diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4213bcd --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/opendnssec-1.4.7.tar.gz diff --git a/.opendnssec.metadata b/.opendnssec.metadata new file mode 100644 index 0000000..4bcb647 --- /dev/null +++ b/.opendnssec.metadata @@ -0,0 +1 @@ +c8a5808d68a50db8ed7edf806a58f54428ad7aa8 SOURCES/opendnssec-1.4.7.tar.gz diff --git a/SOURCES/0001-use-system-trang.patch b/SOURCES/0001-use-system-trang.patch new file mode 100644 index 0000000..127c16f --- /dev/null +++ b/SOURCES/0001-use-system-trang.patch @@ -0,0 +1,24 @@ +diff -r -u3 opendnssec-1.4.6/conf/Makefile.am opendnssec-1.4.6.trang/conf/Makefile.am +--- opendnssec-1.4.6/conf/Makefile.am 2014-07-21 11:30:06.000000000 +0200 ++++ opendnssec-1.4.6.trang/conf/Makefile.am 2014-09-22 22:48:32.000000000 +0200 +@@ -29,7 +29,7 @@ + .rnc.rng: + @test -x "${JAVA}" || \ + (echo "java is required for converting RelaxNG Compact to RelaxNG"; false) +- ${JAVA} -jar ${TRANG} $< $@ ++ trang $< $@ + + regress: $(RNG) + @test -x "${XMLLINT}" || \ +diff -r -u3 opendnssec-1.4.6/conf/Makefile.in opendnssec-1.4.6.trang/conf/Makefile.in +--- opendnssec-1.4.6/conf/Makefile.in 2014-07-21 11:32:01.000000000 +0200 ++++ opendnssec-1.4.6.trang/conf/Makefile.in 2014-09-22 22:48:55.000000000 +0200 +@@ -551,7 +617,7 @@ + .rnc.rng: + @test -x "${JAVA}" || \ + (echo "java is required for converting RelaxNG Compact to RelaxNG"; false) +- ${JAVA} -jar ${TRANG} $< $@ ++ trang $< $@ + + regress: $(RNG) + @test -x "${XMLLINT}" || \ diff --git a/SOURCES/0002-get-started.patch b/SOURCES/0002-get-started.patch new file mode 100644 index 0000000..caed0f1 --- /dev/null +++ b/SOURCES/0002-get-started.patch 
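Review bot: The rule still guards on `@test -x "${JAVA}"` although `${JAVA}` is no longer used once the command line becomes `trang $< $@`; on a builder where configure leaves JAVA empty the guard fails on an empty path and aborts with a misleading "java is required" message, while a missing `trang` binary is not checked at all. Replace the guard with the tool actually invoked: `@command -v trang >/dev/null || (echo "trang is required for converting RelaxNG Compact to RelaxNG"; false)`, in both conf/Makefile.am and the pre-generated conf/Makefile.in. The Makefile.in hunk header `@@ -551,7 +617,7 @@` has mismatched old/new offsets for a one-line substitution, which suggests it was hand-edited; `patch` will cope via context, but regenerating the hunk avoids a fuzz-dependent apply.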
@@ -0,0 +1,26 @@ +diff -rNu3 opendnssec-1.4.6/GETSTARTED opendnssec-1.4.6.new/GETSTARTED +--- opendnssec-1.4.6/GETSTARTED 1970-01-01 01:00:00.000000000 +0100 ++++ opendnssec-1.4.6.new/GETSTARTED 2014-09-23 08:20:07.000000000 +0200 +@@ -0,0 +1,22 @@ ++For detailed instructions please see ++https://wiki.opendnssec.org/display/DOCS/Getting+Started ++ ++Quick start: ++1. Get HSM module with PKCS#11 interface. You can use SoftHSM package. ++ ++2. Configure SoftHSM v2: ++2.1. Check /etc/softhsm2.conf and optionally change paths if necessary ++2.2. Make up your own PIN and SO PIN! ++2.3. Initialize SoftHSM token: ++$ softhsm2-util --init-token --slot 0 --label "OpenDNSSEC" \ ++ --pin 5678 --so-pin 9012 ++2.4. Allow OpenDNSSEC user to access SoftHSM data: ++ $ chown -R ods: <path from /etc/softhsm2.conf> ++ ++3. Configure OpenDNSSEC: ++3.1. Write token PIN to /etc/opendnssec/conf.xml ++3.2. Review and modify Key and Signing Policy in /etc/opendnssec/kasp.xml ++3.3. Initialize OpenDNSSEC database: ++ $ ods-ksmutil setup ++ ++4. Use OpenDNSSEC - see man ods-ksmutil diff --git a/SOURCES/conf.xml b/SOURCES/conf.xml new file mode 100644 index 0000000..2a3a92e --- /dev/null +++ b/SOURCES/conf.xml 
@@ -0,0 +1,84 @@ +<?xml version="1.0" encoding="UTF-8"?> + +<Configuration> + + <RepositoryList> + + <Repository name="SoftHSM"> + <Module>/usr/lib64/pkcs11/libsofthsm2.so</Module> + <TokenLabel>OpenDNSSEC</TokenLabel> + <PIN>1234</PIN> +<!-- + # Disabled so it stores the public key in the HSM too, + # so bind's dnssec-signzone can be used as well + <SkipPublicKey/> +--> + </Repository> + +<!-- + <Repository name="sca6000"> + <Module>/usr/lib64/opencryptoki/PKCS11_API.so</Module> + <TokenLabel>Sun Metaslot</TokenLabel> + <PIN>test:1234</PIN> + <Capacity>255</Capacity> + <RequireBackup/> + <SkipPublicKey/> + </Repository> +--> + + </RepositoryList> + + <Common> + <Logging> + <Syslog><Facility>local0</Facility></Syslog> + </Logging> + + <PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile> + <ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile> + + <!-- + <ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile> + --> + </Common> + + <Enforcer> + <Privileges> + <User>ods</User> + <Group>ods</Group> + </Privileges> + + <Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore> + <Interval>PT3600S</Interval> + <!-- <ManualKeyGeneration/> --> + <!-- <RolloverNotification>P14D</RolloverNotification> --> + + <!-- the <DelegationSignerSubmitCommand> will get all current + DNSKEYs (as a RRset) on standard input + --> + <!-- <DelegationSignerSubmitCommand>/usr/sbin/eppclient</DelegationSignerSubmitCommand> --> + </Enforcer> + + <Signer> + <Privileges> + <User>ods</User> + <Group>ods</Group> + </Privileges> + + <WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory> + <WorkerThreads>4</WorkerThreads> +<!-- + <SignerThreads>4</SignerThreads> +--> + + <!-- the <NotifyCommmand> will expand the following variables: + + %zone the name of the zone that was signed + %zonefile the filename of the signed zone + <NotifyCommand>sudo systemctl reload nsd.service</NotifyCommand> + --> +<!-- + <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand> +--> + </Signer> + 
+</Configuration>
diff --git a/SOURCES/ods-enforcerd.service b/SOURCES/ods-enforcerd.service
new file mode 100644
index 0000000..b660d86
--- /dev/null
+++ b/SOURCES/ods-enforcerd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenDNSSEC Enforcer daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/opendnssec/enforcerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/ods-signerd.service b/SOURCES/ods-signerd.service
new file mode 100644
index 0000000..a7b7034
--- /dev/null
+++ b/SOURCES/ods-signerd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=OpenDNSSEC signer daemon
+After=syslog.target network.target ods-enforcerd
+
+[Service]
+Type=simple
+PIDFile=/var/run/opendnssec/signerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/ods.sysconfig b/SOURCES/ods.sysconfig
new file mode 100644
index 0000000..1cf67f2
--- /dev/null
+++ b/SOURCES/ods.sysconfig
@@ -0,0 +1,2 @@
+ODS_SIGNERD_OPT=""
+ODS_ENFORCERD_OPT=""
diff --git a/SOURCES/opendnssec-1.4.7-1204100-extract.patch b/SOURCES/opendnssec-1.4.7-1204100-extract.patch
new file mode 100644
index 0000000..dddc030
--- /dev/null
+++ b/SOURCES/opendnssec-1.4.7-1204100-extract.patch
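Review bot: `<PIN>1234</PIN>` ships a well-known sample PIN in the installed /etc/opendnssec/conf.xml, and the package neither initialises a token nor checks that the value was changed, so a system that follows GETSTARTED but skips step 3.1 keeps running with the sample PIN and group-ods read access to this file is all that stands between an attacker and the signing keys. If I recall correctly the 1.4 schema makes `<PIN>` optional and `ods-hsmutil login` can supply it at runtime, so the safer default is to ship the element commented out with guidance, e.g. `<!-- <PIN>changeme</PIN>  use the PIN chosen when initialising the token, or omit it and run 'ods-hsmutil login' -->`, so a fresh install fails closed instead of signing with 1234. The commented `sudo systemctl reload nsd.service` example for `<NotifyCommand>` presumes a sudoers entry for the ods user that nothing in this package provides; the comment should say that explicitly.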
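Review bot: There is no `User=`/`Group=` line, so ods-enforcerd starts as root and the only thing that drops it to ods is the `<Privileges>` element of a conf.xml that the spec makes group-writable for ods — the privilege boundary lives in a file the unprivileged side can edit. If the daemon must start as root to do its own privdrop (it appears to parse conf.xml before dropping), at least add `PrivateTmp=true` and `ProtectHome=true`, and consider `ProtectSystem=full` with `ReadWriteDirectories=/etc/opendnssec /var/opendnssec` if the enforcer needs to rewrite zonelist.xml and signconf. `PIDFile=/var/run/opendnssec/enforcerd.pid` points into a directory the tmpfiles entry hands to ods (`0700 ods ods`), so the PID systemd trusts on stop is writable by the service user; older systemd releases (the RHEL 7 one, I believe) do not verify PID-file ownership, so a hijacked enforcer could make `systemctl stop` signal an unrelated process. `After=syslog.target` is a no-op compatibility target and can be dropped.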
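Review bot: `After=syslog.target network.target ods-enforcerd` names the enforcer without its `.service` suffix; as far as I know systemd requires a unit type suffix in dependency lists and discards the entry with an "Invalid argument" log line, so the intended start ordering after the enforcer is silently lost — `After=network.target ods-enforcerd.service`. `PIDFile=` is only meaningful with `Type=forking`; with `Type=simple` and `-d` keeping ods-signerd in the foreground it is at best ignored and should be removed so nobody relies on it. As with the enforcer unit there is no `User=` or sandboxing, so the signer starts as root and depends entirely on the conf.xml `<Privileges>` block; `PrivateTmp=true` and `ProtectHome=true` cost nothing here.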
@@ -0,0 +1,156 @@ +diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc +--- opendnssec-1.4.7-orig/conf/conf.rnc 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/conf/conf.rnc 2014-12-08 22:49:16.100212010 -0500 +@@ -50,7 +50,10 @@ + element RequireBackup { empty }?, + + # Do not maintain public keys in the repository (optional) +- element SkipPublicKey { empty }? ++ element SkipPublicKey { empty }?, ++ ++ # Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) ++ element AllowExtraction { empty }? + }* + }, + +diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng +--- opendnssec-1.4.7-orig/conf/conf.rng 2014-12-04 10:18:39.000000000 -0500 ++++ opendnssec-1.4.7/conf/conf.rng 2014-12-08 22:49:16.105212137 -0500 +@@ -71,6 +71,12 @@ + <empty/> + </element> + </optional> ++ <optional> ++ <!-- Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional) --> ++ <element name="AllowExtraction"> ++ <empty/> ++ </element> ++ </optional> + </element> + </zeroOrMore> + </element> +diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in +--- opendnssec-1.4.7-orig/conf/conf.xml.in 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/conf/conf.xml.in 2014-12-08 22:49:16.101212036 -0500 +@@ -9,6 +9,9 @@ + <TokenLabel>OpenDNSSEC</TokenLabel> + <PIN>1234</PIN> + <SkipPublicKey/> ++ <!-- ++ <AllowExtraction/> ++ --> + </Repository> + + <!-- +diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c opendnssec-1.4.7/libhsm/src/lib/libhsm.c +--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.c 2014-12-08 22:49:16.102212061 -0500 +@@ -504,6 +504,7 @@ + hsm_config_default(hsm_config_t *config) + { + config->use_pubkey = 1; ++ config->allow_extract = 0; + } + + /* creates a session_t structure, and automatically adds and initializes +@@ -2054,6 +2055,8 @@ + module_pin = (char *) xmlNodeGetContent(curNode); + if 
(xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey")) + module_config.use_pubkey = 0; ++ if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction")) ++ module_config.allow_extract = 1; + curNode = curNode->next; + } + +@@ -2341,10 +2344,12 @@ + CK_BBOOL ctrue = CK_TRUE; + CK_BBOOL cfalse = CK_FALSE; + CK_BBOOL ctoken = CK_TRUE; ++ CK_BBOOL cextractable = CK_FALSE; + + if (!ctx) ctx = _hsm_ctx; + session = hsm_find_repository_session(ctx, repository); + if (!session) return NULL; ++ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE; + + /* check whether this key doesn't happen to exist already */ + do { +@@ -2380,7 +2385,7 @@ + { CKA_SENSITIVE, &ctrue, sizeof (ctrue) }, + { CKA_TOKEN, &ctrue, sizeof (ctrue) }, + { CKA_PRIVATE, &ctrue, sizeof (ctrue) }, +- { CKA_EXTRACTABLE, &cfalse, sizeof (cfalse) } ++ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) } + }; + + rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session, +@@ -2420,6 +2425,7 @@ + CK_OBJECT_HANDLE domainPar, publicKey, privateKey; + CK_BBOOL ctrue = CK_TRUE; + CK_BBOOL cfalse = CK_FALSE; ++ CK_BBOOL cextractable = CK_FALSE; + + /* ids we create are 16 bytes of data */ + unsigned char id[16]; +@@ -2466,12 +2472,13 @@ + { CKA_SENSITIVE, &ctrue, sizeof(ctrue) }, + { CKA_TOKEN, &ctrue, sizeof(ctrue) }, + { CKA_PRIVATE, &ctrue, sizeof(ctrue) }, +- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) } ++ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) } + }; + + if (!ctx) ctx = _hsm_ctx; + session = hsm_find_repository_session(ctx, repository); + if (!session) return NULL; ++ cextractable = session->module->config->allow_extract ? 
CK_TRUE : CK_FALSE; + + /* check whether this key doesn't happen to exist already */ + +@@ -2533,6 +2540,7 @@ + CK_OBJECT_HANDLE publicKey, privateKey; + CK_BBOOL ctrue = CK_TRUE; + CK_BBOOL cfalse = CK_FALSE; ++ CK_BBOOL cextractable = CK_FALSE; + + /* ids we create are 16 bytes of data */ + unsigned char id[16]; +@@ -2569,12 +2577,13 @@ + { CKA_SENSITIVE, &ctrue, sizeof(ctrue) }, + { CKA_TOKEN, &ctrue, sizeof(ctrue) }, + { CKA_PRIVATE, &ctrue, sizeof(ctrue) }, +- { CKA_EXTRACTABLE, &cfalse, sizeof(cfalse) } ++ { CKA_EXTRACTABLE, &cextractable, sizeof (cextractable) } + }; + + if (!ctx) ctx = _hsm_ctx; + session = hsm_find_repository_session(ctx, repository); + if (!session) return NULL; ++ cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE; + + /* check whether this key doesn't happen to exist already */ + +diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h opendnssec-1.4.7/libhsm/src/lib/libhsm.h +--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/libhsm/src/lib/libhsm.h 2014-12-08 22:49:16.102212061 -0500 +@@ -75,6 +75,7 @@ + /*! HSM configuration */ + typedef struct { + unsigned int use_pubkey; /*!< Maintain public keys in HSM */ ++ unsigned int allow_extract; /*!< Generate CKA_EXTRACTABLE private keys */ + } hsm_config_t; + + /*! Data type to describe an HSM */ +diff -Naur opendnssec-1.4.7-orig/NEWS opendnssec-1.4.7/NEWS +--- opendnssec-1.4.7-orig/NEWS 2014-12-04 10:17:40.000000000 -0500 ++++ opendnssec-1.4.7/NEWS 2014-12-08 22:50:00.560342544 -0500 +@@ -1,3 +1,9 @@ ++ ++ ++* Enforcer: New repository option <AllowExtraction/> allows to generate keys ++ with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped ++ and extracted from HSM. ++ + OpenDNSSEC 1.4.7 - 2014-12-04 + + Bugfixes: diff --git a/SOURCES/opendnssec.cron b/SOURCES/opendnssec.cron new file mode 100644 index 0000000..776de9b --- /dev/null +++ b/SOURCES/opendnssec.cron 
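Review bot: `<AllowExtraction/>` flips `CKA_EXTRACTABLE` to TRUE for every private key the repository generates — KSK and ZSK alike — and nothing logs that it is on, so a token that was meant to hold non-exportable keys silently stops doing so; `CKA_SENSITIVE` stays TRUE, so the key cannot be read in clear, but anyone holding the user PIN (shipped as `1234` in conf.xml) can `C_WrapKey` it out, which with SoftHSM makes the PIN the whole protection. I would emit a warning in the config loop where `module_config.allow_extract = 1` is set, and document the consequence next to the new element in conf.rnc/conf.xml.in: `# WARNING: private keys can then be wrapped out of the token by anyone holding the PIN; enable only for key backup or migration`. If I read conf.rnc right the Repository children form an ordered sequence, so `<AllowExtraction/>` must follow `<SkipPublicKey/>` to validate — worth stating in the NEWS entry. In the two later key generators (hunks at 2425 and 2540) the attribute template captures `&cextractable` before the value is assigned after `hsm_find_repository_session`; that is correct because the template stores a pointer, but a comment such as `/* value set below once the session is known; the template holds the address */` would stop the next reader "fixing" it. All three generator functions begin and end outside these hunks.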
@@ -0,0 +1,4 @@
+# Ensure multiple ods-enforcerd's on different system roll at the same time
+# independant of when the daemon was started. Since TLDs often update their
+# zone "on the hour" we do the key rollover checks just before the hour.
+50,20 * * * * root test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null
diff --git a/SOURCES/tmpfiles-opendnssec.conf b/SOURCES/tmpfiles-opendnssec.conf
new file mode 100644
index 0000000..aa50e89
--- /dev/null
+++ b/SOURCES/tmpfiles-opendnssec.conf
@@ -0,0 +1 @@
+D /var/run/opendnssec 0700 ods ods -
diff --git a/SPECS/opendnssec.spec b/SPECS/opendnssec.spec
new file mode 100644
index 0000000..d691cb1
--- /dev/null
+++ b/SPECS/opendnssec.spec
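Review bot: The job runs as root and signals whatever PID sits in `/var/run/opendnssec/enforcerd.pid`, a file in a directory the tmpfiles entry gives to the unprivileged ods user (`0700 ods ods`); a compromised enforcer, or anyone able to write there, can therefore have root SIGHUP an arbitrary process. The SysV guard `test -f /var/lock/subsys/ods-enforcerd` also never becomes true on this systemd-only package — nothing in this diff creates that file — so as written the job is dead code. Both problems go away by asking systemd instead of trusting the pidfile: `50,20 * * * * root systemctl kill --kill-who=main -s HUP ods-enforcerd.service >/dev/null 2>&1`, which signals only the unit's own main process and is a no-op when the unit is not running.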
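Review bot: `D /var/run/opendnssec 0700 ods ods -` disagrees with the spec, which packages the same directory as `%attr(0770,root,ods)`; after the first boot ownership flips to ods:ods and the mode to 0700, so `rpm -V` will flag it and the root-run cron job only reads the pidfile because root bypasses the mode. Settle on one owner and mode in both places — `d /var/run/opendnssec 0750 ods ods -` here and the matching `%attr(0750,ods,ods) %dir` in `%files` — since the daemons drop to ods and are the directory's only writers.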
@@ -0,0 +1,152 @@
+#global prever rcX
+%global _hardened_build 1
+
+Summary: DNSSEC key and zone management software
+Name: opendnssec
+Version: 1.4.7
+Release: 4%{?prever}%{?dist}
+License: BSD
+Url: http://www.opendnssec.org/
+Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
+Source1: ods-enforcerd.service
+Source2: ods-signerd.service
+Source3: ods.sysconfig
+Source4: conf.xml
+Source5: tmpfiles-opendnssec.conf
+Source6: opendnssec.cron
+
+Patch0: opendnssec-1.4.7-1204100-extract.patch
+Patch1: 0001-use-system-trang.patch
+Patch2: 0002-get-started.patch
+
+Group: Applications/System
+Requires: opencryptoki, softhsm >= 2.0.0b1-2, systemd-units
+BuildRequires: libxml2, libxslt
+Requires: libxml2, libxslt
+BuildRequires: ldns-devel >= 1.6.12, sqlite-devel , openssl-devel
+BuildRequires: libxml2-devel, doxygen, trang
+# It tests for pkill/killall and would use /bin/false if not found
+BuildRequires: procps-ng
+BuildRequires: systemd-units
+BuildRequires: sed
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+%if 0%{?prever:1}
+#For building snapshots
+Buildrequires: autoconf, automake, libtool, java
+%endif
+
+%description
+OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
+It secures zone data just before it is published in an authoritative
+name server. It requires a PKCS#11 crypto module library, such as softhsm.
+
+This package is only supported for use with IdM.
+
+%prep
+%setup -q -n %{name}-%{version}%{?prever}
+# bump default policy ZSK keysize to 2048
+sed -i "s/1024/2048/" conf/kasp.xml.in
+%patch0 -p1 -b .p0.allow_extraction
+%patch1 -p1 -b .p0.system_trang
+%patch2 -p1
+# fix platform-specific paths in conf.xml
+sed -i 's:<Module>/usr/lib64:<Module>%{_libdir}:' %{SOURCE4}
+
+%build
+export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
+export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
+export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+%configure --with-ldns=%{_libdir} --without-cunit
+make %{?_smp_mflags}
+
+%check
+# Requires sample db not shipped with upstream
+# It also requires CUnit-devel package which is not in RHEL
+# make check
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} install
+mkdir -p %{buildroot}/var/opendnssec/{tmp,signed,signconf}
+install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
+install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
+rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
+install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig
+install -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
+install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
+
+%files
+%{_unitdir}/ods-enforcerd.service
+%{_unitdir}/ods-signerd.service
+%config(noreplace) %{_tmpfilesdir}/opendnssec.conf
+%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
+%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
+%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
+%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
+%doc NEWS README.md LICENSE GETSTARTED
+%{_mandir}/*/*
+%{_sbindir}/*
+%{_bindir}/*
+%attr(0770,root,ods) %dir %{_datadir}/%{name}
+%{_datadir}/%{name}/*
+
+%pre
+getent group ods >/dev/null || groupadd -r ods
+getent passwd ods >/dev/null || \
+useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
+-c "opendnssec daemon account" ods
+exit 0
+
+%post
+# in case we update any xml conf file
+ods-ksmutil update all >/dev/null 2>/dev/null ||:
+%systemd_post ods-enforcerd.service
+%systemd_post ods-signerd.service
+
+
+%preun
+%systemd_preun ods-enforcerd.service
+%systemd_preun ods-signerd.service
+
+%postun
+%systemd_postun_with_restart ods-enforcerd.service
+%systemd_postun_with_restart ods-signerd.service
+
+%changelog
+* Tue Apr 11 2017 Paul Wouters <pwouters@redhat.com> - 1.4.7-4
+- Resolves: rhbz#1258740 Opendnssec is installing files under /etc/tmpfiles.d
+
+* Thu Sep 10 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-3
+- Resolves: rhbz#1261530 /etc/opendnssec is not writeable by ods user
+
+* Thu Jun 11 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-2
+- Resolves: rhbz#1230287 ods-signerd.service Unknown lvalue 'After'
+
+* Tue Mar 31 2015 Paul Wouters <pwouters@redhat.com> - 1.4.7-1
+- Resolves: rhbz#1204100 Rebase to opendnssec 1.4.7+
+
+* Tue Sep 30 2014 Petr Spacek <pspacek@redhat.com> - 1.4.6-3
+- Updated spec to build platform-indepent conf.xml
+
+* Tue Sep 30 2014 Paul Wouters <pwouters@redhat.com> - 1.4.6-2
+- Changed conf.xml to reference softhsm at /usr/lib64/pkcs11/libsofthsm2.so
+- Updated Requires: to softhsm >= 2.0.0b1-2
+
+* Mon Sep 22 2014 Petr Spacek <pspacek redhat com> - 1.4.6-1
+- Imported version 1.4.6
+- Added patch which adds configuration option <AllowExtraction/>
+
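Review bot: `%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec` together with `%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml` lets any member of group ods replace conf.xml, which both units read as root (neither carries `User=`) and which decides `<Privileges>`, the PKCS#11 `<Module>` path and the `DelegationSignerSubmitCommand`/`NotifyCommand` the daemons execute — so a compromise of the ods account is a short step from root. Only zonelist.xml appears to need writing by the ods side, so I would keep the directory at 0750 and list the files individually: `%attr(0640,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/conf.xml`, the same for kasp.xml, and `%attr(0660,root,ods)` only for zonelist.xml. If ods-ksmutil replaces zonelist.xml by rename rather than rewriting it in place it will still need directory write access, in which case moving zonelist.xml under /var/opendnssec is the cleaner split. Separately, `ods-ksmutil update all` in `%post` runs as root on every upgrade and silently imports a possibly changed kasp.xml into the live KASP database, and the `sed -i "s/1024/2048/" conf/kasp.xml.in` in `%prep` rewrites every 1024 in the template, not just the ZSK length — both deserve a comment or a tighter pattern such as `s:<Length>1024</Length>:<Length>2048</Length>:`.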