ipa-4.12.2-15

- Resolves: RHEL-67912 Add DNS over TLS Support

0069-dns-only-disable-unbound-when-DoT-is-enabled.patch

@@ -0,0 +1,62 @@
+From 91353b10748f1153540c6f5447a80864dee59d7f Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Wed, 12 Feb 2025 09:48:58 +0100
+Subject: [PATCH] dns: only disable unbound when DoT is enabled
+
+Ensure unbound is only stopped and disabled when DNS over TLS was
+enabled during installation.
+
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/install/bindinstance.py | 11 +++++++----
+ ipaserver/install/dns.py          |  3 +++
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 4f4ab9bbc66fcfd89354d6659cf9ac2bcaa270f6..0cc1f1325ce0a9dbdb09f4100a1a22bc4f24924a 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -689,6 +689,8 @@ class BindInstance(service.Service):
+         self.forward_policy = forward_policy
+         self.reverse_zones = reverse_zones
+ 
++        self.sstore.backup_state("dns_over_tls", "enabled", dns_over_tls)
++
+         if not zonemgr:
+             self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
+         else:
+@@ -1377,10 +1379,11 @@ class BindInstance(service.Service):
+ 
+         self.named_conflict.unmask()
+ 
+-        certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_CRT)
+-        certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_KEY)
+-        services.knownservices.unbound.disable()
+-        services.knownservices.unbound.stop()
++        if self.sstore.restore_state("dns_over_tls", "enabled"):
++            if not self.sstore.restore_state("dns_over_tls", "external_crt"):
++                certmonger.stop_tracking(certfile=paths.BIND_DNS_OVER_TLS_CRT)
++            services.knownservices["unbound"].disable()
++            services.knownservices["unbound"].stop()
+ 
+         ipautil.remove_file(paths.NAMED_CONF_BAK)
+         ipautil.remove_file(paths.NAMED_CUSTOM_CONF)
+diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
+index 29ca0d2ff4efa8ad80784b393f49ac8ec0e03512..88aff19bcec11f778af5644167c32c45cbcab594 100644
+--- a/ipaserver/install/dns.py
++++ b/ipaserver/install/dns.py
+@@ -457,6 +457,9 @@ def install(standalone, replica, options, api=api):
+ 
+     bind.create_instance()
+ 
++    bind.sstore.backup_state("dns_over_tls",
++                             "external_crt",
++                             bool(options.dns_over_tls_cert))
+     if options.dns_over_tls:
+         print("Setting up DNS over TLS")
+         _setup_dns_over_tls(options)
+-- 
+2.48.1
+

freeipa.spec

@@ -207,7 +207,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        14%{?rc_version:.%rc_version}%{?dist}
+Release:        15%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPL-3.0-or-later
@@ -306,6 +306,7 @@ Patch0065:      0065-Add-DNS-over-TLS-support.patch
 Patch0066:      0066-ipatests-on-rhel10-do-not-install-firefox.patch
 Patch0067:      0067-Configure-the-pki-tomcatd-service-systemd-timeout.patch
 Patch0068:      0068-Align-startup_timeout-with-the-systemd-default-and-d.patch
+Patch0069:      0069-dns-only-disable-unbound-when-DoT-is-enabled.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1951,6 +1952,9 @@ fi
 %endif
 
 %changelog
+* Wed Feb 12 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-15
+- Resolves: RHEL-67912 Add DNS over TLS Support
+
 * Tue Feb 11 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-14
 - Resolves: RHEL-78766 Include latest fixes in python3-ipatests package
 - Resolves: RHEL-77965 ipa-server-install failing on slow hsm