commit cf068d63a24190ad050e9de6ccc73445e933ddbb
Author: James Antill <jantill@redhat.com>
Date:   Mon Feb 20 01:58:10 2023 -0500

    Import rpm: d0dd4952a8c2e7fe867eef12fb525e55e6eeb5fc

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..783b970
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/opendnssec-2.1.7.tar.gz
diff --git a/conf.xml b/conf.xml
new file mode 100644
index 0000000..8b42a62
--- /dev/null
+++ b/conf.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<Configuration>
+
+	<RepositoryList>
+
+		<Repository name="SoftHSM">
+			<Module>/usr/lib64/softhsm/libsofthsm.so</Module>
+			<TokenLabel>OpenDNSSEC</TokenLabel>
+			<PIN>1234</PIN>
+<!--
+			# Disabled so it stores the public key in the HSM too,
+			# so bind's dnssec-signzone can be used as well
+			<SkipPublicKey/>
+-->
+		</Repository>
+
+<!--
+		<Repository name="sca6000">
+			<Module>/usr/lib64/opencryptoki/PKCS11_API.so</Module>
+			<TokenLabel>Sun Metaslot</TokenLabel>
+			<PIN>test:1234</PIN>
+			<Capacity>255</Capacity>
+			<RequireBackup/>
+			<SkipPublicKey/>
+		</Repository>
+-->
+
+	</RepositoryList>
+
+	<Common>
+		<Logging>
+			<Syslog><Facility>local0</Facility></Syslog>
+		</Logging>
+		
+		<PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
+		<ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
+
+	<!--
+		<ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>
+	-->
+	</Common>
+
+	<Enforcer>
+		<Privileges>
+			<User>ods</User>
+			<Group>ods</Group>
+		</Privileges>
+
+		<Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
+		<!-- <ManualKeyGeneration/> -->
+		<!-- <RolloverNotification>P14D</RolloverNotification> -->
+		
+		<!-- the <DelegationSignerSubmitCommand> will get all current
+		     DNSKEYs (as a RRset) on standard input
+		-->
+		<!-- <DelegationSignerSubmitCommand>/usr/sbin/eppclient</DelegationSignerSubmitCommand> -->
+	</Enforcer>
+
+	<Signer>
+		<Privileges>
+			<User>ods</User>
+			<Group>ods</Group>
+		</Privileges>
+
+		<WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
+		<WorkerThreads>4</WorkerThreads>
+		<!-- <SignerThreads>4</SignerThreads> -->
+
+<!--
+                <Listener>
+                        <Interface><Port>53</Port></Interface>
+                </Listener>
+-->
+
+		<!-- the <NotifyCommmand> will expand the following variables:
+
+		     %zone      the name of the zone that was signed
+		     %zonefile  the filename of the signed zone
+		<NotifyCommand>sudo systemctl reload nsd.service</NotifyCommand>
+		-->
+<!--
+		<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
+-->
+	</Signer>
+
+</Configuration>
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..6ab516d
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,7 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
diff --git a/ods-enforcerd.init b/ods-enforcerd.init
new file mode 100644
index 0000000..c131e77
--- /dev/null
+++ b/ods-enforcerd.init
@@ -0,0 +1,106 @@
+#!/bin/bash
+#
+# ods-enforcerd:         Starts the OpenDNSSEC Enforcer Daemon
+#
+# chkconfig: - 13 87
+# description:  ods-enforcerd is the OpenDNSSEC DNSSEC policy enforcer daemon
+# processname: /usr/sbin/ods-enforcerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-enforcerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart| OpenDNSSEC Enforcer Daemon
+# Description: control OpenDNSSEC enforcer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_ENFORCERD_CONF="/etc/opendnssec/conf.xml"
+ODS_ENFORCERD_OPT=""
+ODS_ENFORCERD_PROG="/usr/sbin/ods-enforcerd"
+ODS_ENFORCERD_PIDFILE="/var/run/opendnssec/enforcerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+  # Source networking configuration.
+  [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+  # Check that networking is up
+  [ "${NETWORKING}" = "no" ] && exit 1
+
+  # Sanity checks.
+  [ -f $ODS_ENFORCERD_CONF ] || exit 5
+  [ -x $ODS_ENFORCERD_PROG ] || exit 5
+  # /var/run could (and should) be tmpfs
+  [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+  echo -n $"Starting ods-enforcerd:"
+  $ODS_ENFORCERD_PROG -c $ODS_ENFORCERD_CONF $ODS_ENFORCERD_OPT
+  RETVAL=$?
+        if [ $RETVAL -eq 0 ]; then
+           touch /var/lock/subsys/ods-enforcerd;
+           success
+           echo
+        else
+           failure
+           echo
+           exit 7;
+        fi
+  return 0;
+}
+
+stop() {
+  echo -n $"Stopping ods-enforcerd: "
+    killproc -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+    retval=$?
+    if [ $retval -eq 0 ] ; then
+       rm -f $ODS_ENFORCERD_PIDFILE
+       rm -f /var/lock/subsys/ods-enforcerd
+       success
+    else
+       failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+	stop
+	start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	restart
+	;;
+  condrestart)
+        [ -f /var/lock/subsys/ods-enforcerd ] && restart || :
+	;;
+  status)
+	status -p $ODS_ENFORCERD_PIDFILE $ODS_ENFORCERD_PROG
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+	exit 1
+esac
+
+exit $?
diff --git a/ods-enforcerd.service b/ods-enforcerd.service
new file mode 100644
index 0000000..6a629c2
--- /dev/null
+++ b/ods-enforcerd.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenDNSSEC Enforcer daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/enforcerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
+ExecStartPost=/bin/bash -c 'while [ ! -S /run/opendnssec/enforcer.sock ]; do sleep 1; echo "Waiting for socket"; done'
+TimeoutStartSec=20
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ods-signerd.init b/ods-signerd.init
new file mode 100644
index 0000000..4e3289d
--- /dev/null
+++ b/ods-signerd.init
@@ -0,0 +1,112 @@
+#!/bin/bash
+#
+# ods-signerd:         Starts the OpenDNSSEC Signer Daemon
+#
+# chkconfig: - 13 87
+# description:  ods-signerd is the OpenDNSSEC DNSSEC zone signer daemon
+# processname: /usr/sbin/ods-signerd
+# config: /etc/opendnssec/conf.xml
+#
+### BEGIN INIT INFO
+# Provides: ods-signerd
+# Required-Start: $local_fs $network $syslog
+# Required-Stop: $local_fs $network $syslog
+# Default-Stop: 0 11 89
+# Short-Description: start|stop|status|restart|try-restart|reload|force-reload OpenDNSSEC Signer Daemon
+# Description: control OpenDNSSEC signer daemon
+### END INIT INFO
+
+# Init script default settings
+ODS_SIGNERD_CONF="/etc/opendnssec/conf.xml"
+ODS_SIGNERD_OPT=""
+ODS_SIGNERD_PROG="/usr/sbin/ods-signerd"
+ODS_SIGNER_PROG="/usr/sbin/ods-signer"
+ODS_SIGNERD_PIDFILE="/var/run/opendnssec/signerd.pid"
+PIDDIR="/var/run/opendnssec"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+[ -r /etc/sysconfig/ods ] && . /etc/sysconfig/ods
+
+# Check that networking is configured.
