diff --git a/.gitignore b/.gitignore
index e69de29..94829cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,18 @@
+/opendnssec-1.4.0a1.tar.gz
+/opendnssec-1.4.0a2.tar.gz
+/opendnssec-1.4.0b1.tar.gz
+/opendnssec-1.4.0b2.tar.gz
+/opendnssec-1.4.0rc1.tar.gz
+/opendnssec-1.4.0rc2.tar.gz
+/opendnssec-1.4.0rc3.tar.gz
+/opendnssec-1.4.0.tar.gz
+/opendnssec-1.4.1.tar.gz
+/opendnssec-1.4.2.tar.gz
+/opendnssec-1.4.3.tar.gz
+/opendnssec-1.4.4.tar.gz
+/opendnssec-1.4.5.tar.gz
+/opendnssec-1.4.6.tar.gz
+/opendnssec-1.4.7.tar.gz
+/opendnssec-1.4.9.tar.gz
+/opendnssec-1.4.14.tar.gz
+/opendnssec-2.1.6.tar.gz
diff --git a/conf.xml b/conf.xml
new file mode 100644
index 0000000..8b42a62
--- /dev/null
+++ b/conf.xml
@@ -0,0 +1,87 @@
+
+
+
+
+
+
+
+ /usr/lib64/softhsm/libsofthsm.so
+ OpenDNSSEC
+ 1234
+
+
+
+
+
+
+
+
+
+ local0
+
+
+ /etc/opendnssec/kasp.xml
+ /etc/opendnssec/zonelist.xml
+
+
+
+
+
+
+ ods
+ ods
+
+
+ /var/opendnssec/kasp.db
+
+
+
+
+
+
+
+
+
+ ods
+ ods
+
+
+ /var/opendnssec/tmp
+ 4
+
+
+
+
+
+
+
+
+
diff --git a/ods-enforcerd.init b/ods-enforcerd.init
new file mode 100644
index 0000000..c131e77
--- /dev/null
+++ b/ods-enforcerd.init
@@ -0,0 +1,106 @@
+#!/bin/bash
+#
+# ods-enforcerd: Starts the OpenDNSSEC Enforcer Daemon
+#
+# chkconfig: - 13 87
+# description: ods-enforcerd is the OpenDNSSEC DNSSEC policy enforcer daemon
+# processname: /usr/sbin/ods-enforcerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-enforcerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart| OpenDNSSEC Enforcer Daemon
+# Description: control OpenDNSSEC enforcer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_ENFORCERD_CONF="/etc/opendnssec/conf.xml"
+ODS_ENFORCERD_OPT=""
+ODS_ENFORCERD_PROG="/usr/sbin/ods-enforcerd"
+ODS_ENFORCERD_PIDFILE="/var/run/opendnssec/enforcerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+ # Source networking configuration.
+ [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+ # Check that networking is up
+ [ "${NETWORKING}" = "no" ] && exit 1
+
+ # Sanity checks.
+ [ -f $ODS_ENFORCERD_CONF ] || exit 5
+ [ -x $ODS_ENFORCERD_PROG ] || exit 5
+ # /var/run could (and should) be tmpfs
+ [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+ echo -n $"Starting ods-enforcerd:"
+ $ODS_ENFORCERD_PROG -c $ODS_ENFORCERD_CONF $ODS_ENFORCERD_OPT
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ]; then
+ touch /var/lock/subsys/ods-enforcerd;
+ success
+ echo
+ else
+ failure
+ echo
+ exit 7;
+ fi
+ return 0;
+}
+
+stop() {
+ echo -n $"Stopping ods-enforcerd: "
+ killproc -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+ retval=$?
