from rpm_migration;')" ]; then
+   # Migrate version 1.4 db to version 2.1 db
+   if [ -e %{_localstatedir}/opendnssec/rpm-migration-in-progress ]; then
+      echo "previous (partial?) migration found - human intervention is needed"
+   else
+      echo "opendnssec 1.4 database found, migrating to 2.x"
+      touch %{_localstatedir}/opendnssec/rpm-migration-in-progress
+      mv -n %{_localstatedir}/opendnssec/kasp.db %{_localstatedir}/opendnssec/kasp.db-1.4
+      echo "migrating conf.xml from 1.4 to 2.1 schema"
+      cp -n %{_sysconfdir}/opendnssec/conf.xml %{_sysconfdir}/opendnssec/conf.xml-1.4
+      # fixup incompatibilities inflicted upon us by upstream :(
+      sed -i "/<Interval>.*Interval>/d" %{_sysconfdir}/opendnssec/conf.xml
+      echo "Converting kasp.db"
+      ERR=""
+      %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite -i %{_localstatedir}/opendnssec/kasp.db-1.4 -o %{_localstatedir}/opendnssec/kasp.db || ERR="convert_sqlite error"
+      chown ods.ods %{_localstatedir}/opendnssec/kasp.db
+      cp -n %{_sysconfdir}/opendnssec/zonelist.xml %{_localstatedir}/opendnssec/enforcer/zones.xml
+      if [ -z "$ERR" ]; then
+         echo "calling ods-migrate"
+         ods-migrate || ERR="ods-migrate failed"
+         if [ -z "$ERR" ]; then
+            echo "opendnssec 1.4 to 2.x migration completed"
+            rm %{_localstatedir}/opendnssec/rpm-migration-in-progress
+         else
+            echo "ods-migrate process failed - human intervention is needed"
+         fi
+      else
+         echo "%{_localstatedir}/opendnssec/kasp.db conversion failed - not calling ods-migrate to complete migration. human intervention is needed"
+      fi
    fi
 fi
 
-# Migrate version 3 db to version 4 db
-if [ "`%{_bindir}/sqlite3 %{_localstatedir}/%{name}/kasp.db 'select version from dbadmin;'`" != "4" ]; then
-   %{_bindir}/sqlite3 %{_localstatedir}/%{name}/kasp.db < %{_datadir}/%{name}/migrate_1_4_8.sqlite3
-fi
-
 # in case we update any xml conf file
-ods-ksmutil update all >/dev/null 2>/dev/null ||:
+ods-enforcer update all >/dev/null 2>/dev/null ||:
+
 %systemd_post ods-enforcerd.service
 %systemd_post ods-signerd.service
 
@@ -130,6 +182,12 @@ ods-ksmutil update all >/dev/null 2>/dev/null ||:
 %systemd_postun_with_restart ods-signerd.service
 
 %changelog
+* Fri May 08 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-2
+- Resolves: rhbz#1831732 AVC avc: denied { dac_override } for comm="ods-enforcerd
+
+* Wed Apr 15 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-1
+- Resolves: rhbz#1759888 Rebase OpenDNSSEC to 2.1
+
 * Tue Dec 12 2017 Paul Wouters <pwouters@redhat.com> - 1.4.14-1
 - Update to 1.4.14 as first steop to migrating to 2.x
 - Resolves: rhbz#1413254 Move tmpfiles.d config to %%{_tmpfilesdir}, install LICENSE as %%license