import CS bind9.18-9.18.29-2.el9

2025-03-11 07:02:01 +00:00 · 2025-03-11 07:02:01 +00:00 · 2683c619eb
commit 2683c619eb
parent e4326ff34b
5 changed files with 3376 additions and 9 deletions
--- a/SOURCES/bind-9.18-nsupdate-TLS-doc.patch
+++ b/SOURCES/bind-9.18-nsupdate-TLS-doc.patch
@ -0,0 +1,114 @@
+From 146811cdc40459129b20df9b3bb31bd152570b72 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan <aram@isc.org>
+Date: Wed, 21 Sep 2022 15:05:11 +0000
+Subject: [PATCH 2/3] Document nsupdate options related to DoT
+
+Add documentation for the newly implemented DoT feature of the
+nsupdate program.
+
+(cherry picked from commit bd8299d7b501234263a6aee98049f879b1c700b7)
+---
+ bin/nsupdate/nsupdate.rst | 48 ++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 47 insertions(+), 1 deletion(-)
+
+diff --git a/bin/nsupdate/nsupdate.rst b/bin/nsupdate/nsupdate.rst
+index 81bb4815cf4..f1ab5c76fa7 100644
+--- a/bin/nsupdate/nsupdate.rst
+++ b/bin/nsupdate/nsupdate.rst
+@@ -19,7 +19,7 @@ nsupdate - dynamic DNS update utility
+ Synopsis
+ ~~~~~~~~
+ 
+-:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
+:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [ [**-S**] [**-K** tlskeyfile] [**-E** tlscertfile] [**-A** tlscafile] [**-H** tlshostname] [-O] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
+ 
+ Description
+ ~~~~~~~~~~~
+@@ -71,6 +71,15 @@ Options
+ 
+    This option sets use of IPv6 only.
+ 
+.. option:: -A tlscafile
+
+   This option specifies the file of the certificate authorities (CA) certificates
+   (in PEM format) in order to verify the remote server TLS certificate when
+   using DNS-over-TLS (DoT), to achieve Strict or Mutual TLS. When used, it will
+   override the certificates from the global certificates store, which are
+   otherwise used by default when :option:`-S` is enabled. This option can not
+   be used in conjuction with :option:`-O`, and it implies :option:`-S`.
+
+ .. option:: -C
+ 
+    Overrides the default `resolv.conf` file. This is only intended for testing.
+@@ -84,10 +93,23 @@ Options
+ 
+    This option sets extra debug mode.
+ 
+.. option:: -E tlscertfile
+
+   This option sets the certificate(s) file for authentication for the
+   DNS-over-TLS (DoT) transport to the remote server. The certificate
+   chain file is expected to be in PEM format. This option implies :option:`-S`,
+   and can only be used with :option:`-K`.
+
+ .. option:: -g
+ 
+    This option enables standard GSS-TSIG mode.
+ 
+.. option:: -H tlshostname
+
+   This option makes :program:`nsupdate` use the provided hostname during remote
+   server TLS certificate verification. Otherwise, the DNS server name
+   is used. This option implies :option:`-S`.
+
+ .. option:: -i
+ 
+    This option forces interactive mode, even when standard input is not a terminal.
+@@ -104,6 +126,13 @@ Options
+    key used to authenticate Dynamic DNS update requests. In this case,
+    the key specified is not an HMAC-MD5 key.
+ 
+.. option:: -K tlskeyfile
+
+   This option sets the key file for authenticated encryption for the
+   DNS-over-TLS (DoT) transport with the remote server. The private key file is
+   expected to be in PEM format. This option implies :option:`-S`, and can only
+   be used with :option:`-E`.
+
+ .. option:: -l
+ 
+    This option sets local-host only mode, which sets the server address to localhost
+@@ -123,6 +152,14 @@ Options
+    This option enables a non-standards-compliant variant of GSS-TSIG
+    used by Windows 2000.
+ 
+.. option:: -O
+
+   This option enables Opportunistic TLS. When used, the remote peer's TLS
+   certificate will not be verified. This option should be used for debugging
+   purposes only, and it is not recommended to use it in production. This
+   option can not be used in conjuction with :option:`-A`, and it implies
+   :option:`-S`.
+
+ .. option:: -p port
+ 
+    This option sets the port to use for connections to a name server. The default is
+@@ -138,6 +175,15 @@ Options
+    This option sets the number of UDP retries. The default is 3. If zero, only one update
+    request is made.
+ 
+.. option:: -S
+
+   This option indicates whether to use DNS-over-TLS (DoT) when querying
+   name servers specified by ``server servername port`` syntax in the input
+   file, and the primary server discovered through a SOA request. When the
+   :option:`-K` and :option:`-E` options are used, then the specified TLS
+   client certificate and private key pair are used for authentication
+   (Mutual TLS). This option implies :option:`-v`.
+
+ .. option:: -t timeout
+ 
+    This option sets the maximum time an update request can take before it is aborted. The
+-- 
+2.48.1
+
--- a/SOURCES/bind-9.18-nsupdate-TLS-tests.patch
+++ b/SOURCES/bind-9.18-nsupdate-TLS-tests.patch
--- a/SOURCES/bind-9.18-nsupdate-TLS.patch
+++ b/SOURCES/bind-9.18-nsupdate-TLS.patch
--- a/SOURCES/bind-9.5-PIE.patch
+++ b/SOURCES/bind-9.5-PIE.patch
@ -1,17 +1,28 @@
+From 13348a5fc64387bf53ef450688e181100d0ceddb Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 12 Dec 2024 15:56:13 +0100
+Subject: [PATCH] Harden named service build flags
+
+---
+ bin/named/Makefile.am | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
 diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
-index 57a023b..085f2f7 100644
+index 57a023b..b832e9c 100644
 --- a/bin/named/Makefile.am
 +++ b/bin/named/Makefile.am
-@@ -32,9 +32,12 @@ AM_CPPFLAGS +=				\
- endif HAVE_LIBXML2
+@@ -33,7 +33,10 @@ endif HAVE_LIBXML2
 
 AM_CPPFLAGS +=						\
-+	-fpie                                           \
 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
- 	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
- 
-+AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+-	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
+	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"		\
+	-fpie
 +
+AM_LDFLAGS  += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+ 
 sbin_PROGRAMS = named
 
- nodist_named_SOURCES = xsl.c
+-- 
+2.47.1
+
--- a/SPECS/bind9.18.spec
+++ b/SPECS/bind9.18.spec
@ -77,7 +77,7 @@ License:  MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
 # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
 Version:  9.18.29
-Release:  1%{?dist}
+Release:  2%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -114,6 +114,11 @@ Patch10: bind-9.5-PIE.patch
 Patch16: bind-9.16-redhat_doc.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2122010
 Patch26: bind-9.18-unittest-netmgr-unstable.patch
+# https://issues.redhat.com/browse/FREEIPA-11706
+# https://issues.redhat.com/browse/RHEL-76331
+Patch27: bind-9.18-nsupdate-TLS.patch
+Patch28: bind-9.18-nsupdate-TLS-doc.patch
+Patch29: bind-9.18-nsupdate-TLS-tests.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -961,6 +966,11 @@ fi;
 %endif

 %changelog
+* Mon Jan 27 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-2
+- Backport nsupdate TLS support into 9.18 (RHEL-76331)
+- Update nsupdate manual about new TLS options
+- Test nsupdate TLS support
+
 * Wed Aug 21 2024 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-1
 - Update to 9.18.29 (RHEL-53015)