+ if [ $retval -eq 0 ] ; then
+ rm -f $ODS_ENFORCERD_PIDFILE
+ rm -f /var/lock/subsys/ods-enforcerd
+ success
+ else
+ failure
+ fi
+ echo
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ restart
+ ;;
+ condrestart)
+ [ -f /var/lock/subsys/ods-enforcerd ] && restart || :
+ ;;
+ status)
+ status -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+ exit 1
+esac
+
+exit $?
diff --git a/ods-enforcerd.service b/ods-enforcerd.service
new file mode 100644
index 0000000..0a3d95b
--- /dev/null
+++ b/ods-enforcerd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenDNSSEC Enforcer daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/enforcerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ods-signerd.init b/ods-signerd.init
new file mode 100644
index 0000000..4e3289d
--- /dev/null
+++ b/ods-signerd.init
@@ -0,0 +1,112 @@
+#!/bin/bash
+#
+# ods-signerd: Starts the OpenDNSSEC Signer Daemon
+#
+# chkconfig: - 13 87
+# description: ods-signerd is the OpenDNSSEC DNSSEC zone signer daemon
+# processname: /usr/sbin/ods-signerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-signerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart|reload|force-reload OpenDNSSEC Signer Daemon
+# Description: control OpenDNSSEC signer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_SIGNERD_CONF="/etc/opendnssec/conf.xml"
+ODS_SIGNERD_OPT=""
+ODS_SIGNERD_PROG="/usr/sbin/ods-signerd"
+ODS_SIGNER_PROG="/usr/sbin/ods-signer"
+ODS_SIGNERD_PIDFILE="/var/run/opendnssec/signerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+ # Source networking configuration.
+ [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+ # Check that networking is up
+ [ "${NETWORKING}" = "no" ] && exit 1
+
+ # Sanity checks.
+ [ -f $ODS_SIGNERD_CONF ] || exit 5
+ [ -x $ODS_SIGNERD_PROG ] || exit 5
+ # /var/run could (and should) be tmpfs
+ [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+ echo -n $"Starting ods-signerd:"
+# ods-signerd is lying about supporting -c conf.file option :(
+# $ODS_SIGNERD_PROG -c $ODS_SIGNERD_CONF $ODS_SIGNERD_OPT
+ $ODS_SIGNERD_PROG $ODS_SIGNERD_OPT
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ]; then
+ touch /var/lock/subsys/ods-signerd;
+ success
+ echo
+ else
+ failure
+ echo
+ exit 7;
+ fi
+ return 0;
+}
+
+stop() {
+ echo -n $"Stopping ods-signerd: "
+ #$ODS_SIGNER_PROG -c $ODS_SIGNERD_CONF stop
+ # seems that this loses our settings :(
+ /usr/sbin/ods-signer stop
+ RETVAL=$?
+ [ "$RETVAL" -eq 0 ] || killproc $ODS_SIGNERD_PROG -TERM >/dev/null 2>&1
+ if [ $RETVAL -eq 0 ] ; then
+ rm -f $ODS_SIGNERD_PIDFILE
+ rm -f /var/lock/subsys/ods-signerd
+ success
+ else
+ failure
+ fi
+ echo
+ return $RETVAL
+}
+
+restart() {
+ stop
+ start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ restart
+ ;;
+ condrestart)
+ [ -f /var/lock/subsys/ods-signerd ] && restart || :
+ ;;
+ status)
+ status -p $ODS_SIGNERD_PIDFILE $ODS_SIGNERD_PROG
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+ exit 1
+esac
+
+exit $?