+[ "${NETWORKING}" = "no" ] && exit 0
+
+start() {
+  # Source networking configuration.
+  [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
+
+  # Check that networking is up
+  [ "${NETWORKING}" = "no" ] && exit 1
+
+  # Sanity checks.
+  [ -f $ODS_SIGNERD_CONF ] || exit 5
+  [ -x $ODS_SIGNERD_PROG ] || exit 5
+  # /var/run could (and should) be tmpfs
+  [ -d $PIDDIR ] || mkdir -p $PIDDIR
+
+  echo -n $"Starting ods-signerd:"
+# ods-signerd is lying about supporting -c conf.file option :(
+#  $ODS_SIGNERD_PROG -c $ODS_SIGNERD_CONF $ODS_SIGNERD_OPT
+  $ODS_SIGNERD_PROG $ODS_SIGNERD_OPT
+  RETVAL=$?
+        if [ $RETVAL -eq 0 ]; then
+           touch /var/lock/subsys/ods-signerd;
+           success
+           echo
+        else
+           failure
+           echo
+           exit 7;
+        fi
+  return 0;
+}
+
+stop() {
+  echo -n $"Stopping ods-signerd: "
+  #$ODS_SIGNER_PROG -c $ODS_SIGNERD_CONF stop
+  # seems that this loses our settings :(
+  /usr/sbin/ods-signer stop
+  RETVAL=$?
+  [ "$RETVAL" -eq 0 ] || killproc $ODS_SIGNERD_PROG -TERM >/dev/null 2>&1
+  if [ $RETVAL -eq 0 ] ; then
+     rm -f $ODS_SIGNERD_PIDFILE
+     rm -f /var/lock/subsys/ods-signerd
+     success
+  else
+     failure
+  fi
+  echo
+  return $RETVAL
+}
+
+restart() {
+	stop
+	start
+}
+
+RETVAL=0
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	restart
+	;;
+  condrestart)
+        [ -f /var/lock/subsys/ods-signerd ] && restart || :
+	;;
+  status)
+	status -p $ODS_SIGNERD_PIDFILE $ODS_SIGNERD_PROG
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+	exit 1
+esac
+
+exit $?
diff --git a/ods-signerd.service b/ods-signerd.service
new file mode 100644
index 0000000..c2218a8
--- /dev/null
+++ b/ods-signerd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenDNSSEC signer daemon
+After=syslog.target network.target ods-enforcerd
+
+[Service]
+Type=simple
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/signerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ods.sysconfig b/ods.sysconfig
new file mode 100644
index 0000000..1cf67f2
--- /dev/null
+++ b/ods.sysconfig
@@ -0,0 +1,2 @@
+ODS_SIGNERD_OPT=""
+ODS_ENFORCERD_OPT=""
diff --git a/opendnssec-1.4.13-openssl1.1.patch b/opendnssec-1.4.13-openssl1.1.patch
new file mode 100644
index 0000000..44da95d
--- /dev/null
+++ b/opendnssec-1.4.13-openssl1.1.patch
@@ -0,0 +1,95 @@
+From e2bbb899195ea98b6b5f6c972ab764a53b387789 Mon Sep 17 00:00:00 2001
+From: Yuri Schaeffer <yuri@nlnetlabs.nl>
+Date: Fri, 4 Nov 2016 15:35:06 +0100
+Subject: [PATCH] HMAC_CTX_init deprecated in openssl-1.1.0
+
+---
+ m4/acx_ssl.m4                  | 12 +++++++++---
+ signer/src/Makefile.am         |  4 ++--
+ signer/src/wire/tsig-openssl.c | 15 ++++++++++++---
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/m4/acx_ssl.m4 b/m4/acx_ssl.m4
+index 1dc6e40..3d64626 100644
+--- a/m4/acx_ssl.m4
++++ b/m4/acx_ssl.m4
+@@ -35,12 +35,18 @@ AC_DEFUN([ACX_SSL], [
+             if test x_$ssldir = x_/usr/sfw; then
+                 SSL_LIBS="$SSL_LIBS -R$ssldir/lib";
+             fi
+-            AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
+-                    AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
+-            ])
++            AC_CHECK_LIB(crypto, HMAC_CTX_reset, [
++                    AC_DEFINE_UNQUOTED([HAVE_SSL_NEW_HMAC], [], [Define if you have the SSL libraries with new HMAC related functions.])
++                    SSL_LIBS="$SSL_LIBS -lcrypto";
++            ], [
++                    AC_CHECK_LIB(crypto, HMAC_CTX_init,, [
++                            AC_MSG_ERROR([OpenSSL found in $ssldir, but version 0.9.7 or higher is required])
++                    ])
++            ] )
+             AC_CHECK_FUNCS([EVP_sha1 EVP_sha256])
+         fi
+         AC_SUBST(HAVE_SSL)
++        AC_SUBST(HAVE_SSL_NEW_HMAC)
+         AC_SUBST(SSL_INCLUDES)
+         AC_SUBST(SSL_LIBS)
+     fi
+diff --git a/signer/src/Makefile.am b/signer/src/Makefile.am
+index 60e8877..b39eac8 100644
+--- a/signer/src/Makefile.am
++++ b/signer/src/Makefile.am
+@@ -133,7 +133,7 @@ ods_signer_SOURCES=		ods-signer.c \
+ 				wire/xfrd.c wire/xfrd.h
+ 
+ ods_signer_LDADD=		$(LIBHSM)
+-ods_signer_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
++ods_signer_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@ @SSL_LIBS@ 
+ ods_signer_LDADD+=		$(LIBCOMPAT)
+ 
+ ods_getconf_SOURCES=		ods-getconf.c \
+@@ -193,5 +193,5 @@ ods_getconf_SOURCES=		ods-getconf.c \
+ 				wire/xfrd.c wire/xfrd.h
+ 
+ ods_getconf_LDADD=		$(LIBHSM)
+-ods_getconf_LDADD+=		@LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
++ods_getconf_LDADD+=		@SSL_LIBS@ @LDNS_LIBS@ @XML2_LIBS@ @RT_LIBS@
+ ods_getconf_LDADD+=		$(LIBCOMPAT)
+diff --git a/signer/src/wire/tsig-openssl.c b/signer/src/wire/tsig-openssl.c
+index c26b1e7..24fd342 100644
+--- a/signer/src/wire/tsig-openssl.c
++++ b/signer/src/wire/tsig-openssl.c
+@@ -131,8 +131,11 @@ static void
+ cleanup_context(void *data)
+ {
+     HMAC_CTX* context = (HMAC_CTX*) data;
++#ifdef HAVE_SSL_NEW_HMAC
++    HMAC_CTX_free(context);
++#else
+     HMAC_CTX_cleanup(context);
+-    return;
++#endif
+ }
+ 
+ static void
+@@ -155,9 +158,15 @@ context_add_cleanup(void* context)
+ static void*
+ create_context(allocator_type* allocator)
+ {
+-    HMAC_CTX* context = (HMAC_CTX*) allocator_alloc(allocator,
+-        sizeof(HMAC_CTX));
++    HMAC_CTX* context;
++#ifdef HAVE_SSL_NEW_HMAC
++    context = HMAC_CTX_new();
++    if (!context) return NULL;
++    HMAC_CTX_reset(context);
++#else
++    context = (HMAC_CTX*) allocator_alloc(allocator, sizeof(HMAC_CTX));
+     HMAC_CTX_init(context);
++#endif
+     context_add_cleanup(context);
+     return context;
+ }
+-- 
+2.9.3
+
diff --git a/opendnssec-1.4.5-serial0.patch b/opendnssec-1.4.5-serial0.patch
new file mode 100644
index 0000000..b587e04
--- /dev/null
+++ b/opendnssec-1.4.5-serial0.patch
@@ -0,0 +1,13 @@
