diff --git a/bind-9.18-nsupdate-TLS-doc.patch b/bind-9.18-nsupdate-TLS-doc.patch new file mode 100644 index 0000000..bb7021a --- /dev/null +++ b/bind-9.18-nsupdate-TLS-doc.patch @@ -0,0 +1,114 @@ +From 146811cdc40459129b20df9b3bb31bd152570b72 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Wed, 21 Sep 2022 15:05:11 +0000 +Subject: [PATCH 2/3] Document nsupdate options related to DoT + +Add documentation for the newly implemented DoT feature of the +nsupdate program. + +(cherry picked from commit bd8299d7b501234263a6aee98049f879b1c700b7) +--- + bin/nsupdate/nsupdate.rst | 48 ++++++++++++++++++++++++++++++++++++++- + 1 file changed, 47 insertions(+), 1 deletion(-) + +diff --git a/bin/nsupdate/nsupdate.rst b/bin/nsupdate/nsupdate.rst +index 81bb4815cf4..f1ab5c76fa7 100644 +--- a/bin/nsupdate/nsupdate.rst ++++ b/bin/nsupdate/nsupdate.rst +@@ -19,7 +19,7 @@ nsupdate - dynamic DNS update utility + Synopsis + ~~~~~~~~ + +-:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename] ++:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [ [**-S**] [**-K** tlskeyfile] [**-E** tlscertfile] [**-A** tlscafile] [**-H** tlshostname] [-O] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename] + + Description + ~~~~~~~~~~~ +@@ -71,6 +71,15 @@ Options + + This option sets use of IPv6 only. + ++.. option:: -A tlscafile ++ ++ This option specifies the file of the certificate authorities (CA) certificates ++ (in PEM format) in order to verify the remote server TLS certificate when ++ using DNS-over-TLS (DoT), to achieve Strict or Mutual TLS. When used, it will ++ override the certificates from the global certificates store, which are ++ otherwise used by default when :option:`-S` is enabled. This option can not ++ be used in conjuction with :option:`-O`, and it implies :option:`-S`. ++ + .. option:: -C + + Overrides the default `resolv.conf` file. This is only intended for testing. +@@ -84,10 +93,23 @@ Options + + This option sets extra debug mode. + ++.. option:: -E tlscertfile ++ ++ This option sets the certificate(s) file for authentication for the ++ DNS-over-TLS (DoT) transport to the remote server. The certificate ++ chain file is expected to be in PEM format. This option implies :option:`-S`, ++ and can only be used with :option:`-K`. ++ + .. option:: -g + + This option enables standard GSS-TSIG mode. + ++.. option:: -H tlshostname ++ ++ This option makes :program:`nsupdate` use the provided hostname during remote ++ server TLS certificate verification. Otherwise, the DNS server name ++ is used. This option implies :option:`-S`. ++ + .. option:: -i + + This option forces interactive mode, even when standard input is not a terminal. +@@ -104,6 +126,13 @@ Options + key used to authenticate Dynamic DNS update requests. In this case, + the key specified is not an HMAC-MD5 key. + ++.. option:: -K tlskeyfile ++ ++ This option sets the key file for authenticated encryption for the ++ DNS-over-TLS (DoT) transport with the remote server. The private key file is ++ expected to be in PEM format. This option implies :option:`-S`, and can only ++ be used with :option:`-E`. ++ + .. option:: -l + + This option sets local-host only mode, which sets the server address to localhost +@@ -123,6 +152,14 @@ Options + This option enables a non-standards-compliant variant of GSS-TSIG + used by Windows 2000. + ++.. option:: -O ++ ++ This option enables Opportunistic TLS. When used, the remote peer's TLS ++ certificate will not be verified. This option should be used for debugging ++ purposes only, and it is not recommended to use it in production. This ++ option can not be used in conjuction with :option:`-A`, and it implies ++ :option:`-S`. ++ + .. option:: -p port + + This option sets the port to use for connections to a name server. The default is +@@ -138,6 +175,15 @@ Options + This option sets the number of UDP retries. The default is 3. If zero, only one update + request is made. + ++.. option:: -S ++ ++ This option indicates whether to use DNS-over-TLS (DoT) when querying ++ name servers specified by ``server servername port`` syntax in the input ++ file, and the primary server discovered through a SOA request. When the ++ :option:`-K` and :option:`-E` options are used, then the specified TLS ++ client certificate and private key pair are used for authentication ++ (Mutual TLS). This option implies :option:`-v`. ++ + .. option:: -t timeout + + This option sets the maximum time an update request can take before it is aborted. The +-- +2.48.1 + diff --git a/bind9.18.spec b/bind9.18.spec index d8f2f5e..30aebf1 100644 --- a/bind9.18.spec +++ b/bind9.18.spec @@ -117,6 +117,7 @@ Patch26: bind-9.18-unittest-netmgr-unstable.patch # https://issues.redhat.com/browse/FREEIPA-11706 # https://issues.redhat.com/browse/RHEL-76331 Patch27: bind-9.18-nsupdate-TLS.patch +Patch28: bind-9.18-nsupdate-TLS-doc.patch %{?systemd_ordering} Requires: coreutils @@ -966,6 +967,7 @@ fi; %changelog * Mon Jan 27 2025 Petr Menšík - 32:9.18.29-2 - Backport nsupdate TLS support into 9.18 (RHEL-76331) +- Update nsupdate manual about new TLS options * Wed Aug 21 2024 Petr Menšík - 32:9.18.29-1 - Update to 9.18.29 (RHEL-53015)