diff --git a/ods-signerd.service b/ods-signerd.service
new file mode 100644
index 0000000..49b50b5
--- /dev/null
+++ b/ods-signerd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenDNSSEC signer daemon
+After=syslog.target network.target ods-enforcerd.service
+
+[Service]
+Type=simple
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/signerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ods.sysconfig b/ods.sysconfig
new file mode 100644
index 0000000..1cf67f2
--- /dev/null
+++ b/ods.sysconfig
@@ -0,0 +1,2 @@
+ODS_SIGNERD_OPT=""
+ODS_ENFORCERD_OPT=""
diff --git a/opendnssec-1.4.13-openssl1.1.patch b/opendnssec-1.4.13-openssl1.1.patch
new file mode 100644
index 0000000..44da95d
--- /dev/null
+++ b/opendnssec-1.4.13-openssl1.1.patch
@@ -0,0 +1,95 @@
+From e2bbb899195ea98b6b5f6c972ab764a53b387789 Mon Sep 17 00:00:00 2001
+From: Yuri Schaeffer
+Date: Fri, 4 Nov 2016 15:35:06 +0100
+Subject: [PATCH] HMAC_CTX_init deprecated in openssl-1.1.0
+
+---
+ m4/acx_ssl.m4 | 12 +++++++++---
+ signer/src/Makefile.am | 4 ++--
+ signer/src/wire/tsig-openssl.c | 15 ++++++++++++---
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/m4/acx_ssl.m4 b/m4/acx_ssl.m4
+index 1dc6e40..3d64626 100644
+--- a/m4/acx_ssl.m4
++++ b/m4/acx_ssl.m4
+@@ -35,12 +35,18 @@ AC_DEFUN([ACX_SSL], [
+ if test x_$ssldir = x_/usr/sfw; then
+ SSL_LIBS="$SSL_LIBS -R$ssldir/lib";
+ fi
+- AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
+- AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+- ])
++ AC_CHECK_LIB(crypto, HMAC_CTX_reset, [
++ AC_DEFINE_UNQUOTED([HAVE_SSL_NEW_HMAC], [], [Define if you have the SSL libraries with new HMAC related functions.])
++ SSL_LIBS="$SSL_LIBS -lcrypto";
++ ], [
++ AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
++ AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
++ ])
++ ] )
+ AC_CHECK_FUNCS([EVP_sha1 EVP_sha256])
+ fi
+ AC_SUBST(HAVE_SSL)
++ AC_SUBST(HAVE_SSL_NEW_HMAC)
+ AC_SUBST(SSL_INCLUDES)
+ AC_SUBST(SSL_LIBS)
+ fi
+diff --git a/signer/src/Makefile.am b/signer/src/Makefile.am
+index 60e8877..b39eac8 100644
+--- a/signer/src/Makefile.am
++++ b/signer/src/Makefile.am
+@@ -133,7 +133,7 @@ ods_signer_SOURCES= ods-signer.c \
+ wire/xfrd.c wire/xfrd.h
+
+ ods_signer_LDADD= $(LIBHSM)
+-ods_signer_LDADD+= @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
++ods_signer_LDADD+= @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@ @SSL_LIBS@
+ ods_signer_LDADD+= $(LIBCOMPAT)
+
+ ods_getconf_SOURCES= ods-getconf.c \
+@@ -193,5 +193,5 @@ ods_getconf_SOURCES= ods-getconf.c \
+ wire/xfrd.c wire/xfrd.h
+
+ ods_getconf_LDADD= $(LIBHSM)
+-ods_getconf_LDADD+= @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
++ods_getconf_LDADD+= @SSL_LIBS@ @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ ods_getconf_LDADD+= $(LIBCOMPAT)
+diff --git a/signer/src/wire/tsig-openssl.c b/signer/src/wire/tsig-openssl.c
+index c26b1e7..24fd342 100644
+--- a/signer/src/wire/tsig-openssl.c
++++ b/signer/src/wire/tsig-openssl.c
+@@ -131,8 +131,11 @@ static void
+ cleanup_context(void *data)
+ {
+ HMAC_CTX* context = (HMAC_CTX*) data;
++#ifdef HAVE_SSL_NEW_HMAC
++ HMAC_CTX_free(context);
++#else
+ HMAC_CTX_cleanup(context);
+- return;
++#endif
+ }
+
+ static void
+@@ -155,9 +158,15 @@ context_add_cleanup(void* context)
+ static void*
+ create_context(allocator_type* allocator)
+ {
+- HMAC_CTX* context = (HMAC_CTX*) allocator_alloc(allocator,
+- sizeof(HMAC_CTX));
++ HMAC_CTX* context;
++#ifdef HAVE_SSL_NEW_HMAC
++ context = HMAC_CTX_new();
++ if (!context) return NULL;
++ HMAC_CTX_reset(context);
++#else
++ context = (HMAC_CTX*) allocator_alloc(allocator, sizeof(HMAC_CTX));