+diff -Naur opendnssec-1.4.5-orig/signer/src/adapter/addns.c opendnssec-1.4.5/signer/src/adapter/addns.c
+--- opendnssec-1.4.5-orig/signer/src/adapter/addns.c	2014-03-25 06:45:44.000000000 +0000
++++ opendnssec-1.4.5/signer/src/adapter/addns.c	2014-04-18 16:26:39.079974120 +0000
+@@ -243,7 +243,8 @@
+             tmp_serial =
+                 ldns_rdf2native_int32(ldns_rr_rdf(rr, SE_SOA_RDATA_SERIAL));
+             old_serial = adapi_get_serial(zone);
+-            if (!util_serial_gt(tmp_serial, old_serial)) {
++            if (!util_serial_gt(tmp_serial, old_serial)
++		&& zone->db->is_initialized) {
+                 ods_log_info("[%s] zone %s is already up to date, have "
+                     "serial %u, got serial %u", adapter_str, zone->name,
+                     old_serial, tmp_serial);
diff --git a/opendnssec-1.4.6-extract.patch b/opendnssec-1.4.6-extract.patch
new file mode 100644
index 0000000..6213d38
--- /dev/null
+++ b/opendnssec-1.4.6-extract.patch
@@ -0,0 +1,168 @@
+commit 672d2c75ccd3cd5f2317bb76af4c9cc4e5aa4a37
+Author: Petr Spacek <pspacek@redhat.com>
+Date:   Fri Jul 18 16:19:36 2014 +0200
+
+    add libhsm configuration option <AllowExtraction/>
+    
+    This option allows user to generate private keys with CKA_EXTRACTABLE
+    flag set to TRUE. Defaults to FALSE.
+
+diff --git a/NEWS b/NEWS
+index 4db7038..2efa176 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,8 @@
++* Enforcer: New repository option <AllowExtraction/> allows to generate keys
++  with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
++  and extracted from HSM.
++
++
+ OpenDNSSEC 1.4.6 - 2014-07-21
+ 
+ * Signer Engine: Print secondary server address when logging notify reply
+diff --git a/conf/conf.rnc b/conf/conf.rnc
+index 71d527f..65f837e 100644
+--- a/conf/conf.rnc
++++ b/conf/conf.rnc
+@@ -50,7 +50,10 @@ start = element Configuration {
+ 			element RequireBackup { empty }?,
+ 
+ 			# Do not maintain public keys in the repository (optional)
+-			element SkipPublicKey { empty }?
++			element SkipPublicKey { empty }?,
++
++			# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
++			element AllowExtraction { empty }?
+ 		}*
+ 	},
+ 
+diff --git a/conf/conf.xml.in b/conf/conf.xml.in
+index 0ef2ab9..0536681 100644
+--- a/conf/conf.xml.in
++++ b/conf/conf.xml.in
+@@ -9,6 +9,9 @@
+ 			<TokenLabel>OpenDNSSEC</TokenLabel>
+ 			<PIN>1234</PIN>
+ 			<SkipPublicKey/>
++			<!--
++			<AllowExtraction/>
++			-->
+ 		</Repository>
+ 
+ <!--
+diff --git a/libhsm/src/lib/libhsm.c b/libhsm/src/lib/libhsm.c
+index d723b31..1f9720e 100644
+--- a/libhsm/src/lib/libhsm.c
++++ b/libhsm/src/lib/libhsm.c
+@@ -504,6 +504,7 @@ static void
+ hsm_config_default(hsm_config_t *config)
+ {
+     config->use_pubkey = 1;
++    config->allow_extract = 0;
+ }
+ 
+ /* creates a session_t structure, and automatically adds and initializes
+@@ -2054,6 +2055,8 @@ hsm_open(const char *config,
+                     module_pin = (char *) xmlNodeGetContent(curNode);
+                 if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
+                     module_config.use_pubkey = 0;
++                if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
++                    module_config.allow_extract = 1;
+                 curNode = curNode->next;
+             }
+ 
+@@ -2341,10 +2344,12 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+     CK_BBOOL ctoken = CK_TRUE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+     do {
+@@ -2380,7 +2385,7 @@ hsm_generate_rsa_key(hsm_ctx_t *ctx,
+         { CKA_SENSITIVE,   &ctrue,   sizeof (ctrue) },
+         { CKA_TOKEN,       &ctrue,   sizeof (ctrue)  },
+         { CKA_PRIVATE,     &ctrue,   sizeof (ctrue)  },
+-        { CKA_EXTRACTABLE, &cfalse,  sizeof (cfalse) }
++        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
+@@ -2420,6 +2425,7 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
+     CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2466,12 +2472,13 @@ hsm_generate_dsa_key(hsm_ctx_t *ctx,
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
++        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+@@ -2533,6 +2540,7 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
+     CK_OBJECT_HANDLE publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2569,12 +2577,13 @@ hsm_generate_gost_key(hsm_ctx_t *ctx,
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
++        { CKA_EXTRACTABLE,         &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+diff --git a/libhsm/src/lib/libhsm.h b/libhsm/src/lib/libhsm.h
+index 45d110a..08224b8 100644
+--- a/libhsm/src/lib/libhsm.h
++++ b/libhsm/src/lib/libhsm.h
+@@ -75,6 +75,7 @@
+ /*! HSM configuration */
+ typedef struct {
+     unsigned int use_pubkey;     /*!< Maintain public keys in HSM */
++    unsigned int allow_extract;  /*!< Generate CKA_EXTRACTABLE private keys */
+ } hsm_config_t;
+ 
+ /*! Data type to describe an HSM */
+--- a/conf/conf.rng
++++ b/conf/conf.rng
+@@ -71,6 +71,12 @@
+                 <empty/>
+               </element>
+             </optional>
++            <optional>
++              <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
++              <element name="AllowExtraction">
++                <empty/>
++              </element>
++            </optional>
+           </element>
+         </zeroOrMore>
+       </element>
diff --git a/opendnssec-1.4.7-extract.patch b/opendnssec-1.4.7-extract.patch
new file mode 100644
index 0000000..2b96715
--- /dev/null
+++ b/opendnssec-1.4.7-extract.patch
@@ -0,0 +1,156 @@
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc
+--- opendnssec-1.4.7-orig/conf/conf.rnc	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.rnc	2014-12-08 22:49:16.100212010 -0500
+@@ -50,7 +50,10 @@
+ 			element RequireBackup { empty }?,
+ 
+ 			# Do not maintain public keys in the repository (optional)
+-			element SkipPublicKey { empty }?
