From 752566b5214a943f084e4e5d092f2b6dbdf0c393 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jan 2024 17:22:42 +0000 Subject: [PATCH 1/7] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 848c0c938a51b86b30a3304fb09abc37a7d99c7f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 24 Jan 2024 09:39:09 +0000 Subject: [PATCH 2/7] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 52d732d58dfb8950ab1ccb0bc9e1ada02aaf8ab7 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 17 Jul 2024 21:12:32 +0000 Subject: [PATCH 3/7] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From b0889c46e924ee4e625d4c3242c872018c195d50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Tue, 10 Sep 2024 16:30:06 +0200 Subject: [PATCH 4/7] Mark explicitly server cert with CA flag Since OpenSSL 3.2 it did not connect from control to server cert. Create server with indication is it CA. Also use clientAuth trust for CA cert. That allows control cert to be used for client authentication. Resolves: rhbz#2310947 --- dnssec-trigger-0.17-openssl-3.2.patch | 34 +++++++++++++++++++++++++++ dnssec-trigger.spec | 1 + 2 files changed, 35 insertions(+) create mode 100644 dnssec-trigger-0.17-openssl-3.2.patch diff --git a/dnssec-trigger-0.17-openssl-3.2.patch b/dnssec-trigger-0.17-openssl-3.2.patch new file mode 100644 index 0000000..d1b9474 --- /dev/null +++ b/dnssec-trigger-0.17-openssl-3.2.patch 
@@ -0,0 +1,34 @@
+From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Tue, 10 Sep 2024 16:22:07 +0200
+Subject: [PATCH] Mark explicitly server cert with CA flag
+
+Since OpenSSL 3.2 it did not connect from control to server cert. Create
+server with indication is it CA.
+
+Also use clientAuth trust for CA cert. That allows control cert to be
+used for client authentication.
+---
+ dnssec-trigger-control-setup.sh.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
+index 7cc305a..eede665 100644
+--- a/dnssec-trigger-control-setup.sh.in
++++ b/dnssec-trigger-control-setup.sh.in
+@@ -200,9 +200,9 @@ EOF
+ test -f request.cfg || error "could not create request.cfg"
+ 
+ echo "create $SVR_BASE.pem (self signed certificate)"
+-openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+-# create trusted usage pem
+-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
++openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
++# create trusted usage pem for CA, what are signed certs allowed to do?
++openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
+ 
+ # create client request and sign it, piped
+ cat >request.cfg < Date: Wed, 20 Nov 2024 17:01:01 +0100 Subject: [PATCH 5/7] Add recipe for adding custom server Related: RHEL-6597
---
 dnssec-trigger-0.17-server-recipe.patch | 59 +++++++++++++++++++++++++
 dnssec-trigger.spec | 2 +
 2 files changed, 61 insertions(+)
 create mode 100644 dnssec-trigger-0.17-server-recipe.patch
diff --git a/dnssec-trigger-0.17-server-recipe.patch b/dnssec-trigger-0.17-server-recipe.patch
new file mode 100644
index 0000000..a3f70d8
--- /dev/null
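Review bot: The rewritten `openssl x509` line replaces the `serverAuth` trust on `${SVR_BASE}_trust.pem` with `clientAuth` instead of adding to it, so anything that still loads that file to verify the server certificate loses its trust purpose; `-addtrust` may be repeated, so `openssl x509 -in "$SVR_BASE.pem" -addtrust serverAuth -addtrust clientAuth -out "${SVR_BASE}_trust.pem"` keeps both if the server side relies on it. The commit message describes the clientAuth trust as the goal, so this needs checking against the code that reads the trust file rather than changing blindly. The rewritten `openssl req` line still expands `$SVR_BASE.key` and `$SVR_BASE.pem` unquoted while the line below quotes the same variable; `-key "$SVR_BASE.key"` and `-out "$SVR_BASE.pem"` would make the two lines consistent. The tail of this hunk (`cat >request.cfg <`) is garbled on this page, and the heredoc and the rest of the script continue outside it.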
+++ b/dnssec-trigger-0.17-server-recipe.patch 
@@ -0,0 +1,59 @@
+From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Wed, 20 Nov 2024 16:58:48 +0100
+Subject: [PATCH] Add recipe for adding own server
+
+Until someone adds nice support for using just CA bundle and server
+name, allow specification by fingerprint obtained manually. Do not rely
+only on server provided by upstream.
+---
+ dnssec.conf | 4 ++--
+ example.conf.in | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec.conf b/dnssec.conf
+index bf896d3..4726ca1 100644
+--- a/dnssec.conf
++++ b/dnssec.conf
+@@ -38,7 +38,7 @@
+ #
+ # - See also security notes on the `add_wifi_provided_zones` option.
+ #
+-# validate_connection_provided_zones=yes
++# validate_connection_provided_zones=no
+ #
+ # - Connection provided zones will be configured in Unbound as secure forward
+ # zones, validated using DNSSEC.
+@@ -63,7 +63,7 @@
+ # Turning this option off has security implications, See the security
+ # notice above.
+ #
+-validate_connection_provided_zones=yes
++validate_connection_provided_zones=no
+ 
+ # add_wifi_provided_zones:
+ # ------------------------
+diff --git a/example.conf.in b/example.conf.in
+index dafd35d..f7e8a54 100644
+--- a/example.conf.in
++++ b/example.conf.in
+@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
+ ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ 
++# How to add your own record:
++# openssl s_client -connect example.com:443 -showcerts /tmp/dns.crt
++# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
++# Append returned sha256 Fingerprint after ssl443: IP-address section.
++
+ 
+ # Use VPN servers for all traffic
+ # use-vpn-forwarders: no
+ 
+@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
+ 
+ # Add domains provided by VPN connections into Unbound forward zones
+ # add-wifi-provided-zones: no
+-
+--
+2.47.0
+
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index c96f581..9928104 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -34,6 +34,8 @@ Patch5: dnssec-trigger-configure-c99.patch
 # https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
 Patch6: dnssec-trigger-0.17-allowed-characters.patch
 Patch7: dnssec-trigger-0.17-openssl-3.2.patch
+# https://github.com/NLnetLabs/dnssec-trigger/pull/15
+Patch8: dnssec-trigger-0.17-server-recipe.patch
 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22
From 6a978fe44e65fac2a9770928760ed49103177085 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 16:01:04 +0000 Subject: [PATCH 6/7] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
From 559a9eaee10979fae00e29fcc379a26a97e9496e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 19:24:40 +0000 Subject: [PATCH 7/7] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
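Review bot: The two `dnssec.conf` hunks of the nested patch change `validate_connection_provided_zones` from `yes` to `no`, in the commented example and in the live setting, while the context line directly above says `Turning this option off has security implications`; neither this commit's message (`Add recipe for adding custom server`) nor the nested patch description mentions the default change, so it reads as unrelated to the recipe and should be split into its own commit or justified in the message. In the `example.conf.in` recipe, `openssl s_client -connect example.com:443 -showcerts /tmp/dns.crt` has no redirection into `/tmp/dns.crt`, which may be page garbling (`</dev/null >/tmp/dns.crt` is the usual form) but is worth checking in the patch file as committed. The recipe also obtains the fingerprint over the very connection it is meant to pin, so the comment should add that the SHA-256 fingerprint be confirmed out of band with the server operator before it is appended. The `.spec` hunk on this line only registers Patch8 and needs nothing.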