diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..783b970
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/opendnssec-2.1.7.tar.gz
diff --git a/.opendnssec.metadata b/.opendnssec.metadata
new file mode 100644
index 0000000..584ac8f
--- /dev/null
+++ b/.opendnssec.metadata
@@ -0,0 +1 @@
+0277e4f54098bea74809e3d8e6cad1a435570349 SOURCES/opendnssec-2.1.7.tar.gz
diff --git a/SOURCES/conf.xml b/SOURCES/conf.xml
new file mode 100644
index 0000000..8b42a62
--- /dev/null
+++ b/SOURCES/conf.xml
@@ -0,0 +1,87 @@
+
+
+
+
+
+
+
+ /usr/lib64/softhsm/libsofthsm.so
+ OpenDNSSEC
+ 1234
+
+
+
+
+
+
+
+
+
+ local0
+
+
+ /etc/opendnssec/kasp.xml
+ /etc/opendnssec/zonelist.xml
+
+
+
+
+
+
+ ods
+ ods
+
+
+ /var/opendnssec/kasp.db
+
+
+
+
+
+
+
+
+
+ ods
+ ods
+
+
+ /var/opendnssec/tmp
+ 4
+
+
+
+
+
+
+
+
+
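Review bot: The `1234` value that follows the `OpenDNSSEC` token label in the Repository block reads as the HSM PIN, so every installation that ships this conf.xml shares one fixed PIN unless the spec's %post (outside this view) re-initialises the token with a different one; the XML markup was stripped in this rendering, so that reading is inferred from position. OpenDNSSEC accepts a conf.xml without a PIN element and takes the PIN interactively via `ods-hsmutil login`, which keeps the secret out of the packaged file; at minimum the installed copy should not be world-readable, e.g. `%attr(0640,root,ods) %config(noreplace)` in %files. The module path `/usr/lib64/softhsm/libsofthsm.so` is the SoftHSM v1 library name while the spec requires `softhsm >= 2.5.0`, whose PKCS#11 module is `libsofthsm2.so`; worth confirming that %install rewrites this path, otherwise the repository cannot be opened.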
diff --git a/SOURCES/ods-enforcerd.service b/SOURCES/ods-enforcerd.service
new file mode 100644
index 0000000..6a629c2
--- /dev/null
+++ b/SOURCES/ods-enforcerd.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenDNSSEC Enforcer daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/enforcerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
+ExecStartPost=/bin/bash -c 'while [ ! -S /run/opendnssec/enforcer.sock ]; do sleep 1; echo "Waiting for socket"; done'
+TimeoutStartSec=20
+
+[Install]
+WantedBy=multi-user.target
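Review bot: The [Service] section drops to `User=ods` but applies no sandboxing, so a compromised enforcer keeps a writable view of the whole filesystem; `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` would fit here, since the paths the unit and conf.xml use (/run/opendnssec, /var/opendnssec) stay writable under that setting. `After=syslog.target` is obsolete on current systemd and can be dropped. The `ExecStartPost` loop echoes "Waiting for socket" once a second until `TimeoutStartSec=20` expires; it is bounded, but the echo only adds journal noise and could be removed.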
diff --git a/SOURCES/ods-signerd.service b/SOURCES/ods-signerd.service
new file mode 100644
index 0000000..c2218a8
--- /dev/null
+++ b/SOURCES/ods-signerd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenDNSSEC signer daemon
+After=syslog.target network.target ods-enforcerd
+
+[Service]
+Type=simple
+User=ods
+Group=ods
+PIDFile=/run/opendnssec/signerd.pid
+EnvironmentFile=-/etc/sysconfig/ods
+ExecStart=/usr/sbin/ods-signerd -d $ODS_SIGNERD_OPT
+
+[Install]
+WantedBy=multi-user.target
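Review bot: `After=syslog.target network.target ods-enforcerd` names the enforcer without its `.service` suffix; systemd rejects unit names that lack a type suffix and drops the dependency with a warning, so the signer is not actually ordered after the enforcer — change the line to `After=network.target ods-enforcerd.service`. `PIDFile=` is only consulted for `Type=forking`; with `Type=simple` (and `-d`, which presumably keeps the signer in the foreground) the line is dead configuration and can go. `NoNewPrivileges=yes` and `PrivateTmp=yes` are safe additions for a daemon running as `ods`; `ProtectSystem=full` too, provided the signed-zone output paths in zonelist.xml live outside /usr and /etc.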
diff --git a/SOURCES/ods.sysconfig b/SOURCES/ods.sysconfig
new file mode 100644
index 0000000..1cf67f2
--- /dev/null
+++ b/SOURCES/ods.sysconfig
@@ -0,0 +1,2 @@
+ODS_SIGNERD_OPT=""
+ODS_ENFORCERD_OPT=""
diff --git a/SOURCES/opendnssec-2.1.sqlite_convert.sql b/SOURCES/opendnssec-2.1.sqlite_convert.sql
new file mode 100644
index 0000000..aed4d8f
--- /dev/null
+++ b/SOURCES/opendnssec-2.1.sqlite_convert.sql
@@ -0,0 +1,842 @@
+INSERT INTO databaseVersion VALUES (NULL, 1, 1);
+
+-- ~ ************
+-- ~ ** policy table
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO policy
+SELECT id, 1, name, description,
+0, 0, 0,
+0, 0, 0, 0,
+86400, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0, 0, 0,
+0
+FROM REMOTE.policies;
+
+UPDATE policy
+SET signaturesResign = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 1
+ AND REMOTE.parameters.name = 'resign');
+
+UPDATE policy
+SET signaturesRefresh = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 1
+ AND REMOTE.parameters.name = 'refresh') ;
+
+UPDATE policy
+SET signaturesJitter = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 1
+ AND REMOTE.parameters.name = 'jitter');
+
+UPDATE policy
+SET signaturesInceptionOffset = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 1
+ AND REMOTE.parameters.name = 'clockskew');
+
+UPDATE policy
+SET signaturesValidityDefault = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 1
+ AND REMOTE.parameters.name = 'valdefault');
+
+UPDATE policy
+SET signaturesValidityDenial = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 1
+ AND REMOTE.parameters.name = 'valdenial');
+
+--MaxZoneTTL default 86400
+
+-- We need the following mapping 1.4 -> 2.0 for denialType
+-- 0 -> 1
+-- 3 -> 0
+
+UPDATE policy
+SET denialType = (
+ SELECT (~value)&1
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'version');
+
+-- I'm pretty sure this is not the correct way to do it. It is aweful but
+-- I can't figure it out how it would work for sqlite.
+UPDATE policy
+SET denialOptout = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'optout')
+WHERE null != (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'optout');
+
+UPDATE policy
+SET denialTtl = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'ttl')
+WHERE null != (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET denialResalt = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'resalt')
+WHERE null != (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'resalt');
+
+UPDATE policy
+SET denialAlgorithm = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'algorithm')
+WHERE null != (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'algorithm');
+
+UPDATE policy
+SET denialIterations = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'iterations')
+WHERE null != (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'iterations');
+
+UPDATE policy
+SET denialSaltLength = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'saltlength')
+WHERE null != (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 2
+ AND REMOTE.parameters.name = 'saltlength');
+
+-- clumsy salt update. salt is optional in 1.4 but required in 2.0
+-- sqlite is limited in what it can do in an update. I hope there is a
+-- better way for this?
+
+UPDATE policy
+SET denialSalt = (
+ SELECT salt
+ FROM REMOTE.policies
+ WHERE REMOTE.policies.id = policy.id)
+WHERE (
+ SELECT salt
+ FROM REMOTE.policies
+ WHERE REMOTE.policies.id = policy.id) != null;
+
+UPDATE policy
+SET denialSaltLastChange = (
+ SELECT salt_stamp
+ FROM REMOTE.policies
+ WHERE REMOTE.policies.id = policy.id)
+WHERE (
+ SELECT salt_stamp
+ FROM REMOTE.policies
+ WHERE REMOTE.policies.id = policy.id) != null;
+
+UPDATE policy
+SET keysTtl = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 5
+ AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET keysRetireSafety = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 5
+ AND REMOTE.parameters.name = 'retiresafety');
+
+UPDATE policy
+SET keysPublishSafety = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 5
+ AND REMOTE.parameters.name = 'publishsafety');
+
+UPDATE policy
+SET keysShared = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 5
+ AND REMOTE.parameters.name = 'zones_share_keys');
+
+UPDATE policy
+SET keysPurgeAfter = COALESCE((
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 5
+ AND REMOTE.parameters.name = 'purge'), 0);
+
+UPDATE policy
+SET zonePropagationDelay = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 7
+ AND REMOTE.parameters.name = 'propagationdelay');
+
+UPDATE policy
+SET zoneSoaTtl = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 7
+ AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET zoneSoaMinimum = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 7
+ AND REMOTE.parameters.name = 'min');
+
+-- Temporary mapping table between 1.4 and 2.0 SOA serial strategy
+CREATE TABLE mapping (
+ soa14 INTEGER,
+ soa20 INTEGER
+);
+INSERT INTO mapping SELECT 1, 2;
+INSERT INTO mapping SELECT 2, 0;
+INSERT INTO mapping SELECT 3, 1;
+INSERT INTO mapping SELECT 4, 3;
+
+UPDATE policy
+SET zoneSoaSerial = (
+ SELECT mapping.soa20
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ INNER JOIN mapping
+ ON REMOTE.parameters_policies.value = mapping.soa14
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 7
+ AND REMOTE.parameters.name = 'serial');
+
+DROP TABLE mapping;
+
+-- parentRegistrationDelay = 0 on 1.4
+
+UPDATE policy
+SET parentPropagationDelay = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 8
+ AND REMOTE.parameters.name = 'propagationdelay');
+
+UPDATE policy
+SET parentDsTtl = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 8
+ AND REMOTE.parameters.name = 'ttlds');
+
+UPDATE policy
+SET parentSoaTtl = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 8
+ AND REMOTE.parameters.name = 'ttl');
+
+UPDATE policy
+SET parentSoaMinimum = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policy.id
+ AND REMOTE.parameters.category_id = 8
+ AND REMOTE.parameters.name = 'min');
+
+-- passthrough = 0
+
+-- ~ ************
+-- ~ ** policyKey table
+-- ~ **
+-- ~ ** For each policy in 1.4 add two keys: KSK and ZSK
+-- ~ **
+-- ~ **
+-- ~ ************
+
+-- Insert each KSK
+INSERT INTO policyKey
+SELECT null, 1, id,
+ 1, 0, 0,
+ 0, 0, 0,
+ 0, 0, 4
+FROM REMOTE.policies;
+
+-- Insert each ZSK
+INSERT INTO policyKey
+SELECT null, 1, id,
+ 2, 0, 0,
+ 0, 0, 0,
+ 0, 0, 1
+FROM REMOTE.policies;
+
+UPDATE policyKey
+SET algorithm = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 3
+ AND REMOTE.parameters.name = 'algorithm')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET algorithm = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 4
+ AND REMOTE.parameters.name = 'algorithm')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET bits = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 3
+ AND REMOTE.parameters.name = 'bits')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET bits = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 4
+ AND REMOTE.parameters.name = 'bits')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET lifetime = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 3
+ AND REMOTE.parameters.name = 'lifetime')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET lifetime = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 4
+ AND REMOTE.parameters.name = 'lifetime')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET repository = (
+ SELECT REMOTE.securitymodules.name
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ INNER JOIN REMOTE.securitymodules
+ ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 3
+ AND REMOTE.parameters.name = 'repository')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET repository = (
+ SELECT REMOTE.securitymodules.name
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ INNER JOIN REMOTE.securitymodules
+ ON REMOTE.parameters_policies.value = REMOTE.securitymodules.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 4
+ AND REMOTE.parameters.name = 'repository')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET standby = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 3
+ AND REMOTE.parameters.name = 'standby')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET standby = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 4
+ AND REMOTE.parameters.name = 'standby')
+WHERE policyKey.role = 2;
+
+UPDATE policyKey
+SET manualRollover = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 3
+ AND REMOTE.parameters.name = 'manual_rollover')
+WHERE policyKey.role = 1;
+
+UPDATE policyKey
+SET manualRollover = (
+ SELECT value
+ FROM REMOTE.parameters_policies
+ INNER JOIN REMOTE.parameters
+ ON REMOTE.parameters_policies.parameter_id = REMOTE.parameters.id
+ WHERE REMOTE.parameters_policies.policy_id = policyKey.policyId
+ AND REMOTE.parameters.category_id = 4
+ AND REMOTE.parameters.name = 'manual_rollover')
+WHERE policyKey.role = 2;
+
+-- rfc5011 = 0. 2.0 has no support
+-- minimize already set
+
+-- ~ ************
+-- ~ ** hsmKey table
+-- ~ **
+-- ~ ** get from keypairs and dnsseckeys
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO hsmKey
+SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
+REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
+REMOTE.keypairs.algorithm, (~(REMOTE.dnsseckeys.keytype)&1)+1,
+CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
+ strftime('%s', REMOTE.keypairs.generate)
+ ELSE strftime("%s", "now") END,
+0,
+1, --only RSA supported
+ REMOTE.securitymodules.name,
+0 --assume no backup
+FROM REMOTE.keypairs
+JOIN REMOTE.dnsseckeys
+ ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
+JOIN REMOTE.securitymodules
+ ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
+
+-- For some policies put the keys in a shared state
+UPDATE hsmKey
+SET state = 3
+WHERE EXISTS
+ (SELECT * FROM hsmKey AS h
+ JOIN policy ON policy.id = h.policyId
+ WHERE policy.keysShared AND hsmKey.id = h.id);
+
+-- ~ ************
+-- ~ ** zone table
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ ************
+
+INSERT INTO zone
+SELECT zones.id, 1, zones.policy_id,
+ zones.name, 1, zones.signconf, 0,
+ 0,0,0,
+ 0,0,0,
+ zones.in_type, zones.input,
+ zones.out_type, zones.output,
+ 0,0,0
+ FROM REMOTE.zones;
+
+-- ~ ************
+-- ~ ** keyData table
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ ************
+
+-- Temporary mapping table between 1.4 states and 2.0 ds_at_parent states
+-- We are ignoring the fact this may set a DS state for a ZSK; We don't care
+CREATE TABLE mapping (
+ state INTEGER,
+ ds_state INTEGER
+);
+INSERT INTO mapping SELECT 1, 0;
+INSERT INTO mapping SELECT 2, 0;
+INSERT INTO mapping SELECT 3, 1;
+INSERT INTO mapping SELECT 4, 3;
+INSERT INTO mapping SELECT 5, 5;
+INSERT INTO mapping SELECT 6, 5;
+INSERT INTO mapping SELECT 7, 5;
+INSERT INTO mapping SELECT 8, 5;
+INSERT INTO mapping SELECT 9, 5;
+INSERT INTO mapping SELECT 10, 5;
+
+INSERT INTO keyData
+SELECT
+ NULL, 1, REMOTE.dnsseckeys.zone_id,
+ REMOTE.dnsseckeys.keypair_id, REMOTE.keypairs.algorithm,
+ CASE WHEN REMOTE.dnsseckeys.publish IS NOT NULL THEN
+ strftime('%s', REMOTE.dnsseckeys.publish)
+ ELSE strftime("%s", "now") END,
+ (~REMOTE.dnsseckeys.keytype&1)+1,
+ REMOTE.dnsseckeys.state <= 4, -- introducing
+ 0, -- should revoke, not used
+ 0, -- standby
+ REMOTE.dnsseckeys.state = 4 AND REMOTE.dnsseckeys.keytype = 256, --activeZSK:
+ REMOTE.dnsseckeys.state >= 2 AND REMOTE.dnsseckeys.state <= 5, --publish
+ REMOTE.dnsseckeys.state = 4 AND REMOTE.dnsseckeys.keytype = 257, --activeKSK:
+ mapping.ds_state, --dsatparent
+ 1<<16, --keytag (crap, will 2.0 regenerate this?)
+ (REMOTE.dnsseckeys.keytype&1)*3+1 --minimize
+FROM REMOTE.dnsseckeys
+JOIN REMOTE.keypairs
+ ON REMOTE.dnsseckeys.keypair_id = REMOTE.keypairs.id
+JOIN mapping
+ ON REMOTE.dnsseckeys.state = mapping.state
+WHERE EXISTS(select REMOTE.zones.id FROM REMOTE.zones WHERE REMOTE.zones.id = REMOTE.dnsseckeys.zone_id);
+
+-- Everything that is just a ZSK must not have dsatparent set.
+UPDATE keyData
+SET dsatparent = 0
+WHERE role = 2;
+
+DROP TABLE mapping;
+
+-- If a active time is set for a ready KSK dsAtParent is submitted
+-- instead of submit
+UPDATE keyData
+SET dsatparent = 2
+WHERE keyData.dsAtParent = 1 AND keyData.id IN (
+ SELECT keyData.id
+ FROM keyData
+ JOIN REMOTE.dnsseckeys
+ ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+ WHERE REMOTE.dnsseckeys.active IS NOT NULL);
+
+
+-- ~ ************
+-- ~ ** Keystate table
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ **
+-- ~ ************
+
+CREATE TABLE mapping (
+ state INTEGER,
+ ds INTEGER,
+ dk INTEGER,
+ ks INTEGER,
+ rs INTEGER
+);
+INSERT INTO mapping SELECT 1, 0, 0, 0, 0;
+INSERT INTO mapping SELECT 2, 0, 1, 1, 1;
+INSERT INTO mapping SELECT 3, 0, 2, 2, 1;
+INSERT INTO mapping SELECT 4, 2, 2, 2, 1;
+INSERT INTO mapping SELECT 5, 3, 2, 2, 3;
+INSERT INTO mapping SELECT 6, 0, 3, 3, 0;
+INSERT INTO mapping SELECT 7, 3, 0, 0, 0;
+INSERT INTO mapping SELECT 8, 3, 0, 0, 0;
+INSERT INTO mapping SELECT 9, 3, 0, 0, 0;
+INSERT INTO mapping SELECT 10, 3, 0, 0, 0;
+
+-- DS RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 0, mapping.ds, strftime("%s", "now"), (keyData.minimize>>2)&1, policy.parentDsTtl
+FROM keyData
+JOIN zone
+ ON zone.id = keyData.zoneId
+JOIN policy
+ ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+ ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+ ON mapping.state = REMOTE.dnsseckeys.state;
+
+UPDATE keyState
+SET state = 1
+WHERE keyState.state = 0 AND keyState.type = 0 AND keyState.id IN (
+ SELECT keyState.id
+ FROM keyState
+ JOIN keyData
+ ON keyData.id = keyState.keydataId
+ JOIN REMOTE.dnsseckeys
+ ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+ WHERE REMOTE.dnsseckeys.active IS NOT NULL);
+
+-- DNSKEY RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 2, mapping.dk, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
+FROM keyData
+JOIN zone
+ ON zone.id = keyData.zoneId
+JOIN policy
+ ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+ ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+ ON mapping.state = REMOTE.dnsseckeys.state;
+
+-- RRSIG DNSKEY RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 3, mapping.ks, strftime("%s", "now"), (keyData.minimize>>1)&1, policy.keysTtl
+FROM keyData
+JOIN zone
+ ON zone.id = keyData.zoneId
+JOIN policy
+ ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+ ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+ ON mapping.state = REMOTE.dnsseckeys.state;
+
+-- RRSIG RECORDS
+INSERT INTO keyState
+SELECT NULL, 1, keyData.id, 1, mapping.rs, strftime("%s", "now"), (keyData.minimize>>0)&1, policy.signaturesMaxZoneTtl
+FROM keyData
+JOIN zone
+ ON zone.id = keyData.zoneId
+JOIN policy
+ ON policy.id = zone.policyId
+JOIN REMOTE.dnsseckeys
+ ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+JOIN mapping
+ ON mapping.state = REMOTE.dnsseckeys.state;
+
+--Set to OMN if Tactive + Dttl < Tnow
+UPDATE keyState
+SET state = 2
+WHERE keyState.state = 1 AND keyState.type = 1 AND keyState.id IN (
+ SELECT keyState.id
+ FROM keyState
+ JOIN keyData
+ ON keyData.id = keyState.keydataId
+ JOIN REMOTE.dnsseckeys
+ ON REMOTE.dnsseckeys.keypair_id = keyData.hsmkeyid
+ JOIN zone
+ ON keyData.zoneId = zone.id
+ JOIN policy
+ ON policy.id = zone.policyId
+ WHERE CAST(strftime("%s", REMOTE.dnsseckeys.active) + policy.signaturesValidityDefault as INTEGER) < strftime("%s", "now"));
+
+--Force the RRSIG state in omnipresent if rumoured and there is no old ZSK
+-- unretentive
+UPDATE keyState
+SET state = 2
+WHERE keyState.id IN (
+SELECT rs.id FROM keyState AS rs
+JOIN keystate AS dk ON dk.keyDataId == rs.keyDataId
+WHERE rs.type == 1 AND dk.type == 2 AND rs.state == 1 AND dk.state == 2
+AND NOT EXISTS(
+ SELECT* FROM keystate AS rs2
+ JOIN keystate AS dk2 ON dk2.keyDataId == rs2.keyDataId
+ WHERE rs2.type == 1 AND dk2.type == 2 AND rs2.state == 3 AND dk2.state == 2
+));
+
+DROP TABLE mapping;
+
+-- We need to create records in the keydependency table in case we are in a
+-- rollover. Only done for ZSK. For every introducing ZSK with RRSIG rumoured
+-- that has an outroducing ZSK with RRSIG unretentive, we add a record.
+INSERT INTO keyDependency
+SELECT NULL, 0, keyData.zoneID, SUB.IDout, keyData.id, 1
+FROM keyData
+JOIN keyState AS KS1
+ ON KS1.keyDataId == keyData.id
+JOIN keyState AS KS2
+ ON KS2.keyDataId == keyData.id
+JOIN (
+ SELECT keyData.id AS IDout, keyData.zoneID
+ FROM keyData
+ JOIN keyState AS KS1
+ ON KS1.keyDataId == keyData.id
+ JOIN keyState AS KS2
+ ON KS2.keyDataId == keyData.id
+ WHERE KS1.type == 2
+ AND ks1.state = 2
+ AND KS2.type == 1
+ AND KS2.state == 3
+ AND keyData.introducing == 0
+ AND keyData.role == 2
+) AS SUB
+ ON SUB.zoneId == keyData.zoneId
+WHERE
+ KS1.type == 2
+ AND ks1.state = 2
+ AND KS2.type == 1
+ AND KS2.state == 1
+ AND keyData.introducing == 1
+ AND keyData.role == 2;
+
+-- ZSK
+UPDATE keyState
+SET state = 4
+WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN (
+ SELECT keyData.id
+ FROM keyData
+ WHERE keyData.role = 2);
+
+--KSK
+UPDATE keyState
+SET state = 4
+WHERE keyState.type = 1 AND keyDataId IN (
+ SELECT keyData.id
+ FROM keyData
+ WHERE keyData.role = 1);
+
+-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
+CREATE TABLE rpm_migration (
+ major INTEGER,
+ minor INTEGER
+);
+INSERT INTO rpm_migration VALUES(2, 1);
+
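Review bot: The `WHERE null != (SELECT ...)` guards on the denialOptout, denialTtl, denialResalt, denialAlgorithm, denialIterations and denialSaltLength updates (first at `WHERE null != (` under `SET denialOptout`), and the `... != null;` guards on the denialSalt and denialSaltLastChange updates, can never be true: a comparison with NULL yields NULL, which WHERE treats as false, so none of these eight UPDATEs ever touches a row and the 1.4 NSEC3 settings are silently left at the zeros inserted by `INSERT INTO policy`. The test has to be spelled `IS NOT NULL` — for the salt updates `WHERE REMOTE.policies.id = policy.id) IS NOT NULL;`, and for the parameter updates put the subquery first: `WHERE (SELECT value ... AND REMOTE.parameters.name = 'optout') IS NOT NULL;`. The comment above the optout update already doubts the construct, which supports this reading. If this script is carried over from upstream's sqlite conversion utility, the fix belongs there as well. Separately, `strftime("%s", "now")` relies on SQLite's fallback of treating a double-quoted string as a literal, which is disabled in builds compiled with SQLITE_DQS=0; the single-quoted form `strftime('%s', ...)` used a few lines earlier is the safe one.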
diff --git a/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql b/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql
new file mode 100644
index 0000000..4107157
--- /dev/null
+++ b/SOURCES/opendnssec-2.1.sqlite_rpmversion.sql
@@ -0,0 +1,7 @@
+-- For rpm based systems to see if db was migrated already. store opendnssec major minor version
+CREATE TABLE rpm_migration (
+ major INTEGER,
+ minor INTEGER
+);
+INSERT INTO rpm_migration VALUES(2, 1);
+
diff --git a/SOURCES/opendnssec.cron b/SOURCES/opendnssec.cron
new file mode 100644
index 0000000..776de9b
--- /dev/null
+++ b/SOURCES/opendnssec.cron
@@ -0,0 +1,4 @@
+# Ensure multiple ods-enforcerd's on different system roll at the same time
+# independant of when the daemon was started. Since TLDs often update their
+# zone "on the hour" we do the key rollover checks just before the hour.
+50,20 * * * * root test -f /var/lock/subsys/ods-enforcerd && kill -s SIGHUP `cat /var/run/opendnssec/enforcerd.pid` > /dev/null 2> /dev/null
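Review bot: The job runs as root and sends SIGHUP to whatever PID it reads from `/var/run/opendnssec/enforcerd.pid`, a file written by the `ods` user (the unit runs as `User=ods` and tmpfiles hands /run/opendnssec to ods), so a compromised or misbehaving enforcer can make root signal an arbitrary process. It also gates on `/var/lock/subsys/ods-enforcerd`, which nothing in the systemd unit creates, so under systemd the line most likely never fires at all. Both problems go away with `50,20 * * * * root systemctl kill -s SIGHUP --kill-who=main ods-enforcerd.service`, which checks that the unit is active and targets only its own main process. Typo aside (`independant`), the comment should also say what SIGHUP triggers in the 2.1 enforcer, since that is the reason the job exists.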
diff --git a/SOURCES/tmpfiles-opendnssec.conf b/SOURCES/tmpfiles-opendnssec.conf
new file mode 100644
index 0000000..56795e1
--- /dev/null
+++ b/SOURCES/tmpfiles-opendnssec.conf
@@ -0,0 +1 @@
+D /run/opendnssec 0755 ods ods -
diff --git a/SPECS/opendnssec.spec b/SPECS/opendnssec.spec
new file mode 100644
index 0000000..88b2320
--- /dev/null
+++ b/SPECS/opendnssec.spec
@@ -0,0 +1,362 @@
+#global prever rcX
+%global _hardened_build 1
+
+Summary: DNSSEC key and zone management software
+Name: opendnssec
+Version: 2.1.7
+Release: 1%{?prever}%{?dist}
+License: BSD
+Url: http://www.opendnssec.org/
+Source0: http://www.opendnssec.org/files/source/%{?prever:testing/}%{name}-%{version}%{?prever}.tar.gz
+Source1: ods-enforcerd.service
+Source2: ods-signerd.service
+Source3: ods.sysconfig
+Source4: conf.xml
+Source5: tmpfiles-opendnssec.conf
+Source6: opendnssec.cron
+Source7: opendnssec-2.1.sqlite_convert.sql
+Source8: opendnssec-2.1.sqlite_rpmversion.sql
+
+Requires: opencryptoki, softhsm >= 2.5.0 , systemd-units
+Requires: libxml2, libxslt sqlite
+BuildRequires: gcc
+BuildRequires: ldns-devel >= 1.6.12, sqlite-devel >= 3.0.0, openssl-devel
+BuildRequires: libxml2-devel CUnit-devel, doxygen
+# It tests for pkill/killall and would use /bin/false if not found
+BuildRequires: procps-ng
+BuildRequires: perl-interpreter
+BuildRequires: libmicrohttpd-devel jansson-devel libyaml-devel
+
+BuildRequires: systemd-units
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+%if 0%{?prever:1}
+# For building development snapshots
+Buildrequires: autoconf, automake, libtool, java
+%endif
+
+%description
+OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
+It secures zone data just before it is published in an authoritative
+name server. It requires a PKCS#11 crypto module library, such as softhsm
+
+%prep
+%setup -q -n %{name}-%{version}%{?prever}
+# bump default policy ZSK keysize to 2048
+sed -i "s/1024/2048/" conf/kasp.xml.in
+
+%build
+#export LDFLAGS="-Wl,-z,relro,-z,now -pie -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"
+#export CFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wextra -Wformat -Wformat-nonliteral -Wformat-security"
+#export CXXFLAGS="$RPM_OPT_FLAGS -fPIE -pie -Wformat-nonliteral -Wformat-security"
+%if 0%{?prever:1}
+# for development snapshots
+sh ./autogen.sh
+%endif
+%configure --with-ldns=%{_libdir}
+make %{?_smp_mflags}
+
+%check
+# Requires sample db not shipped with upstream
+# make check
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} install
+mkdir -p %{buildroot}%{_localstatedir}/opendnssec/{tmp,signed,signconf,enforcer}
+install -d -m 0755 %{buildroot}%{_initrddir} %{buildroot}%{_sysconfdir}/cron.d/
+install -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/cron.d/opendnssec
+rm -f %{buildroot}/%{_sysconfdir}/opendnssec/*.sample
+install -d -m 0755 %{buildroot}/%{_sysconfdir}/sysconfig
+install -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/
+install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/ods
+install -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/opendnssec/
+mkdir -p %{buildroot}%{_tmpfilesdir}/
+install -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/opendnssec.conf
+mkdir -p %{buildroot}%{_localstatedir}/run/opendnssec
+mkdir -p %{buildroot}%{_datadir}/opendnssec/
+cp -a enforcer/utils %{buildroot}%{_datadir}/opendnssec/migration
+cp -a enforcer/src/db/schema.* %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/
+# fixup path for mysql/sqlite. Use our replacement sqlite_convert.sql to detect previous migration
+cp -a %{SOURCE7} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql
+cp -a %{SOURCE8} %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
+sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+sed -i "s:^SCHEMA=.*schema:SCHEMA=%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/schema:" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
+sed -i "s:find_problematic_zones.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/find_problematic_zones.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_mysql
+sed -i "s:sqlite_convert.sql:%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/sqlite_convert.sql:g" %{buildroot}%{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite
+
+
+%files
+%{_unitdir}/ods-enforcerd.service
+%{_unitdir}/ods-signerd.service
+%config(noreplace) %{_tmpfilesdir}/opendnssec.conf
+%attr(0770,root,ods) %dir %{_sysconfdir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/tmp
+%attr(0775,root,ods) %dir %{_localstatedir}/opendnssec/signed
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/signconf
+%attr(0770,root,ods) %dir %{_localstatedir}/opendnssec/enforcer
+%attr(0660,root,ods) %config(noreplace) %{_sysconfdir}/opendnssec/*.xml
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ods
+%attr(0770,root,ods) %dir %{_localstatedir}/run/opendnssec
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/opendnssec
+%doc NEWS README.md
+%license LICENSE
+%{_mandir}/*/*
+%{_sbindir}/*
+%{_bindir}/*
+%attr(0755,root,root) %dir %{_datadir}/opendnssec
+%{_datadir}/opendnssec/*
+
+%pre
+getent group ods >/dev/null || groupadd -r ods
+getent passwd ods >/dev/null || \
+useradd -r -g ods -d /etc/opendnssec -s /sbin/nologin \
+-c "opendnssec daemon account" ods
+exit 0
+
+%post
+# Initialise a slot on the softhsm on first install
+if [ "$1" -eq 1 ]; then
+ %{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \
+ --free --label "OpenDNSSEC" --pin 1234 --so-pin 1234
+ if [ ! -s %{_localstatedir}/opendnssec/kasp.db ]; then
+ echo y | %{_sbindir}/ods-enforcer-db-setup
+ %{_bindir}/sqlite3 -batch %{_localstatedir}/opendnssec/kasp.db < %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/rpmversion.sql
+ fi
+
+elif [ -z "$(%{_bindir}/sqlite3 %{_localstatedir}/opendnssec/kasp.db 'select * from rpm_migration;')" ]; then
+ # Migrate version 1.4 db to version 2.1 db
+ if [ -e %{_localstatedir}/opendnssec/rpm-migration-in-progress ]; then
+ echo "previous (partial?) migration found - human intervention is needed"
+ else
+ echo "opendnssec 1.4 database found, migrating to 2.x"
+ touch %{_localstatedir}/opendnssec/rpm-migration-in-progress
+ mv -n %{_localstatedir}/opendnssec/kasp.db %{_localstatedir}/opendnssec/kasp.db-1.4
+ echo "migrating conf.xml from 1.4 to 2.1 schema"
+ cp -n %{_sysconfdir}/opendnssec/conf.xml %{_sysconfdir}/opendnssec/conf.xml-1.4
+ # fixup incompatibilities inflicted upon us by upstream :(
+ sed -i "/.*Interval>/d" %{_sysconfdir}/opendnssec/conf.xml
+ echo "Converting kasp.db"
+ ERR=""
+ %{_datadir}/opendnssec/migration/1.4-2.0_db_convert/convert_sqlite -i %{_localstatedir}/opendnssec/kasp.db-1.4 -o %{_localstatedir}/opendnssec/kasp.db || ERR="convert_sqlite error"
+ chown ods.ods %{_localstatedir}/opendnssec/kasp.db
+ cp -n %{_sysconfdir}/opendnssec/zonelist.xml %{_localstatedir}/opendnssec/enforcer/zones.xml
+ if [ -z "$ERR" ]; then
+ echo "calling ods-migrate"
+ ods-migrate || ERR="ods-migrate failed"
+ if [ -z "$ERR" ]; then
+ echo "opendnssec 1.4 to 2.x migration completed"
+ rm %{_localstatedir}/opendnssec/rpm-migration-in-progress
+ else
+ echo "ods-migrate process failed - human intervention is needed"
+ fi
+ else
+ echo "%{_localstatedir}/opendnssec/kasp.db conversion failed - not calling ods-migrate to complete migration. human intervention is needed"
+ fi
+ fi
+fi
+
+# in case we update any xml conf file
+ods-enforcer update all >/dev/null 2>/dev/null ||:
+
+%systemd_post ods-enforcerd.service
+%systemd_post ods-signerd.service
+
+%preun
+%systemd_preun ods-enforcerd.service
+%systemd_preun ods-signerd.service
+
+%postun
+%systemd_postun_with_restart ods-enforcerd.service
+%systemd_postun_with_restart ods-signerd.service
+
+%changelog
+* Fri Dec 04 2020 Alexander Bokovoy - 2.1.7-1
+- Upstream release 2.1.7
+- Resolves: rhbz#1904484
+
+* Fri May 08 2020 Paul Wouters - 2.1.6-2
+- Resolves: rhbz#1831732 AVC avc: denied { dac_override } for comm="ods-enforcerd
+
+* Wed Apr 15 2020 Paul Wouters - 2.1.6-1
+- Resolves: rhbz#1759888 Rebase OpenDNSSEC to 2.1
+
+* Tue Dec 12 2017 Paul Wouters - 1.4.14-1
+- Update to 1.4.14 as first steop to migrating to 2.x
+- Resolves: rhbz#1413254 Move tmpfiles.d config to %%{_tmpfilesdir}, install LICENSE as %%license
+
+* Thu Aug 03 2017 Fedora Release Engineering - 1.4.9-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 1.4.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Wed Mar 08 2017 Tomas Hozza - 1.4.9-5
+- Fix FTBFS (#1424019) in order to rebuild against new ldns
+
+* Sat Feb 11 2017 Fedora Release Engineering - 1.4.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 18 2016 Paul Wouters - 1.4.9-3
+- Resolves: rbz#1303965 upgrade to opendnssec-1.4.9-1.fc23 breaks old installations
+- On initial install, after token init, also run ods-ksmutil setup
+
+* Thu Feb 04 2016 Fedora Release Engineering - 1.4.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Feb 01 2016 Paul Wouters - 1.4.9-1
+- Updated to 1.4.9
+- Removed merged in patch
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1.4.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 09 2015 Paul Wouters - 1.4.7-2
+- Resolves rhbz#1219746 ods-signerd.service misplaced After= in section Service
+- Resolves rhbz#1220443 OpenDNSSEC fails to initialise a slot in softhsm on first install
+
+* Tue Dec 09 2014 Paul Wouters - 1.4.7-1
+- Updated to 1.4.7 (fix zone update can get stuck, crash on retransfer cmd)
+
+* Wed Oct 15 2014 Paul Wouters - 1.4.6-4
+- Change /etc/opendnssec to be ods group writable
+
+* Wed Oct 08 2014 Paul Wouters - 1.4.6-3
+- Added Petr Spacek's patch that adds the config option (rhbz#1123354)
+
+* Sun Aug 17 2014 Fedora Release Engineering - 1.4.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Mon Jul 28 2014 Paul Wouters - 1.4.6-1
+- Updated to 1.4.6
+- Removed incorporated patch upstream
+- Remove Wants= from ods-signerd.service (rhbz#1098205)
+
+* Sat Jun 07 2014 Fedora Release Engineering - 1.4.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Apr 18 2014 Paul Wouters - 1.4.5-2
+- Updated to 1.4.5
+- Added patch for serial 0 bug in XFR adapter
+
+* Tue Apr 01 2014 Paul Wouters - 1.4.4-3
+- Add buildrequires for ods-kasp2html (rhbz#1073313)
+
+* Sat Mar 29 2014 Paul Wouters - 1.4.4-2
+- Add requires for ods-kasp2html (rhbz#1073313)
+
+* Thu Mar 27 2014 Paul Wouters - 1.4.4-1
+- Updated to 1.4.4 (compatibility with non RFC 5155 errata 3441)
+- Change the default ZSK policy from 1024 to 2048 bit RSA keys
+- Fix post to be quiet when upgrading opendnssec
+
+* Thu Jan 09 2014 Paul Wouters - 1.4.3-1
+- Updated to 1.4.3 (rhel#1048449) - minor bugfixes, minor feature enhancements
+- rhel#1025985 OpenDNSSEC signer cannot be started due to a typo in service file
+
+* Wed Sep 11 2013 Paul Wouters - 1.4.2-1
+- Updated to 1.4.2, bugfix release
+
+* Sat Aug 03 2013 Fedora Release Engineering - 1.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Jun 28 2013 Paul Wouters - 1.4.1-1
+- Updated to 1.4.1. NSEC3 handling and serial number handling fixes
+- Add BuildRequire for systemd-units
+
+* Sat May 11 2013 Paul Wouters - 1.4.0-1
+- Updated to 1.4.0
+
+* Fri Apr 12 2013 Paul Wouters - 1.4.20-0.8.rc3
+- Updated to 1.4.0rc3
+- Enabled hardened compile, full relzo/pie
+
+* Fri Jan 25 2013 Patrick Uiterwijk - 1.4.0-0.7.rc2
+- Updated to 1.4.0rc2, which includes svn r6952
+
+* Fri Jan 18 2013 Patrick Uiterwijk - 1.4.0-0.6.rc1
+- Updated to 1.4.0rc1
+- Applied opendnssec-ksk-premature-retirement.patch (svn r6952)
+
+* Tue Dec 18 2012 Paul Wouters - 1.4.0-0.5.b2
+- Updated to 1.4.0b2
+- All patches have been merged upstream
+- cron job should be marked as config file
+
+* Tue Oct 30 2012 Paul Wouters - 1.4.0-0.4.b1
+- Added BuildRequires: procps-ng for bug OPENDNSSEC-345
+- Change RRSIG inception offset to -2h to avoid possible
+ daylight saving issues on resolvers
+- Patch to prevent removal of occluded data
+
+* Wed Sep 26 2012 Paul Wouters - 1.4.0-0.3.b1
+- Just an EVR fix to the proper standard
+- Cleanup of spec file
+- Introduce new systemd-rpm macros (rhbz#850242)
+
+* Wed Sep 12 2012 Paul Wouters - 1.4.0-0.b1.1
+- Updated to 1.4.0b1
+- Patch for NSEC3PARAM TTL
+- Cron job to assist narrowing ods-enforcerd timing differences
+
+* Wed Aug 29 2012 Paul Wouters - 1.4.0-0.a3.1
+- Updated to 1.4.0a3
+- Patch to more aggressively try to resign
+- Patch to fix locking issue eating up cpu
+
+* Fri Jul 20 2012 Fedora Release Engineering - 1.4.0-0.a2.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Jun 12 2012 Paul Wouters - 1.4.0-0.a2.1
+- Updated to 1.4.0a2
+- ksm-utils patch for ods-ksmutil to die sooner when it can't lock
+ the HSM.
+
+* Wed May 16 2012 Paul Wouters - 1.4.0-0.a1.3
+- Patch for crasher with deleted RRsets and NSEC3/OPTOUT chains
+
+* Mon Mar 26 2012 Paul Wouters - 1.4.0-0.a1.2
+- Added opendnssec LICENSE file from trunk (Thanks Jakob!)
+
+* Mon Mar 26 2012 Paul Wouters - 1.4.0-0.a1.1
+- Fix macros in comment
+- Added missing -m to install target
+
+* Sun Mar 25 2012 Paul Wouters - 1.4.0-0.a1
+- The 1.4.x branch no longer needs ruby, as the auditor has been removed
+- Added missing openssl-devel BuildRequire
+- Comment out so keys generated by ods can be used by bind
+
+* Fri Feb 24 2012 Paul Wouters - 1.3.6-3
+- Requires rubygem-soap4r when using ruby-1.9
+- Don't ghost /var/run/opendnssec
+- Converted initd to systemd
+
+* Thu Nov 24 2011 root - 1.3.2-6
+- Added rubygem-dnsruby requires as rpm does not pick it up automatically
+
+* Tue Nov 22 2011 root - 1.3.2-5
+- Added /var/opendnssec/signconf/ /as this temp dir is needed
+
+* Mon Nov 21 2011 Paul Wouters - 1.3.2-4
+- Added /var/opendnssec/signed/ as this is the default output dir
+
+* Sun Nov 20 2011 Paul Wouters - 1.3.2-3
+- Add ods user for opendnssec tasks
+- Added initscripts and services for ods-signerd and ods-enforcerd
+- Initialise OpenDNSSEC softhsm token on first install
+
+* Wed Oct 05 2011 Paul Wouters - 1.3.2-1
+- Updated to 1.3.2
+- Added dependancies on opencryptoki and softhsm
+- Don't install duplicate unreadable .sample files
+- Fix upstream conf.xml to point to actually used library paths
+
+* Thu Mar 3 2011 Paul Wouters - 1.2.0-1
+- Initial package for Fedora
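Review bot: The SoftHSM token that will hold the DNSSEC private keys is initialised in `%post` with the fixed, well-known PIN `1234` (and the same SO-PIN), and the packaged conf.xml ships that value, so every installation protects its signing keys with a credential anyone can read off this spec. Generating a per-host PIN at first install and writing it into conf.xml costs nothing for the daemons, which read the PIN from conf.xml anyway; the sed below assumes the upstream `<PIN>1234</PIN>` element, which should be confirmed against the shipped file. Separately, the `elif` that queries `rpm_migration` treats any empty output as "1.4 database": a 2.x kasp.db that lacks the table, or an absent file (sqlite3 silently creates an empty one), is moved aside and fed to convert_sqlite, so guard it with `[ -s kasp.db ] && sqlite3 kasp.db "select name from sqlite_master where type='table' and name='rpm_migration';"`. `chown ods.ods` should be the portable `chown ods:ods`.
```rpmspec
if [ "$1" -eq 1 ]; then
    # Per-host token PIN instead of the well-known 1234; conf.xml must carry the same value.
    PIN=$(tr -dc 0-9 < /dev/urandom | head -c 12)
    %{_sbindir}/runuser -u ods -- %{_bindir}/softhsm2-util --init-token \
        --free --label "OpenDNSSEC" --pin "$PIN" --so-pin "$PIN"
    sed -i "s:<PIN>1234</PIN>:<PIN>$PIN</PIN>:" %{_sysconfdir}/opendnssec/conf.xml
    # … unchanged: kasp.db creation and rpmversion.sql …
```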