++			element SkipPublicKey { empty }?,
++
++			# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
++			element AllowExtraction { empty }?
+ 		}*
+ 	},
+ 
+diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng
+--- opendnssec-1.4.7-orig/conf/conf.rng	2014-12-04 10:18:39.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.rng	2014-12-08 22:49:16.105212137 -0500
+@@ -71,6 +71,12 @@
+                 <empty/>
+               </element>
+             </optional>
++            <optional>
++              <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) -->
++              <element name="AllowExtraction">
++                <empty/>
++              </element>
++            </optional>
+           </element>
+         </zeroOrMore>
+       </element>
+diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in
+--- opendnssec-1.4.7-orig/conf/conf.xml.in	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/conf/conf.xml.in	2014-12-08 22:49:16.101212036 -0500
+@@ -9,6 +9,9 @@
+ 			<TokenLabel>OpenDNSSEC</TokenLabel>
+ 			<PIN>1234</PIN>
+ 			<SkipPublicKey/>
++			<!--
++			<AllowExtraction/>
++			-->
+ 		</Repository>
+ 
+ <!--
+diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c opendnssec-1.4.7/libhsm/src/lib/libhsm.c
+--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.c	2014-12-08 22:49:16.102212061 -0500
+@@ -504,6 +504,7 @@
+ hsm_config_default(hsm_config_t *config)
+ {
+     config->use_pubkey = 1;
++    config->allow_extract = 0;
+ }
+ 
+ /* creates a session_t structure, and automatically adds and initializes
+@@ -2054,6 +2055,8 @@
+                     module_pin = (char *) xmlNodeGetContent(curNode);
+                 if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
+                     module_config.use_pubkey = 0;
++                if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
++                    module_config.allow_extract = 1;
+                 curNode = curNode->next;
+             }
+ 
+@@ -2341,10 +2344,12 @@
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
+     CK_BBOOL ctoken = CK_TRUE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+     do {
+@@ -2380,7 +2385,7 @@
+         { CKA_SENSITIVE,   &ctrue,   sizeof (ctrue) },
+         { CKA_TOKEN,       &ctrue,   sizeof (ctrue)  },
+         { CKA_PRIVATE,     &ctrue,   sizeof (ctrue)  },
+-        { CKA_EXTRACTABLE, &cfalse,  sizeof (cfalse) }
++        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
+@@ -2420,6 +2425,7 @@
+     CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2466,12 +2472,13 @@
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
++        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+@@ -2533,6 +2540,7 @@
+     CK_OBJECT_HANDLE publicKey, privateKey;
+     CK_BBOOL ctrue = CK_TRUE;
+     CK_BBOOL cfalse = CK_FALSE;
++    CK_BBOOL cextractable = CK_FALSE;
+ 
+     /* ids we create are 16 bytes of data */
+     unsigned char id[16];
+@@ -2569,12 +2577,13 @@
+         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
+         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
+         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
+-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
++        { CKA_EXTRACTABLE,         &cextractable,  sizeof (cextractable) }
+     };
+ 
+     if (!ctx) ctx = _hsm_ctx;
+     session = hsm_find_repository_session(ctx, repository);
+     if (!session) return NULL;
++    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
+ 
+     /* check whether this key doesn't happen to exist already */
+ 
+diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h opendnssec-1.4.7/libhsm/src/lib/libhsm.h
+--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.h	2014-12-08 22:49:16.102212061 -0500
+@@ -75,6 +75,7 @@
+ /*! HSM configuration */
+ typedef struct {
+     unsigned int use_pubkey;     /*!< Maintain public keys in HSM */
++    unsigned int allow_extract;  /*!< Generate CKA_EXTRACTABLE private keys */
+ } hsm_config_t;
+ 
+ /*! Data type to describe an HSM */
+diff -Naur opendnssec-1.4.7-orig/NEWS opendnssec-1.4.7/NEWS
+--- opendnssec-1.4.7-orig/NEWS	2014-12-04 10:17:40.000000000 -0500
++++ opendnssec-1.4.7/NEWS	2014-12-08 22:50:00.560342544 -0500
+@@ -1,3 +1,9 @@
++
++Fedora patch:
++* Enforcer: New repository option <AllowExtraction/> allows to generate keys
++  with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
++  and extracted from HSM.
++
+ OpenDNSSEC 1.4.7 - 2014-12-04
+ 
+ Bugfixes:
diff --git a/opendnssec-2.1.sqlite_convert.sql b/opendnssec-2.1.sqlite_convert.sql
new file mode 100644
index 0000000..aed4d8f
--- /dev/null
+++ b/opendnssec-2.1.sqlite_convert.sql
@@ -0,0 +1,842 @@
+INSERT INTO databaseVersion VALUES (NULL, 1, 1);
+
+-- ~ ************
+-- ~ ** policy table
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO policy 
+SELECT id, 1, name, description,
+0, 0, 0,
+0, 0, 0, 0,
+86400, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0
+FROM REMOTE.policies;
+
+UPDATE policy
+SET signaturesResign = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'resign');
+
+UPDATE policy
+SET signaturesRefresh = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'refresh') ;
+
+UPDATE policy
+SET signaturesJitter = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'jitter');
+
+UPDATE policy
+SET signaturesInceptionOffset = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'clockskew');
+
+UPDATE policy
+SET signaturesValidityDefault = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'valdefault');
+
+UPDATE policy
+SET signaturesValidityDenial = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 1
+		AND REMOTE.parameters.name = 'valdenial');
+
+--MaxZoneTTL default 86400
+
+-- We need the following mapping 1.4 -> 2.0 for denialType
+-- 0 -> 1
+-- 3 -> 0
+
+UPDATE policy
+SET denialType = (
+	SELECT (~value)&1
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'version');
+
+-- I'm pretty sure this is not the correct way to do it. It is aweful but
+-- I can't figure it out how it would work for sqlite.
+UPDATE policy
+SET denialOptout = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'optout')
+WHERE null !=  (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'optout');
+
+UPDATE policy
+SET denialTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'ttl')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET denialResalt = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'resalt')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'resalt');
+
+UPDATE policy
+SET denialAlgorithm = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'algorithm')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'algorithm');
+
+UPDATE policy
+SET denialIterations = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'iterations')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'iterations');
+
+UPDATE policy
+SET denialSaltLength = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'saltlength')
+WHERE null != (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 2
+		AND REMOTE.parameters.name = 'saltlength');
+
+-- clumsy salt update. salt is optional in 1.4 but required in 2.0
+-- sqlite is limited in what it can do in an update. I hope there is a
+-- better way for this?
