diff --git a/opendnssec-1.4.13-openssl1.1.patch b/opendnssec-1.4.13-openssl1.1.patch
new file mode 100644
index 0000000..44da95d
--- /dev/null
+++ b/opendnssec-1.4.13-openssl1.1.patch
@@ -0,0 +1,95 @@
+From e2bbb899195ea98b6b5f6c972ab764a53b387789 Mon Sep 17 00:00:00 2001
+From: Yuri Schaeffer <yuri@nlnetlabs.nl>
+Date: Fri, 4 Nov 2016 15:35:06 +0100
+Subject: [PATCH] HMAC_CTX_init deprecated in openssl-1.1.0
+
+---
+ m4/acx_ssl.m4                  | 12 +++++++++---
+ signer/src/Makefile.am         |  4 ++--
+ signer/src/wire/tsig-openssl.c | 15 ++++++++++++---
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/m4/acx_ssl.m4 b/m4/acx_ssl.m4
+index 1dc6e40..3d64626 100644
+--- a/m4/acx_ssl.m4
++++ b/m4/acx_ssl.m4
+@@ -35,12 +35,18 @@ AC_DEFUN([ACX_SSL], [
+             if test x_$ssldir = x_/usr/sfw; then
+                 SSL_LIBS="$SSL_LIBS -R$ssldir/lib";
+             fi
+-            AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
+-                    AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+-            ])
++            AC_CHECK_LIB(crypto, HMAC_CTX_reset, [
++                    AC_DEFINE_UNQUOTED([HAVE_SSL_NEW_HMAC], [], [Define if you have the SSL libraries with new HMAC related functions.])
++                    SSL_LIBS="$SSL_LIBS -lcrypto";
++            ], [
++                    AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
++                            AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
++                    ])
++            ] )
+             AC_CHECK_FUNCS([EVP_sha1 EVP_sha256])
+         fi
+         AC_SUBST(HAVE_SSL)
++        AC_SUBST(HAVE_SSL_NEW_HMAC)
+         AC_SUBST(SSL_INCLUDES)
+         AC_SUBST(SSL_LIBS)
+     fi
+diff --git a/signer/src/Makefile.am b/signer/src/Makefile.am
+index 60e8877..b39eac8 100644
+--- a/signer/src/Makefile.am
++++ b/signer/src/Makefile.am
+@@ -133,7 +133,7 @@ ods_signer_SOURCES=		ods-signer.c \
+ 				wire/xfrd.c wire/xfrd.h
+ 
+ ods_signer_LDADD=		$(LIBHSM)
+-ods_signer_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
++ods_signer_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@ @SSL_LIBS@ 
+ ods_signer_LDADD+=		$(LIBCOMPAT)
+ 
+ ods_getconf_SOURCES=		ods-getconf.c \
+@@ -193,5 +193,5 @@ ods_getconf_SOURCES=		ods-getconf.c \
+ 				wire/xfrd.c wire/xfrd.h
+ 
+ ods_getconf_LDADD=		$(LIBHSM)
+-ods_getconf_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
++ods_getconf_LDADD+=		@SSL_LIBS@ @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ ods_getconf_LDADD+=		$(LIBCOMPAT)
+diff --git a/signer/src/wire/tsig-openssl.c b/signer/src/wire/tsig-openssl.c
+index c26b1e7..24fd342 100644
+--- a/signer/src/wire/tsig-openssl.c
++++ b/signer/src/wire/tsig-openssl.c
+@@ -131,8 +131,11 @@ static void
+ cleanup_context(void *data)
+ {
+     HMAC_CTX* context = (HMAC_CTX*) data;
++#ifdef HAVE_SSL_NEW_HMAC
++    HMAC_CTX_free(context);
++#else
+     HMAC_CTX_cleanup(context);
+-    return;
++#endif
+ }
+ 
+ static void
+@@ -155,9 +158,15 @@ context_add_cleanup(void* context)
+ static void*
+ create_context(allocator_type* allocator)
+ {
+-    HMAC_CTX* context = (HMAC_CTX*) allocator_alloc(allocator,
+-        sizeof(HMAC_CTX));
++    HMAC_CTX* context;
++#ifdef HAVE_SSL_NEW_HMAC
++    context = HMAC_CTX_new();
++    if (!context) return NULL;
++    HMAC_CTX_reset(context);
++#else
++    context = (HMAC_CTX*) allocator_alloc(allocator, sizeof(HMAC_CTX));
+     HMAC_CTX_init(context);
++#endif
+     context_add_cleanup(context);
+     return context;
+ }
+-- 
+2.9.3
+
diff --git a/opendnssec.spec b/opendnssec.spec
index eca5759..57e32da 100644
--- a/opendnssec.spec
+++ b/opendnssec.spec
@@ -4,7 +4,7 @@
 Summary: DNSSEC key and zone management software
 Name: opendnssec
 Version: 1.4.9
-Release: 4%{?prever}%{?dist}
+Release: 5%{?prever}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
@@ -15,6 +15,9 @@ Source4: conf.xml
 Source5: tmpfiles-opendnssec.conf
 Source6: opendnssec.cron
 
+# https://github.com/opendnssec/opendnssec/commit/cc8f1a06c8e1e8e62107fb70e5291e952fe22eb1
+Patch0:  opendnssec-1.4.13-openssl1.1.patch
+
 Group: Applications/System
 Requires: opencryptoki, softhsm, systemd-units
 Requires: libxml2, libxslt sqlite
@@ -25,6 +28,8 @@ BuildRequires: procps-ng
 BuildRequires: perl
 
 BuildRequires: systemd-units
+# needed only for Patch0, remove this in the future
+Buildrequires: autoconf, automake, libtool
 Requires(pre): shadow-utils
 Requires(post): systemd-units
 Requires(preun): systemd-units
@@ -41,6 +46,8 @@ name server. It requires a PKCS#11 crypto module library, such as softhsm
 
 %prep
 %setup -q -n %{name}-%{version}%{?prever}
+%patch0 -p1 -b .openssl110
+autoreconf -iv .
 # bump default policy ZSK keysize to 2048
 sed -i "s/1024/2048/" conf/kasp.xml.in
 
@@ -129,6 +136,9 @@ ods-ksmutil update all >/dev/null 2>/dev/null ||:
 %systemd_postun_with_restart ods-signerd.service
 
 %changelog
+* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 1.4.9-5
+- Fix FTBFS (#1424019) in order to rebuild against new ldns
+
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild