From 0c89edf730dc112309bd284cff87af69c267b135 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 20 Nov 2024 17:01:01 +0100
Subject: [PATCH 1/3] Add recipe for adding custom server

Related: RHEL-6597
---
 dnssec-trigger-0.17-server-recipe.patch | 59 +++++++++++++++++++++++++
 dnssec-trigger.spec | 2 +
 2 files changed, 61 insertions(+)
 create mode 100644 dnssec-trigger-0.17-server-recipe.patch

diff --git a/dnssec-trigger-0.17-server-recipe.patch b/dnssec-trigger-0.17-server-recipe.patch
new file mode 100644
index 0000000..a3f70d8
--- /dev/null
+++ b/dnssec-trigger-0.17-server-recipe.patch
@@ -0,0 +1,59 @@
+From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Wed, 20 Nov 2024 16:58:48 +0100
+Subject: [PATCH] Add recipe for adding own server
+
+Until someone adds nice support for using just CA bundle and server
+name, allow specification by fingerprint obtained manually. Do not rely
+only on server provided by upstream.
+---
+ dnssec.conf | 4 ++--
+ example.conf.in | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec.conf b/dnssec.conf
+index bf896d3..4726ca1 100644
+--- a/dnssec.conf
++++ b/dnssec.conf
+@@ -38,7 +38,7 @@
+ #
+ # - See also security notes on the `add_wifi_provided_zones` option.
+ #
+-# validate_connection_provided_zones=yes
++# validate_connection_provided_zones=no
+ #
+ # - Connection provided zones will be configured in Unbound as secure forward
+ # zones, validated using DNSSEC.
+@@ -63,7 +63,7 @@
+ # Turning this option off has security implications, See the security
+ # notice above.
+ #
+-validate_connection_provided_zones=yes
++validate_connection_provided_zones=no
+ 
+ # add_wifi_provided_zones:
+ # ------------------------
+diff --git a/example.conf.in b/example.conf.in
+index dafd35d..f7e8a54 100644
+--- a/example.conf.in
++++ b/example.conf.in
+@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
+ ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ 
++# How to add your own record:
++# openssl s_client -connect example.com:443 -showcerts /tmp/dns.crt
++# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
++# Append returned sha256 Fingerprint after ssl443: IP-address section.
++
+ # Use VPN servers for all traffic
+ # use-vpn-forwarders: no
+ 
+@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
+ 
+ # Add domains provided by VPN connections into Unbound forward zones
+ # add-wifi-provided-zones: no
+-
+-- 
+2.47.0
+
diff --git a/dnssec-trigger.spec b/dnssec-trigger.spec
index c96f581..9928104 100644
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@@ -34,6 +34,8 @@ Patch5: dnssec-trigger-configure-c99.patch
 # https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
 Patch6: dnssec-trigger-0.17-allowed-characters.patch
 Patch7: dnssec-trigger-0.17-openssl-3.2.patch
+# https://github.com/NLnetLabs/dnssec-trigger/pull/15
+Patch8: dnssec-trigger-0.17-server-recipe.patch
 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22

From 6a978fe44e65fac2a9770928760ed49103177085 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Thu, 16 Jan 2025 16:01:04 +0000
Subject: [PATCH 2/3] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild

From 559a9eaee10979fae00e29fcc379a26a97e9496e Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Wed, 23 Jul 2025 19:24:40 +0000
Subject: [PATCH 3/3] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
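Review bot: The nested dnssec.conf hunks at `@@ -38,7 +38,7 @@` and `@@ -63,7 +63,7 @@` flip `validate_connection_provided_zones` from `yes` to `no` — both the commented example and the live default — which the surrounding comment itself says has security implications, yet neither the outer commit message ("Add recipe for adding custom server") nor the inner one mentions it. Unless that default change is intended and documented, the two lines `++# validate_connection_provided_zones=no` and `++validate_connection_provided_zones=no` should be dropped from the nested patch so a recipe comment does not silently weaken the shipped default. In the example.conf.in recipe, `openssl s_client -connect example.com:443 -showcerts /tmp/dns.crt` never writes that file because s_client takes no output path; the line should read `openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt` so the following `openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256` has a certificate to read. The comment would also be more useful if it said that a fingerprint printed from an unauthenticated fetch should be cross-checked with the server operator out of band, since as written it pins whatever answered the connection.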