diff --git a/bind-9.20-nsupdate-tls.patch b/bind-9.20-nsupdate-tls.patch index 183ff0b..ccf46e4 100644 --- a/bind-9.20-nsupdate-tls.patch +++ b/bind-9.20-nsupdate-tls.patch @@ -1,7 +1,7 @@ -From ec00ba4b215963af5e05892cf2ce1a62222ede46 Mon Sep 17 00:00:00 2001 +From b44dc4ed5c34445511f06d4b972407d539f8e9da Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Mon, 11 Nov 2024 18:09:07 +0100 -Subject: [PATCH 1/3] Backport nsupdate TLS support into 9.18 +Subject: [PATCH] Backport nsupdate TLS support into 9.18 Attempt to support TLS from nsupdate even in 9.18 release. @@ -40,9 +40,15 @@ implementation as a model for the newly added features. [pemensik] Adapted to previous 9.18 changes. Add usage and command line parsing + +Fixup tls initialization from nsupdate + +Detach transport also on dispatch_destroy properly. + +Adapted to 9.18.33. --- bin/nsupdate/nsupdate.c | 192 ++++++++++++++++++++---- - lib/dns/dispatch.c | 107 ++++++++++++-- + lib/dns/dispatch.c | 128 ++++++++++++++-- lib/dns/include/dns/dispatch.h | 22 +++ lib/dns/include/dns/request.h | 23 +++ lib/dns/include/dns/transport.h | 45 +++++- @@ -50,10 +56,10 @@ Add usage and command line parsing lib/dns/request.c | 63 ++++++-- lib/dns/transport.c | 253 ++++++++++++++++++++++++++++++++ lib/dns/xfrin.c | 232 +---------------------------- - 9 files changed, 649 insertions(+), 290 deletions(-) + 9 files changed, 668 insertions(+), 292 deletions(-) diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c -index 45ba90fba7b..93c7ea6cb17 100644 +index 293ed28..819925e 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -45,6 +45,7 @@ @@ -449,7 +455,7 @@ index 45ba90fba7b..93c7ea6cb17 100644 if (answer != NULL) { dns_message_detach(&answer); diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c -index d737363fea4..44a2896cb03 100644 +index eb37198..8273c32 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -30,6 +30,7 @@ 
@@ -517,18 +523,33 @@ index d737363fea4..44a2896cb03 100644 + + switch (transport_type) { + case DNS_TRANSPORT_UDP: - return ("UDP"); + return "UDP"; - case isc_socktype_tcp: + case DNS_TRANSPORT_TCP: - return ("TCP"); + return "TCP"; + case DNS_TRANSPORT_TLS: + return "TLS"; + case DNS_TRANSPORT_HTTP: + return "HTTP"; default: - return (""); + return ""; } -@@ -1161,6 +1182,15 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, isc_socktype_t type, +@@ -457,6 +478,14 @@ dispentry_destroy(dns_dispentry_t *resp) { + isc_nmhandle_detach(&resp->handle); + } + ++ if (resp->tlsctx_cache != NULL) { ++ isc_tlsctx_cache_detach(&resp->tlsctx_cache); ++ } ++ ++ if (resp->transport != NULL) { ++ dns_transport_detach(&resp->transport); ++ } ++ + isc_mem_put(disp->mgr->mctx, resp, sizeof(*resp)); + + dns_dispatch_detach(&disp); /* DISPATCH001 */ +@@ -1161,6 +1190,15 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, isc_socktype_t type, isc_result_t dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr, const isc_sockaddr_t *destaddr, dns_dispatch_t **dispp) { @@ -544,7 +565,7 @@ index d737363fea4..44a2896cb03 100644 dns_dispatch_t *disp = NULL; REQUIRE(VALID_DISPATCHMGR(mgr)); -@@ -1170,7 +1200,11 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr, +@@ -1170,7 +1208,11 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr, dispatch_allocate(mgr, isc_socktype_tcp, &disp); @@ -556,7 +577,7 @@ index d737363fea4..44a2896cb03 100644 if (localaddr != NULL) { disp->local = *localaddr; -@@ -1185,6 +1219,7 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr, +@@ -1185,6 +1227,7 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr, * Append it to the dispatcher list. */ 
@@ -564,7 +585,7 @@ index d737363fea4..44a2896cb03 100644 /* FIXME: There should be a lookup hashtable here */ ISC_LIST_APPEND(mgr->list, disp, link); UNLOCK(&mgr->lock); -@@ -1208,6 +1243,13 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr, +@@ -1208,6 +1251,13 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr, isc_result_t dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *destaddr, const isc_sockaddr_t *localaddr, dns_dispatch_t **dispp) { @@ -578,7 +599,7 @@ index d737363fea4..44a2896cb03 100644 dns_dispatch_t *disp_connected = NULL; dns_dispatch_t *disp_fallback = NULL; isc_result_t result = ISC_R_NOTFOUND; -@@ -1248,8 +1290,10 @@ dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *destaddr, +@@ -1248,8 +1298,10 @@ dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *destaddr, if (disp->socktype != isc_socktype_tcp || !isc_sockaddr_equal(destaddr, &peeraddr) || (localaddr != NULL && @@ -590,7 +611,17 @@ index d737363fea4..44a2896cb03 100644 UNLOCK(&disp->lock); continue; } -@@ -1426,7 +1470,18 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options, +@@ -1403,6 +1455,9 @@ dispatch_destroy(dns_dispatch_t *disp) { + disp->handle, &disp->handle); + isc_nmhandle_detach(&disp->handle); + } ++ if (disp->transport != NULL) { ++ dns_transport_detach(&disp->transport); ++ } + + isc_mutex_destroy(&disp->lock); + +@@ -1426,7 +1481,18 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options, unsigned int timeout, const isc_sockaddr_t *dest, dispatch_cb_t connected, dispatch_cb_t sent, dispatch_cb_t response, void *arg, dns_messageid_t *idp, 
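Review bot: The block added to dispatch_destroy releases only `disp->transport`, while the per-entry counterpart added earlier in this file (inner hunk `@@ -457,6 +478,14 @@ dispentry_destroy`) releases both a transport and a `tlsctx_cache` reference; if the dispatch itself also stores a tlsctx_cache reference when it is created with a transport (the dispatch struct and the body of dns_dispatch_createtcp2 are outside this hunk), that reference would still leak here. Worth confirming against the struct definition; if the field exists, the same two-line pattern applies, `if (disp->tlsctx_cache != NULL) { isc_tlsctx_cache_detach(&disp->tlsctx_cache); }`. A short why-comment above the new block, `/* release the transport reference taken when the dispatch was created */`, would tie the detach to its attach, since the attach is not visible near this code. dispatch_destroy starts and ends outside the hunk.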
@@ -610,7 +641,7 @@ index d737363fea4..44a2896cb03 100644 dns_dispentry_t *resp = NULL; dns_qid_t *qid = NULL; in_port_t localport; -@@ -1444,6 +1499,7 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options, +@@ -1444,6 +1510,7 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options, REQUIRE(connected != NULL); REQUIRE(response != NULL); REQUIRE(sent != NULL); @@ -618,7 +649,7 @@ index d737363fea4..44a2896cb03 100644 LOCK(&disp->lock); -@@ -1471,6 +1527,7 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options, +@@ -1471,6 +1538,7 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options, .rlink = ISC_LINK_INITIALIZER, .magic = RESPONSE_MAGIC, }; @@ -626,8 +657,8 @@ index d737363fea4..44a2896cb03 100644 #if DNS_DISPATCH_TRACE fprintf(stderr, "dns_dispentry__init:%s:%s:%d:%p->references = 1\n", -@@ -1530,6 +1587,14 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options, - return (ISC_R_NOMORE); +@@ -1530,6 +1598,14 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options, + return ISC_R_NOMORE; } + if (transport != NULL) { @@ -641,7 +672,7 @@ index d737363fea4..44a2896cb03 100644 dns_dispatch_attach(disp, &resp->disp); /* DISPATCH001 */ disp->requests++; -@@ -1779,6 +1844,7 @@ dns_dispatch_done(dns_dispentry_t **respp) { +@@ -1779,6 +1855,7 @@ dns_dispatch_done(dns_dispentry_t **respp) { *respp = NULL; dispentry_cancel(resp, ISC_R_CANCELED); @@ -649,7 +680,7 @@ index d737363fea4..44a2896cb03 100644 dns_dispentry_detach(&resp); /* DISPENTRY000 */ } -@@ -1970,6 +2036,27 @@ udp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) { +@@ -1970,6 +2047,27 @@ udp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) { static isc_result_t tcp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) { 
@@ -677,8 +708,25 @@ index d737363fea4..44a2896cb03 100644 /* Check whether the dispatch is already connecting or connected. */ LOCK(&disp->lock); switch (disp->state) { +@@ -1995,8 +2093,14 @@ tcp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) { + "connecting from %s to %s, timeout %u", localbuf, + peerbuf, resp->timeout); + +- isc_nm_tcpdnsconnect(disp->mgr->nm, &disp->local, &disp->peer, +- tcp_connected, disp, resp->timeout, 0); ++ if (tlsctx != NULL) { ++ isc_nm_tlsdnsconnect(disp->mgr->nm, &disp->local, &disp->peer, ++ tcp_connected, disp, resp->timeout, 0, ++ tlsctx, sess_cache); ++ } else { ++ isc_nm_tcpdnsconnect(disp->mgr->nm, &disp->local, &disp->peer, ++ tcp_connected, disp, resp->timeout, 0); ++ } + break; + + case DNS_DISPATCHSTATE_CONNECTING: diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h -index ad377f078ed..cfdc37481ce 100644 +index ad377f0..cfdc374 100644 --- a/lib/dns/include/dns/dispatch.h +++ b/lib/dns/include/dns/dispatch.h @@ -56,6 +56,7 @@ @@ -739,7 +787,7 @@ index ad377f078ed..cfdc37481ce 100644 * Add a response entry for this dispatch. * diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h -index d00574f9827..17bcbf68c3b 100644 +index d00574f..17bcbf6 100644 --- a/lib/dns/include/dns/request.h +++ b/lib/dns/include/dns/request.h @@ -44,6 +44,7 @@ @@ -787,7 +835,7 @@ index d00574f9827..17bcbf68c3b 100644 * \brief Create and send a request. * diff --git a/lib/dns/include/dns/transport.h b/lib/dns/include/dns/transport.h -index e74ccd7f970..e6499a97e73 100644 +index e74ccd7..e6499a9 100644 --- a/lib/dns/include/dns/transport.h +++ b/lib/dns/include/dns/transport.h @@ -13,7 +13,9 @@ @@ -874,7 +922,7 @@ index e74ccd7f970..e6499a97e73 100644 * Requires: *\li 'transport' is valid. diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h -index 6465962bd41..f0aaa24e936 100644 +index 6465962..f0aaa24 100644 --- a/lib/dns/include/dns/types.h 
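Review bot: The added branch in tcp_dispatch_connect chooses between `isc_nm_tlsdnsconnect` and `isc_nm_tcpdnsconnect` solely on `tlsctx != NULL`, so if the code earlier in the function that derives `tlsctx` and `sess_cache` (outside this hunk) can leave `tlsctx` NULL for a transport of type DNS_TRANSPORT_TLS — for example when no TLS context can be obtained — the connection silently proceeds in plaintext instead of failing. The branch should be keyed on the requested transport type, with a missing context for a TLS transport treated as a connect error rather than a fallback; a comment such as `/* plaintext TCP only when no TLS transport was requested */` above the `else` would make the intended invariant explicit. The "connecting from %s to %s, timeout %u" log line just above could also name the chosen transport so a downgrade is visible in logs. tcp_dispatch_connect starts and ends outside the hunk.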
+++ b/lib/dns/include/dns/types.h @@ -141,6 +141,8 @@ typedef struct dns_ssutable dns_ssutable_t; @@ -887,7 +935,7 @@ index 6465962bd41..f0aaa24e936 100644 typedef struct dns_tsec dns_tsec_t; typedef struct dns_tsig_keyring dns_tsig_keyring_t; diff --git a/lib/dns/request.c b/lib/dns/request.c -index fb17ed2262e..463a7ca6d63 100644 +index 8aaa29f..badedab 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -399,12 +399,12 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) { @@ -914,7 +962,7 @@ index fb17ed2262e..463a7ca6d63 100644 - destaddr, dispatchp); + result = dns_dispatch_createtcp2(requestmgr->dispatchmgr, srcaddr, + destaddr, transport, 0, dispatchp); - return (result); + return result; } @@ -452,12 +452,12 @@ udp_dispatch(dns_requestmgr_t *requestmgr, const isc_sockaddr_t *srcaddr, @@ -1021,7 +1069,7 @@ index fb17ed2262e..463a7ca6d63 100644 goto detach; } diff --git a/lib/dns/transport.c b/lib/dns/transport.c -index ae1ab7415b1..59eba1db252 100644 +index 88a3df4..2a779ba 100644 --- a/lib/dns/transport.c +++ b/lib/dns/transport.c @@ -15,9 +15,11 @@ @@ -1302,7 +1350,7 @@ index ae1ab7415b1..59eba1db252 100644 transport_destroy(dns_transport_t *transport) { isc_refcount_destroy(&transport->references); diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c -index 72b24e15ac3..73bd834070c 100644 +index 3a4f761..3695815 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -962,234 +962,6 @@ xfrin_create(isc_mem_t *mctx, dns_zone_t *zone, dns_db_t *db, isc_nm_t *netmgr, @@ -1516,7 +1564,7 @@ index 72b24e15ac3..73bd834070c 100644 - *pctx = found; - } - -- return (ISC_R_SUCCESS); +- return ISC_R_SUCCESS; - -failure: - if (tlsctx != NULL) { @@ -1534,7 +1582,7 @@ index 72b24e15ac3..73bd834070c 100644 - isc_tls_cert_store_free(&store); - } - -- return (result); +- return result; -} - static isc_result_t @@ -1552,5 +1600,5 @@ index 72b24e15ac3..73bd834070c 100644 goto failure; } -- -2.47.0 +2.48.1