+ HMAC_CTX_init(context);
++#endif
+ context_add_cleanup(context);
+ return context;
+ }
+--
+2.9.3
+
diff --git a/opendnssec-1.4.5-serial0.patch b/opendnssec-1.4.5-serial0.patch
new file mode 100644
index 0000000..b587e04
--- /dev/null
+++ b/opendnssec-1.4.5-serial0.patch
@@ -0,0 +1,13 @@
+diff -Naur opendnssec-1.4.5-orig/signer/src/adapter/addns.c opendnssec-1.4.5/signer/src/adapter/addns.c
+--- opendnssec-1.4.5-orig/signer/src/adapter/addns.c 2014-03-25 06:45:44.000000000 +0000
++++ opendnssec-1.4.5/signer/src/adapter/addns.c 2014-04-18 16:26:39.079974120 +0000
+@@ -243,7 +243,8 @@
+ tmp_serial =
+ ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
+ old_serial = adapi_get_serial(zone);
+- if (!util_serial_gt(tmp_serial, old_serial)) {
++ if (!util_serial_gt(tmp_serial, old_serial)
++ && zone->db->is_initialized) {
+ ods_log_info("[%s] zone %s is already up to date, have "
+ "serial %u, got serial %u", adapter_str, zone->name,
+ old_serial, tmp_serial);
diff --git a/opendnssec-1.4.6-extract.patch b/opendnssec-1.4.6-extract.patch
new file mode 100644
index 0000000..6213d38
--- /dev/null
+++ b/opendnssec-1.4.6-extract.patch
@@ -0,0 +1,168 @@
+commit 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37
+Author: Petr Spacek
+Date: Fri Jul 18 16:19:36 2014 +0200
+
+ add libhsm configuration option
+
+ This option allows user to generate private keys with CKA_EXTRACTABLE
+ flag set to TRUE. Defaults to FALSE.
+
+diff --git a/NEWS b/NEWS
+index 4db7038..2efa176 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,8 @@
++* Enforcer: New repository option allows to generate keys
++ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
++ and extracted from HSM.
++
++
+ OpenDNSSEC 1.4.6 - 2014-07-21
+
+ * Signer Engine: Print secondary server address when logging notify reply
+diff --git a/conf/conf.rnc b/conf/conf.rnc
+index 71d527f..65f837e 100644
+--- a/conf/conf.rnc
++++ b/conf/conf.rnc
+@@ -50,7 +50,10 @@ start = element Configuration {
+ element RequireBackup { empty }?,
+
+ # Do not maintain public keys in the repository (optional)
+- element SkipPublicKey { empty }?
++ element SkipPublicKey { empty }?,
++
++ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
++ element AllowExtraction { empty }?
+ }*
+ },
+
+diff --git a/conf/conf.xml.in b/conf/conf.xml.in
+index 0ef2ab9..0536681 100644
+--- a/conf/conf.xml.in
++++ b/conf/conf.xml.in
+@@ -9,6 +9,9 @@
+ OpenDNSSEC
+ 1234
+
++
+
+
+
++
++
++
++
+
+
+
diff --git a/opendnssec-1.4.7-extract.patch b/opendnssec-1.4.7-extract.patch
new file mode 100644
index 0000000..2b96715
--- /dev/null
+++ b/opendnssec-1.4.7-extract.patch
@@ -0,0 +1,156 @@
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc
+--- opendnssec-1.4.7-orig/conf/conf.rnc 2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.rnc 2014-12-08 22:49:16.100212010 -0500
+@@ -50,7 +50,10 @@
+ element RequireBackup { empty }?,
+
+ # Do not maintain public keys in the repository (optional)
+- element SkipPublicKey { empty }?
++ element SkipPublicKey { empty }?,
++
++ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
++ element AllowExtraction { empty }?
+ }*
+ },
+
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng
+--- opendnssec-1.4.7-orig/conf/conf.rng 2014-12-04 10:18:39.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.rng 2014-12-08 22:49:16.105212137 -0500
+@@ -71,6 +71,12 @@
+
+
+
++
++
++
++
++
++
+
+
+
+diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in
+--- opendnssec-1.4.7-orig/conf/conf.xml.in 2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.xml.in 2014-12-08 22:49:16.101212036 -0500
+@@ -9,6 +9,9 @@
+ OpenDNSSEC
+ 1234
+
++
+
+
+