Backport nsupdate TLS support
This should add working nsupdate support for -S parameter and some others in addition. References: https://issues.redhat.com/browse/FREEIPA-11706 https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6751 https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6752 Resolves: RHEL-77354
This commit is contained in:
Petr Menšík
parent
3acbaf0f31
commit
e56ef46872
114
bind-9.20-nsupdate-tls-doc.patch
Normal file
114
bind-9.20-nsupdate-tls-doc.patch
Normal file
@ -0,0 +1,114 @@
|
||||
From c5c756ce2ac4c1563d024428e148ca27c7721f71 Mon Sep 17 00:00:00 2001
|
||||
From: Aram Sargsyan <aram@isc.org>
|
||||
Date: Wed, 21 Sep 2022 15:05:11 +0000
|
||||
Subject: [PATCH 2/3] Document nsupdate options related to DoT
|
||||
|
||||
Add documentation for the newly implemented DoT feature of the
|
||||
nsupdate program.
|
||||
|
||||
(cherry picked from commit bd8299d7b501234263a6aee98049f879b1c700b7)
|
||||
---
|
||||
bin/nsupdate/nsupdate.rst | 48 ++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 47 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/bin/nsupdate/nsupdate.rst b/bin/nsupdate/nsupdate.rst
|
||||
index 81bb4815cf4..f1ab5c76fa7 100644
|
||||
--- a/bin/nsupdate/nsupdate.rst
|
||||
+++ b/bin/nsupdate/nsupdate.rst
|
||||
@@ -19,7 +19,7 @@ nsupdate - dynamic DNS update utility
|
||||
Synopsis
|
||||
~~~~~~~~
|
||||
|
||||
-:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
|
||||
+:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [ [**-S**] [**-K** tlskeyfile] [**-E** tlscertfile] [**-A** tlscafile] [**-H** tlshostname] [-O] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
|
||||
|
||||
Description
|
||||
~~~~~~~~~~~
|
||||
@@ -71,6 +71,15 @@ Options
|
||||
|
||||
This option sets use of IPv6 only.
|
||||
|
||||
+.. option:: -A tlscafile
|
||||
+
|
||||
+ This option specifies the file of the certificate authorities (CA) certificates
|
||||
+ (in PEM format) in order to verify the remote server TLS certificate when
|
||||
+ using DNS-over-TLS (DoT), to achieve Strict or Mutual TLS. When used, it will
|
||||
+ override the certificates from the global certificates store, which are
|
||||
+ otherwise used by default when :option:`-S` is enabled. This option can not
|
||||
+ be used in conjuction with :option:`-O`, and it implies :option:`-S`.
|
||||
+
|
||||
.. option:: -C
|
||||
|
||||
Overrides the default `resolv.conf` file. This is only intended for testing.
|
||||
@@ -84,10 +93,23 @@ Options
|
||||
|
||||
This option sets extra debug mode.
|
||||
|
||||
+.. option:: -E tlscertfile
|
||||
+
|
||||
+ This option sets the certificate(s) file for authentication for the
|
||||
+ DNS-over-TLS (DoT) transport to the remote server. The certificate
|
||||
+ chain file is expected to be in PEM format. This option implies :option:`-S`,
|
||||
+ and can only be used with :option:`-K`.
|
||||
+
|
||||
.. option:: -g
|
||||
|
||||
This option enables standard GSS-TSIG mode.
|
||||
|
||||
+.. option:: -H tlshostname
|
||||
+
|
||||
+ This option makes :program:`nsupdate` use the provided hostname during remote
|
||||
+ server TLS certificate verification. Otherwise, the DNS server name
|
||||
+ is used. This option implies :option:`-S`.
|
||||
+
|
||||
.. option:: -i
|
||||
|
||||
This option forces interactive mode, even when standard input is not a terminal.
|
||||
@@ -104,6 +126,13 @@ Options
|
||||
key used to authenticate Dynamic DNS update requests. In this case,
|
||||
the key specified is not an HMAC-MD5 key.
|
||||
|
||||
+.. option:: -K tlskeyfile
|
||||
+
|
||||
+ This option sets the key file for authenticated encryption for the
|
||||
+ DNS-over-TLS (DoT) transport with the remote server. The private key file is
|
||||
+ expected to be in PEM format. This option implies :option:`-S`, and can only
|
||||
+ be used with :option:`-E`.
|
||||
+
|
||||
.. option:: -l
|
||||
|
||||
This option sets local-host only mode, which sets the server address to localhost
|
||||
@@ -123,6 +152,14 @@ Options
|
||||
This option enables a non-standards-compliant variant of GSS-TSIG
|
||||
used by Windows 2000.
|
||||
|
||||
+.. option:: -O
|
||||
+
|
||||
+ This option enables Opportunistic TLS. When used, the remote peer's TLS
|
||||
+ certificate will not be verified. This option should be used for debugging
|
||||
+ purposes only, and it is not recommended to use it in production. This
|
||||
+ option can not be used in conjuction with :option:`-A`, and it implies
|
||||
+ :option:`-S`.
|
||||
+
|
||||
.. option:: -p port
|
||||
|
||||
This option sets the port to use for connections to a name server. The default is
|
||||
@@ -138,6 +175,15 @@ Options
|
||||
This option sets the number of UDP retries. The default is 3. If zero, only one update
|
||||
request is made.
|
||||
|
||||
+.. option:: -S
|
||||
+
|
||||
+ This option indicates whether to use DNS-over-TLS (DoT) when querying
|
||||
+ name servers specified by ``server servername port`` syntax in the input
|
||||
+ file, and the primary server discovered through a SOA request. When the
|
||||
+ :option:`-K` and :option:`-E` options are used, then the specified TLS
|
||||
+ client certificate and private key pair are used for authentication
|
||||
+ (Mutual TLS). This option implies :option:`-v`.
|
||||
+
|
||||
.. option:: -t timeout
|
||||
|
||||
This option sets the maximum time an update request can take before it is aborted. The
|
||||
--
|
||||
2.47.0
|
||||
|
||||
1556
bind-9.20-nsupdate-tls.patch
Normal file
1556
bind-9.20-nsupdate-tls.patch
Normal file
File diff suppressed because it is too large
Load Diff
12
bind.spec
12
bind.spec
@ -80,7 +80,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
|
||||
# Before rebasing bind, ensure bind-dyndb-ldap is ready to be rebuild and use side-tag with it.
|
||||
# Updating just bind will cause freeipa-dns-server package to be uninstallable.
|
||||
Version: 9.18.33
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -118,6 +118,13 @@ Patch10: bind-9.5-PIE.patch
|
||||
Patch16: bind-9.16-redhat_doc.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2122010
|
||||
Patch26: bind-9.18-unittest-netmgr-unstable.patch
|
||||
# Downstream backport from 9.20
|
||||
# https://issues.redhat.com/browse/FREEIPA-11706
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6751
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6752
|
||||
Patch28: bind-9.20-nsupdate-tls.patch
|
||||
# Man change for patch28 nsupdate
|
||||
Patch29: bind-9.20-nsupdate-tls-doc.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
# https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
|
||||
@ -891,6 +898,9 @@ fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sun Feb 02 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.33-2
|
||||
- Add nsupdate TLS support (RHEL-77354)
|
||||
|
||||
* Sun Feb 02 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.33-1
|
||||
- Update to 9.16.33 (rhbz#2342784)
|
||||
- Make relative documentation links
|
||||
|
||||
Loading…
Reference in New Issue
Block a user