+
+UPDATE policy
+SET denialSalt = (
+	SELECT salt
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id)
+WHERE (
+	SELECT salt
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id) != null;
+
+UPDATE policy
+SET denialSaltLastChange = (
+	SELECT salt_stamp
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id)
+WHERE (
+	SELECT salt_stamp
+	FROM  REMOTE.policies
+	WHERE REMOTE.policies.id = policy.id) != null;
+
+UPDATE policy
+SET keysTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET keysRetireSafety = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'retiresafety');
+
+UPDATE policy
+SET keysPublishSafety = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'publishsafety');
+
+UPDATE policy
+SET keysShared = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'zones_share_keys');
+
+UPDATE policy
+SET keysPurgeAfter = COALESCE((
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 5
+		AND REMOTE.parameters.name = 'purge'), 0);
+
+UPDATE policy
+SET zonePropagationDelay = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'propagationdelay');
+
+UPDATE policy
+SET zoneSoaTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET zoneSoaMinimum = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'min');
+
+-- Temporary mapping table between 1.4 and 2.0 SOA serial strategy
+CREATE TABLE mapping (
+	soa14 INTEGER,
+	soa20 INTEGER
+);
+INSERT INTO mapping SELECT  1, 2;
+INSERT INTO mapping SELECT  2, 0;
+INSERT INTO mapping SELECT  3, 1;
+INSERT INTO mapping SELECT  4, 3;
+
+UPDATE policy
+SET zoneSoaSerial = (
+	SELECT mapping.soa20
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+        INNER JOIN mapping
+        ON REMOTE.parameters_policies.value = mapping.soa14
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 7
+		AND REMOTE.parameters.name = 'serial');
+
+DROP TABLE mapping;
+
+-- parentRegistrationDelay = 0 on 1.4
+
+UPDATE policy
+SET parentPropagationDelay = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'propagationdelay');
+
+UPDATE policy
+SET parentDsTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'ttlds');
+
+UPDATE policy
+SET parentSoaTtl = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET parentSoaMinimum = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id 
+	WHERE REMOTE.parameters_policies.policy_id = policy.id 
+		AND REMOTE.parameters.category_id = 8
+		AND REMOTE.parameters.name = 'min');
+
+-- passthrough = 0
+
+-- ~ ************
+-- ~ ** policyKey table
+-- ~ **
+-- ~ ** For each policy in 1.4 add two keys: KSK and ZSK
+-- ~ **
+-- ~ **
+-- ~ ************
+
+-- Insert each KSK
+INSERT INTO policyKey
+SELECT null, 1, id,
+		1, 0, 0,
+		0, 0, 0,
+		0, 0, 4
+FROM REMOTE.policies;
+
+-- Insert each ZSK
+INSERT INTO policyKey
+SELECT null, 1, id,
+		2, 0, 0,
+		0, 0, 0,
+		0, 0, 1
+FROM REMOTE.policies;
+
+UPDATE policyKey
+SET algorithm = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'algorithm')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET algorithm = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'algorithm')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET bits = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'bits')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET bits = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'bits')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET lifetime = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'lifetime')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET lifetime = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'lifetime')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET repository = (
+	SELECT REMOTE.securitymodules.name
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	INNER JOIN REMOTE.securitymodules
+	ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'repository')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET repository = (
+	SELECT REMOTE.securitymodules.name
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	INNER JOIN REMOTE.securitymodules
+	ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'repository')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET standby = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'standby')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET standby = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'standby')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET manualRollover = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 3
+		AND REMOTE.parameters.name = 'manual_rollover')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET manualRollover = (
+	SELECT value
+	FROM  REMOTE.parameters_policies
+	INNER JOIN REMOTE.parameters
+	ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+	WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+		AND REMOTE.parameters.category_id = 4
+		AND REMOTE.parameters.name = 'manual_rollover')
+WHERE policyKey.role = 2;
+
+-- rfc5011 = 0. 2.0 has no support
+-- minimize already set
+
+-- ~ ************
+-- ~ ** hsmKey table
+-- ~ **
+-- ~ ** get from keypairs and dnsseckeys
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO hsmKey
+SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
+REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size, 
+REMOTE.keypairs.algorithm,  (~(REMOTE.dnsseckeys.keytype)&1)+1, 
+CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN 
+	strftime('%s', REMOTE.keypairs.generate) 
+	ELSE strftime("%s", "now") END, 
+0, 
+1, --only RSA supported
+ REMOTE.securitymodules.name, 
+0 --assume no backup 
+FROM REMOTE.keypairs
+JOIN REMOTE.dnsseckeys 
+	ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
+JOIN REMOTE.securitymodules 
+	ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
+
+-- For some policies put the keys in a shared state
+UPDATE hsmKey 
+SET state = 3
+WHERE EXISTS 
+	(SELECT * FROM hsmKey AS h 
+	JOIN policy ON policy.id = h.policyId 
+	WHERE policy.keysShared AND hsmKey.id = h.id);
+
+-- ~ ************
+-- ~ ** zone table
+-- ~ **
+-- ~ ** 
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO zone
+SELECT zones.id, 1, zones.policy_id, 
+	zones.name, 1, zones.signconf, 0,  
+	0,0,0, 
+	0,0,0,
+	zones.in_type, zones.input,
+	zones.out_type, zones.output,
+	0,0,0
+	FROM REMOTE.zones;
+
+-- ~ ************
+-- ~ ** keyData table
+-- ~ **
+-- ~ ** 
+-- ~ **
+-- ~ **
+-- ~ ************
+
+-- Temporary mapping table between 1.4 states and 2.0 ds_at_parent states
+-- We are ignoring the fact this may set a DS state for a ZSK; We don't care
+CREATE TABLE mapping (
+	state INTEGER,
+	ds_state INTEGER
+);
+INSERT INTO mapping SELECT  1, 0;
+INSERT INTO mapping SELECT  2, 0;
+INSERT INTO mapping SELECT  3, 1;
+INSERT INTO mapping SELECT  4, 3;
+INSERT INTO mapping SELECT  5, 5;
+INSERT INTO mapping SELECT  6, 5;
+INSERT INTO mapping SELECT  7, 5;
+INSERT INTO mapping SELECT  8, 5;
+INSERT INTO mapping SELECT  9, 5;
+INSERT INTO mapping SELECT 10, 5;
+
+INSERT INTO keyData
+SELECT 
+	NULL, 1, REMOTE.dnsseckeys.zone_id,
+	REMOTE.dnsseckeys.keypair_id, REMOTE.keypairs.algorithm,
+	CASE WHEN REMOTE.dnsseckeys.publish IS NOT NULL THEN 
+		strftime('%s', REMOTE.dnsseckeys.publish) 
+		ELSE strftime("%s", "now") END, 
+	(~REMOTE.dnsseckeys.keytype&1)+1,
+	REMOTE.dnsseckeys.state <= 4, -- introducing
+	0, -- should revoke, not used
+	0, -- standby
+	REMOTE.dnsseckeys.state  = 4 AND REMOTE.dnsseckeys.keytype = 256, --activeZSK: 
+	REMOTE.dnsseckeys.state >= 2 AND REMOTE.dnsseckeys.state <= 5, --publish
+	REMOTE.dnsseckeys.state  = 4 AND REMOTE.dnsseckeys.keytype = 257, --activeKSK: 
+	mapping.ds_state, --dsatparent
+	1<<16, --keytag (crap, will 2.0 regenerate this?)
