diff --git a/.gitignore b/.gitignore
index 1469b59..cb8e425 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /opendnssec-1.4.0b2.tar.gz
 /opendnssec-1.4.0rc1.tar.gz
 /opendnssec-1.4.0rc2.tar.gz
+/opendnssec-1.4.0rc3.tar.gz
diff --git a/opendnssec.spec b/opendnssec.spec
index a5d7c5c..c59bdb6 100644
--- a/opendnssec.spec
+++ b/opendnssec.spec
@@ -1,8 +1,10 @@
-%global prever rc2
+%global prever rc3
+%global _hardened_build 1
+
 Summary: DNSSEC key and zone management software
 Name: opendnssec
 Version: 1.4.0
-Release: 0.7.%{?prever}%{?dist}
+Release: 0.8.%{?prever}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
@@ -37,6 +39,9 @@ name server. It requires a PKCS#11 crypto module library, such as softhsm
 %setup -q -n %{name}-%{version}%{?prever}
 
 %build
+export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
+export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
 %configure --with-ldns=%{_libdir}
 make %{?_smp_mflags}
 
@@ -111,6 +116,10 @@ fi
 %systemd_postun_with_restart ods-signerd.service
 
 %changelog
+* Fri Apr 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-0.8.rc3
+- Updated to 1.4.0rc3
+- Enabled hardened compile, full relzo/pie
+
 * Fri Jan 25 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.7.rc2
 - Updated to 1.4.0rc2, which includes svn r6952
 
diff --git a/sources b/sources
index a502c90..dd596f0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b9f39643c1f7cee1cd53ff3a5386ea63  opendnssec-1.4.0rc2.tar.gz
+f3a7e52f0a4c644e4200ec5a1c6b67cf  opendnssec-1.4.0rc3.tar.gz