diff --git a/0069-dns-only-disable-unbound-when-DoT-is-enabled.patch b/0069-dns-only-disable-unbound-when-DoT-is-enabled.patch
new file mode 100644
index 0000000..9025d7d
--- /dev/null
+++ b/0069-dns-only-disable-unbound-when-DoT-is-enabled.patch
@@ -0,0 +1,62 @@
+From 91353b10748f1153540c6f5447a80864dee59d7f Mon Sep 17 00:00:00 2001
+From: Antonio Torres
+Date: Wed, 12 Feb 2025 09:48:58 +0100
+Subject: [PATCH] dns: only disable unbound when DoT is enabled
+
+Ensure unbound is only stopped and disabled when DNS over TLS was
+enabled during installation.
+
+Signed-off-by: Antonio Torres
+Reviewed-By: Alexander Bokovoy
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/install/bindinstance.py | 11 +++++++----
+ ipaserver/install/dns.py | 3 +++
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 4f4ab9bbc66fcfd89354d6659cf9ac2bcaa270f6..0cc1f1325ce0a9dbdb09f4100a1a22bc4f24924a 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -689,6 +689,8 @@ class BindInstance(service.Service):
+ self.forward_policy = forward_policy
+ self.reverse_zones = reverse_zones
+
++ self.sstore.backup_state("dns_over_tls", "enabled", dns_over_tls)
++
+ if not zonemgr:
+ self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
+ else:
+@@ -1377,10 +1379,11 @@ class BindInstance(service.Service):
+
+ self.named_conflict.unmask()
+
+- certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_CRT)
+- certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_KEY)
+- services.knownservices.unbound.disable()
+- services.knownservices.unbound.stop()
++ if self.sstore.restore_state("dns_over_tls", "enabled"):
++ if not self.sstore.restore_state("dns_over_tls", "external_crt"):
++ certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_CRT)
++ services.knownservices["unbound"].disable()
++ services.knownservices["unbound"].stop()
+
+ ipautil.remove_file(paths.NAMED_CONF_BAK)
+ ipautil.remove_file(paths.NAMED_CUSTOM_CONF)
+diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
+index 29ca0d2ff4efa8ad80784b393f49ac8ec0e03512..88aff19bcec11f778af5644167c32c45cbcab594 100644
+--- a/ipaserver/install/dns.py
++++ b/ipaserver/install/dns.py
+@@ -457,6 +457,9 @@ def install(standalone, replica, options, api=api):
+
+ bind.create_instance()
+
++ bind.sstore.backup_state("dns_over_tls",
++ "external_crt",
++ bool(options.dns_over_tls_cert))
+ if options.dns_over_tls:
+ print("Setting up DNS over TLS")
+ _setup_dns_over_tls(options)
+--
+2.48.1
+
diff --git a/freeipa.spec b/freeipa.spec
index 00d510c..70af35c 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -207,7 +207,7 @@ Name: %{package_name}
Version: %{IPA_VERSION}
-Release: 14%{?rc_version:.%rc_version}%{?dist}
+Release: 15%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@@ -306,6 +306,7 @@ Patch0065: 0065-Add-DNS-over-TLS-support.patch
Patch0066: 0066-ipatests-on-rhel10-do-not-install-firefox.patch
Patch0067: 0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch
Patch0068: 0068-Align-startup_timeout-with-the-systemd-default-and-d.patch
+Patch0069: 0069-dns-only-disable-unbound-when-DoT-is-enabled.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@@ -1951,6 +1952,9 @@ fi
%endif
%changelog
+* Wed Feb 12 2025 Florence Blanc-Renaud - 4.12.2-15
+- Resolves: RHEL-67912 Add DNS over TLS Support
+
* Tue Feb 11 2025 Florence Blanc-Renaud - 4.12.2-14
- Resolves: RHEL-78766 Include latest fixes in python3-ipatests package
- Resolves: RHEL-77965 ipa-server-install failing on slow hsm
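Review bot: Servers that enabled DoT before this build have no `dns_over_tls`/`enabled` entry in the state store, because `backup_state` is only written in `BindInstance.setup()` at install time, so on those hosts the new guard in `uninstall()` skips `certmonger.stop_tracking` and leaves unbound enabled and running — the cleanup the removed unconditional lines used to perform, and a stale certmonger request plus a still-listening resolver after the service is gone. I would treat a missing key (presumably `restore_state` returns `None` for an absent key; verify against sysrestore) as "unknown" and fall back to an on-disk check, e.g. `dot_enabled = self.sstore.restore_state("dns_over_tls", "enabled")` followed by `if dot_enabled is None: dot_enabled = os.path.isfile(paths.BIND_DNS_OVER_TLS_CRT)` (assuming `os` is in scope and that path is where the certmonger-issued certificate lands), or at least document the upgrade gap in the commit message. The stop-tracking call for `paths.BIND_DNS_OVER_TLS_KEY` is also dropped without explanation; if certmonger requests are only keyed by cert file that is harmless, but a one-line comment saying so would spare the next reader the same question. The enclosing `uninstall()` method starts and ends outside the hunk.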