+	(REMOTE.dnsseckeys.keytype&1)*3+1 --minimize
+FROM REMOTE.dnsseckeys
+JOIN REMOTE.keypairs 
+	ON REMOTE.dnsseckeys.keypair_id = REMOTE.keypairs.id
+JOIN mapping 
+	ON REMOTE.dnsseckeys.state = mapping.state
+WHERE EXISTS(select REMOTE.zones.id FROM REMOTE.zones WHERE REMOTE.zones.id = REMOTE.dnsseckeys.zone_id);
+
+-- Everything that is just a ZSK must not have dsatparent set.
+UPDATE keyData
+SET dsatparent = 0
+WHERE role = 2;
+
+DROP TABLE mapping;
+
+-- If a active time is set for a ready KSK dsAtParent is submitted 
+-- instead of submit
+UPDATE keyData
+SET dsatparent = 2
+WHERE keyData.dsAtParent = 1 AND keyData.id IN (
+	SELECT keyData.id
+	FROM keyData
+	JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+	WHERE REMOTE.dnsseckeys.active IS NOT NULL);
+
+
+-- ~ ************
+-- ~ ** Keystate table
+-- ~ **
+-- ~ ** 
+-- ~ **
+-- ~ **
+-- ~ ************
+
+CREATE TABLE mapping (
+	state INTEGER,
+	ds INTEGER,
+	dk INTEGER,
+	ks INTEGER,
+	rs INTEGER
+);
+INSERT INTO mapping SELECT  1, 0, 0, 0, 0;
+INSERT INTO mapping SELECT  2, 0, 1, 1, 1;
+INSERT INTO mapping SELECT  3, 0, 2, 2, 1;
+INSERT INTO mapping SELECT  4, 2, 2, 2, 1;
+INSERT INTO mapping SELECT  5, 3, 2, 2, 3;
+INSERT INTO mapping SELECT  6, 0, 3, 3, 0;
+INSERT INTO mapping SELECT  7, 3, 0, 0, 0;
+INSERT INTO mapping SELECT  8, 3, 0, 0, 0;
+INSERT INTO mapping SELECT  9, 3, 0, 0, 0;
+INSERT INTO mapping SELECT 10, 3, 0, 0, 0;
+
+-- DS RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 0, mapping.ds, strftime("%s", "now"), (keyData.minimize>>2)&1, policy.parentDsTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+UPDATE keyState
+SET state = 1
+WHERE keyState.state = 0 AND keyState.type = 0 AND keyState.id IN (
+	SELECT keyState.id
+	FROM keyState
+	JOIN keyData
+		ON keyData.id = keyState.keydataId
+	JOIN REMOTE.dnsseckeys
+		ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+	WHERE REMOTE.dnsseckeys.active IS NOT NULL);
+
+-- DNSKEY RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 2, mapping.dk, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+-- RRSIG DNSKEY RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 3, mapping.ks, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+-- RRSIG RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 1, mapping.rs, strftime("%s", "now"), (keyData.minimize>>0)&1, policy.signaturesMaxZoneTtl
+FROM keyData
+JOIN zone
+	ON zone.id = keyData.zoneId
+JOIN policy
+	ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+	ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+	ON mapping.state = REMOTE.dnsseckeys.state;
+
+--Set to OMN if Tactive + Dttl < Tnow
+UPDATE keyState
+SET state = 2
+WHERE keyState.state = 1 AND keyState.type = 1 AND keyState.id IN (
+        SELECT keyState.id
+        FROM keyState
+        JOIN keyData
+                ON keyData.id = keyState.keydataId
+        JOIN REMOTE.dnsseckeys
+                ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+        JOIN zone
+                ON keyData.zoneId = zone.id
+        JOIN policy
+                ON policy.id = zone.policyId
+        WHERE CAST(strftime("%s", REMOTE.dnsseckeys.active) + policy.signaturesValidityDefault as INTEGER) < strftime("%s", "now"));
+
+--Force the RRSIG state in omnipresent if rumoured and there is no old ZSK
+-- unretentive
+UPDATE keyState 
+SET state = 2
+WHERE keyState.id IN (
+SELECT rs.id FROM keyState AS rs 
+JOIN keystate AS dk ON dk.keyDataId == rs.keyDataId
+WHERE rs.type == 1 AND dk.type == 2 AND rs.state == 1 AND dk.state == 2
+AND NOT EXISTS(
+	SELECT* FROM keystate AS rs2
+	JOIN keystate AS dk2 ON dk2.keyDataId == rs2.keyDataId
+	WHERE rs2.type == 1 AND dk2.type == 2 AND rs2.state == 3 AND dk2.state == 2
+));
+
+DROP TABLE mapping;
+
+-- We need to create records in the keydependency table in case we are in a
+-- rollover. Only done for ZSK. For every introducing ZSK with RRSIG rumoured
+-- that has an outroducing ZSK with RRSIG unretentive, we add a record.
+INSERT INTO keyDependency
+SELECT NULL, 0, keyData.zoneID, SUB.IDout, keyData.id, 1
+FROM keyData
+JOIN keyState AS KS1 
+	ON KS1.keyDataId == keyData.id
+JOIN keyState AS KS2 
+	ON KS2.keyDataId == keyData.id
+JOIN (
+	SELECT keyData.id AS IDout, keyData.zoneID 
+	FROM keyData
+	JOIN keyState AS KS1 
+		ON KS1.keyDataId == keyData.id
+	JOIN keyState AS KS2 
+		ON KS2.keyDataId == keyData.id
+	WHERE KS1.type == 2 
+		AND ks1.state = 2 
+		AND KS2.type == 1 
+		AND KS2.state == 3
+		AND keyData.introducing == 0 
+		AND keyData.role == 2
+) AS SUB
+	ON SUB.zoneId == keyData.zoneId
+WHERE 
+	KS1.type == 2 
+	AND ks1.state = 2 
+	AND KS2.type == 1 
+	AND KS2.state == 1
+	AND keyData.introducing == 1 
+	AND keyData.role == 2;
+
+-- ZSK
+UPDATE keyState
+SET state = 4
+WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN (
+	SELECT keyData.id
+	FROM keyData
+	WHERE keyData.role = 2);
+
+--KSK
+UPDATE keyState
+SET state = 4
+WHERE keyState.type = 1 AND keyDataId IN (
+	SELECT keyData.id
+	FROM keyData
+	WHERE keyData.role = 1);
+
+-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
+CREATE TABLE rpm_migration (
+        major INTEGER,
+        minor INTEGER
+);
+INSERT INTO rpm_migration VALUES(2, 1);
+
diff --git a/opendnssec-2.1.sqlite_rpmversion.sql b/opendnssec-2.1.sqlite_rpmversion.sql
new file mode 100644
index 0000000..4107157
--- /dev/null
+++ b/opendnssec-2.1.sqlite_rpmversion.sql
@@ -0,0 +1,7 @@
+-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
+CREATE TABLE rpm_migration (
+        major INTEGER,
+        minor INTEGER
+);
+INSERT INTO rpm_migration VALUES(2, 1);
+
diff --git a/opendnssec-LICENSE b/opendnssec-LICENSE
new file mode 100644
index 0000000..2cadc1e
--- /dev/null
+++ b/opendnssec-LICENSE
@@ -0,0 +1,25 @@
+$Id: LICENSE 6226 2012-03-26 17:25:52Z jakob $
+
+Copyright (c) 2012 OpenDNSSEC AB (svb). All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/opendnssec.cron b/opendnssec.cron
new file mode 100644
index 0000000..776de9b
--- /dev/null
+++ b/opendnssec.cron
@@ -0,0 +1,4 @@
+# Ensure multiple ods-enforcerd's on different system roll at the same time
+# independant of when the daemon was started. Since TLDs often update their
+# zone "on the hour" we do the key rollover checks just before the hour.
