ipa-4.12.2-11

- Resolves: RHEL-67913 Add DNS over TLS Support, require bind9.18 32:9.18.29-2 and bind-dyndb-ldap 11.11-1

Signed-off-by: Thomas Woerner <twoerner@redhat.com>

freeipa.spec

@@ -85,7 +85,8 @@
 
 # Fix for TLS 1.3 PHA, RHBZ#1775158
 %global httpd_version 2.4.37-21
-%global bind_version 9.11.20-6
+%global bind_name bind9.18
+%global bind_version 9.18.29-2
 
 # support for passkey
 %global sssd_version 2.9.5
@@ -135,6 +136,7 @@
 %global httpd_version 2.4.41-9
 
 # Fix for RHBZ#2117342
+%global bind_name bind
 %if 0%{?fedora} < 37
 %global bind_version 9.11.24-1
 %else
@@ -224,7 +226,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        10%{?rc_version:.%rc_version}%{?dist}
+Release:        11%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPL-3.0-or-later
@@ -299,6 +301,7 @@ Patch0048:      0048-ipatests-restart-dirsrv-after-time-jumps.patch
 Patch0049:      0049-ipa-otpd-do-not-pass-OIDC-client-secret-if-there-is-.patch
 Patch0050:      0050-Migrate-Keycloak-tests-to-JDK-21-and-Keycloak-26.patch
 Patch0051:      0051-Apply-certmonger_timeout-to-start_tracking-and-reque.patch
+Patch0052:      0052-Add-DNS-over-TLS-support.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -648,14 +651,14 @@ If you are installing an IPA server, you need to install this package.
 Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 11.2-2
-Requires: bind >= %{bind_version}
-Requires: bind-utils >= %{bind_version}
+Requires: bind-dyndb-ldap >= 11.11-1
+Requires: %{bind_name} >= %{bind_version}
+Requires: %{bind_name}-utils >= %{bind_version}
 # bind-dnssec-utils is required by the OpenDNSSec integration
 # https://pagure.io/freeipa/issue/9026
-Requires: bind-dnssec-utils >= %{bind_version}
+Requires: %{bind_name}-dnssec-utils >= %{bind_version}
 %if %{with bind_pkcs11}
-Requires: bind-pkcs11 >= %{bind_version}
+Requires: %{bind_name}-pkcs11 >= %{bind_version}
 %else
 Requires: softhsm >= %{softhsm_version}
 Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
@@ -663,6 +666,7 @@ Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
 # RHEL 8.3+ and Fedora 32+ have 2.1
 Requires: opendnssec >= 2.1.6-5
+Recommends: %{name}-server-encrypted-dns
 %{?systemd_requires}
 
 Provides: %{alt_name}-server-dns = %{version}
@@ -677,6 +681,15 @@ IPA integrated DNS server with support for automatic DNSSEC signing.
 Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
 
 
+%package server-encrypted-dns
+Summary: support for encrypted DNS in IPA integrated DNS server
+Requires: %{name}-client-encrypted-dns
+
+%description server-encrypted-dns
+Provides support for enabling DNS over TLS in the IPA integrated DNS
+server.
+
+
 %package server-trust-ad
 Summary: Virtual package to install packages required for Active Directory trusts
 Requires: %{name}-server = %{version}-%{release}
@@ -749,7 +762,7 @@ Requires: sssd-idp >= %{sssd_version}
 Requires: sssd-krb5 >= %{sssd_version}
 Requires: certmonger >= %{certmonger_version}
 Requires: nss-tools >= %{nss_version}
-Requires: bind-utils
+Requires: %{bind_name}-utils
 Requires: oddjob-mkhomedir
 Requires: libsss_autofs
 Requires: autofs
@@ -757,6 +770,7 @@ Requires: libnfsidmap
 Requires: (nfs-utils or nfsv4-client-utils)
 Requires: sssd-tools >= %{sssd_version}
 Requires(post): policycoreutils
+Recommends: %{name}-client-encrypted-dns
 
 # https://pagure.io/freeipa/issue/8530
 Recommends: libsss_sudo
@@ -798,6 +812,14 @@ If your network uses IPA for authentication, this package should be
 installed on every client machine.
 This package provides command-line tools for IPA administrators.
 
+%package client-encrypted-dns
+Summary: Enable encrypted DNS support for clients
+Requires: unbound
+
+%description client-encrypted-dns
+This package enables support for installing clients with encrypted DNS
+via DNS over TLS.
+
 %package client-samba
 Summary: Tools to configure Samba on IPA client
 Group: System Environment/Base
@@ -1745,6 +1767,10 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
 
+%files server-encrypted-dns
+%doc README.md Contributors.txt
+%license COPYING
+
 %files server-trust-ad
 %doc README.md Contributors.txt
 %license COPYING
@@ -1804,6 +1830,10 @@ fi
 %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf
 %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template
 
+%files client-encrypted-dns
+%doc README.md Contributors.txt
+%license COPYING
+
 %files -n python3-ipaclient
 %doc README.md Contributors.txt
 %license COPYING
@@ -1914,6 +1944,9 @@ fi
 %endif
 
 %changelog
+* Tue Feb 11 2025 Thomas Woerner <twoerner@redhat.com> - 4.12.2-11
+- Resolves: RHEL-67913 Add DNS over TLS Support, Require bind9.18 32:9.18.29-2 and new bind-dyndb-ldap 11.11-1
+
 * Tue Jan 28 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-10
 - Resolves: RHEL-73022 A slow HSM can cause IPA server installation to fail setting up certificate tracking