+50,20 * * * * root test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null
diff --git a/opendnssec.spec b/opendnssec.spec
new file mode 100644
index 0000000..88b2320
--- /dev/null
+++ b/opendnssec.spec
@@ -0,0 +1,362 @@
+#global prever rcX
+%global _hardened_build 1
+
+Summary: DNSSEC key and zone management software
+Name: opendnssec
+Version: 2.1.7
+Release: 1%{?prever}%{?dist}
+License: BSD
+Url: http://www.opendnssec.org/
+Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
+Source1: ods-enforcerd.service
+Source2: ods-signerd.service
+Source3: ods.sysconfig
+Source4: conf.xml
+Source5: tmpfiles-opendnssec.conf
+Source6: opendnssec.cron
+Source7: opendnssec-2.1.sqlite_convert.sql
+Source8: opendnssec-2.1.sqlite_rpmversion.sql
+
+Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
+Requires: libxml2, libxslt sqlite
+BuildRequires:  gcc
+BuildRequires: ldns-devel >= 1.6.12, sqlite-devel >= 3.0.0, openssl-devel
+BuildRequires: libxml2-devel CUnit-devel, doxygen
+# It tests for pkill/killall and would use /bin/false if not found
+BuildRequires: procps-ng
+BuildRequires: perl-interpreter
+BuildRequires: libmicrohttpd-devel jansson-devel libyaml-devel
+
+BuildRequires: systemd-units
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+%if 0%{?prever:1}
+# For building development snapshots
+Buildrequires: autoconf, automake, libtool, java
+%endif
+
+%description
+OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
+It secures zone data just before it is published in an authoritative
+name server. It requires a PKCS#11 crypto module library, such as softhsm
+
+%prep
+%setup -q -n %{name}-%{version}%{?prever}
+# bump default policy ZSK keysize to 2048
+sed -i "s/1024/2048/" conf/kasp.xml.in
+
+%build
+#export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
+#export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
+#export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+%if 0%{?prever:1}
+# for development snapshots
+sh ./autogen.sh
+%endif
+%configure --with-ldns=%{_libdir}
+make %{?_smp_mflags}
+
+%check
+# Requires sample db not shipped with upstream
+# make check
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} install
+mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf,enforcer}
+install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
+install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
+rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
+install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig
+install -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
+install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
+mkdir -p %{buildroot}%{_tmpfilesdir}/
+install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
+mkdir -p %{buildroot}%{_datadir}/opendnssec/
+cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
+cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
+# fixup path for mysql/sqlite. Use our replacement sqlite_convert.sql to detect previous migration
+cp -a %{SOURCE7} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql
+cp -a %{SOURCE8} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
+sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
+sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
+sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+
+
+%files
+%{_unitdir}/ods-enforcerd.service
+%{_unitdir}/ods-signerd.service
+%config(noreplace) %{_tmpfilesdir}/opendnssec.conf
+%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
+%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer
+%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
+%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
+%doc NEWS README.md
+%license LICENSE
+%{_mandir}/*/*
+%{_sbindir}/*
+%{_bindir}/*
+%attr(0755,root,root) %dir %{_datadir}/opendnssec
+%{_datadir}/opendnssec/*
+
+%pre
+getent group ods >/dev/null || groupadd -r ods
+getent passwd ods >/dev/null || \
+useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
+-c "opendnssec daemon account" ods
+exit 0
+
+%post
+# Initialise a slot on the softhsm on first install
+if [ "$1" -eq 1 ]; then
+   %{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \
+                --free --label "OpenDNSSEC" --pin 1234 --so-pin 1234
+   if [ ! -s %{_localstatedir}/opendnssec/kasp.db ]; then
+      echo y | %{_sbindir}/ods-enforcer-db-setup
+      %{_bindir}/sqlite3 -batch %{_localstatedir}/opendnssec/kasp.db < %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
+   fi
+
+elif [ -z "$(%{_bindir}/sqlite3 %{_localstatedir}/opendnssec/kasp.db 'select * from rpm_migration;')" ]; then
+   # Migrate version 1.4 db to version 2.1 db
+   if [ -e %{_localstatedir}/opendnssec/rpm-migration-in-progress ]; then
+      echo "previous (partial?) migration found - human intervention is needed"
+   else
+      echo "opendnssec 1.4 database found, migrating to 2.x"
+      touch %{_localstatedir}/opendnssec/rpm-migration-in-progress
+      mv -n %{_localstatedir}/opendnssec/kasp.db %{_localstatedir}/opendnssec/kasp.db-1.4
+      echo "migrating conf.xml from 1.4 to 2.1 schema"
+      cp -n %{_sysconfdir}/opendnssec/conf.xml %{_sysconfdir}/opendnssec/conf.xml-1.4
+      # fixup incompatibilities inflicted upon us by upstream :(
+      sed -i "/<Interval>.*Interval>/d" %{_sysconfdir}/opendnssec/conf.xml
+      echo "Converting kasp.db"
+      ERR=""
+      %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite -i %{_localstatedir}/opendnssec/kasp.db-1.4 -o %{_localstatedir}/opendnssec/kasp.db || ERR="convert_sqlite error"
+      chown ods.ods %{_localstatedir}/opendnssec/kasp.db
+      cp -n %{_sysconfdir}/opendnssec/zonelist.xml %{_localstatedir}/opendnssec/enforcer/zones.xml
+      if [ -z "$ERR" ]; then
+         echo "calling ods-migrate"
+         ods-migrate || ERR="ods-migrate failed"
+         if [ -z "$ERR" ]; then
+            echo "opendnssec 1.4 to 2.x migration completed"
+            rm %{_localstatedir}/opendnssec/rpm-migration-in-progress
+         else
+            echo "ods-migrate process failed - human intervention is needed"
+         fi
+      else
+         echo "%{_localstatedir}/opendnssec/kasp.db conversion failed - not calling ods-migrate to complete migration. human intervention is needed"
+      fi
+   fi
+fi
+
+# in case we update any xml conf file
+ods-enforcer update all >/dev/null 2>/dev/null ||:
+
+%systemd_post ods-enforcerd.service
+%systemd_post ods-signerd.service
+
+%preun
+%systemd_preun ods-enforcerd.service
+%systemd_preun ods-signerd.service
+
+%postun
+%systemd_postun_with_restart ods-enforcerd.service
+%systemd_postun_with_restart ods-signerd.service
+
+%changelog
+* Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.7-1
+- Upstream release 2.1.7
+- Resolves: rhbz#1904484
+
+* Fri May 08 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-2
+- Resolves: rhbz#1831732 AVC avc: denied { dac_override } for comm="ods-enforcerd
+
+* Wed Apr 15 2020 Paul Wouters <pwouters@redhat.com> - 2.1.6-1
+- Resolves: rhbz#1759888 Rebase OpenDNSSEC to 2.1
+
+* Tue Dec 12 2017 Paul Wouters <pwouters@redhat.com> - 1.4.14-1
+- Update to 1.4.14 as first steop to migrating to 2.x
+- Resolves: rhbz#1413254 Move tmpfiles.d config to %%{_tmpfilesdir}, install LICENSE as %%license
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar 08 2017 Tomas Hozza <thozza@redhat.com> - 1.4.9-5
+- Fix FTBFS (#1424019) in order to rebuild against new ldns
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 18 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-3
+- Resolves: rbz#1303965 upgrade to opendnssec-1.4.9-1.fc23 breaks old installations
+- On initial install, after token init, also run ods-ksmutil setup
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Feb 01 2016 Paul Wouters <pwouters@redhat.com> - 1.4.9-1
+- Updated to 1.4.9
+- Removed merged in patch
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 09 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-2
+- Resolves rhbz#1219746 ods-signerd.service misplaced After= in section Service
+- Resolves rhbz#1220443 OpenDNSSEC fails to initialise a slot in softhsm on first install
+
+* Tue Dec 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.7-1
+- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd)
+
+* Wed Oct 15 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-4
+- Change /etc/opendnssec to be ods group writable
+
+* Wed Oct 08 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-3
+- Added Petr Spacek's patch that adds the config option <AllowExtraction/> (rhbz#1123354)
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Mon Jul 28 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-1
+- Updated to 1.4.6
+- Removed incorporated patch upstream
+- Remove Wants= from ods-signerd.service (rhbz#1098205)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Apr 18 2014 Paul Wouters <pwouters@redhat.com> - 1.4.5-2
+- Updated to 1.4.5
+- Added patch for serial 0 bug in XFR adapter
+
+* Tue Apr 01 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-3
+- Add buildrequires for ods-kasp2html (rhbz#1073313)
+
+* Sat Mar 29 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-2
+- Add requires for ods-kasp2html (rhbz#1073313)
+
+* Thu Mar 27 2014 Paul Wouters <pwouters@redhat.com> - 1.4.4-1
+- Updated to 1.4.4 (compatibility with non RFC 5155 errata 3441)
+- Change the default ZSK policy from 1024 to 2048 bit RSA keys
+- Fix post to be quiet when upgrading opendnssec
+
+* Thu Jan 09 2014 Paul Wouters <pwouters@redhat.com> - 1.4.3-1
+- Updated to 1.4.3 (rhel#1048449) - minor bugfixes, minor feature enhancements
+- rhel#1025985 OpenDNSSEC signer cannot be started due to a typo in service file
+
+* Wed Sep 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.2-1
+- Updated to 1.4.2, bugfix release
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Jun 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.1-1
+- Updated to 1.4.1. NSEC3 handling and serial number handling fixes
+- Add BuildRequire for systemd-units
+
+* Sat May 11 2013 Paul Wouters <pwouters@redhat.com> - 1.4.0-1
+- Updated to 1.4.0
+
+* Fri Apr 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-0.8.rc3
+- Updated to 1.4.0rc3
+- Enabled hardened compile, full relzo/pie
+
+* Fri Jan 25 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.7.rc2
+- Updated to 1.4.0rc2, which includes svn r6952
+
+* Fri Jan 18 2013 Patrick Uiterwijk <puiterwijk@gmail.com> - 1.4.0-0.6.rc1
+- Updated to 1.4.0rc1
+- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)
+
+* Tue Dec 18 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.5.b2
+- Updated to 1.4.0b2
+- All patches have been merged upstream
+- cron job should be marked as config file
+
+* Tue Oct 30 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.4.b1
+- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
+- Change RRSIG inception offset to -2h to avoid possible
+  daylight saving issues on resolvers
+- Patch to prevent removal of occluded data
+
+* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.3.b1
+- Just an EVR fix to the proper standard
+- Cleanup of spec file
+- Introduce new systemd-rpm macros (rhbz#850242)
+
+* Wed Sep 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.b1.1
+- Updated to 1.4.0b1
+- Patch for NSEC3PARAM TTL
+- Cron job to assist narrowing ods-enforcerd timing differences
+
+* Wed Aug 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a3.1
+- Updated to 1.4.0a3
+- Patch to more aggressively try to resign
+- Patch to fix locking issue eating up cpu
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.0-0.a2.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jun 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a2.1
+- Updated to 1.4.0a2
+- ksm-utils patch for ods-ksmutil to die sooner when it can't lock
+  the HSM.
+
+* Wed May 16 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.3
+- Patch for crasher with deleted RRsets and NSEC3/OPTOUT chains
+
+* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.2
+- Added opendnssec LICENSE file from trunk (Thanks Jakob!)
+
+* Mon Mar 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1.1
+- Fix macros in comment
+- Added missing -m to install target
+
+* Sun Mar 25 2012 Paul Wouters <pwouters@redhat.com> - 1.4.0-0.a1
+- The 1.4.x branch no longer needs ruby, as the auditor has been removed
+- Added missing openssl-devel BuildRequire
+- Comment out <SkipPublicKey/> so keys generated by ods can be used by bind
+
+* Fri Feb 24 2012 Paul Wouters <pwouters@redhat.com> - 1.3.6-3
+- Requires rubygem-soap4r when using ruby-1.9
+- Don't ghost /var/run/opendnssec
+- Converted initd to systemd
+
+* Thu Nov 24 2011 root - 1.3.2-6
+- Added rubygem-dnsruby requires as rpm does not pick it up automatically
+
+* Tue Nov 22 2011 root - 1.3.2-5
+- Added /var/opendnssec/signconf/ /as this temp dir is needed
+
+* Mon Nov 21 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-4
+- Added /var/opendnssec/signed/ as this is the default output dir
+
+* Sun Nov 20 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-3
+- Add ods user for opendnssec tasks
+- Added initscripts and services for ods-signerd and ods-enforcerd
+- Initialise OpenDNSSEC softhsm token on first install
+
+* Wed Oct 05 2011 Paul Wouters <paul@xelerance.com> - 1.3.2-1
+- Updated to 1.3.2
+- Added dependancies on opencryptoki and softhsm
+- Don't install duplicate unreadable .sample files
+- Fix upstream conf.xml to point to actually used library paths
+
+* Thu Mar  3 2011 Paul Wouters <paul@xelerance.com> - 1.2.0-1
+- Initial package for Fedora
diff --git a/sources b/sources
new file mode 100644
index 0000000..bc53382
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA1 (opendnssec-2.1.7.tar.gz) = 0277e4f54098bea74809e3d8e6cad1a435570349
diff --git a/tmpfiles-opendnssec.conf b/tmpfiles-opendnssec.conf
new file mode 100644
index 0000000..56795e1
--- /dev/null
+++ b/tmpfiles-opendnssec.conf
@@ -0,0 +1 @@
+D /run/opendnssec 0755 ods ods -