dnsdist: Test accessing the rings via the console

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #15790 from jsoref/refresh-spelling-v0.0.25-2

Refresh spelling v0.0.25 2

Merge pull request #15803 from omoerbeek/rec-nsspeed-share

rec: add Lua hooks to dump and restore measured nameserver speed table

Merge pull request #15806 from miodvallat/entropy

auth: one less discrepancy between lmdb and sql backends

Merge pull request #15783 from omoerbeek/rec-docs-policy-mod

rec: polish docs describing how to modify policy decisions

Merge pull request #15794 from rgacogne/ddist-protocol-selector

dnsdist: Add a selector to match the incoming protocol

Merge pull request #15815 from rgacogne/ddist-fix-source-backend-yaml

dnsdist: Properly process the YAML source parameter for backends

Merge pull request #15813 from rgacogne/ddist-autotools-dlopen

dnsdist: Properly link with `libdl` when building with `autotools`

dnsdist: Properly process the YAML source parameter for backends

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Properly link with `libdl` when building with `autotools`

Depending on the system we might actually need to link with `libdl`
when our Rust library is used, and the mechanism to do that was not
properly set up when building with `autotools` (we were adding `LIBDL`
to the the libraries we need but the variable was not properly filled).
Unfortunately the systems we are exercising in our CI do not need to
explicitly link with `libdl` so we did not notice.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #15807 from omoerbeek/rec-prep-5.3.0-alpha2

Prep for rec-5.3.0-alpha2

Process review comments from rgacogne

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add missing files to testrunner sources

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Formatting

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

name of nsspeed entries can be empty (auth case)

Add test

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Documentation

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Reorg sources, split nsspeeds_t out into separate .cc and .hh

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add size limit

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Basic code to fill ns speed table from a dump

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Expose getNSSPeedsTable() to Lua script

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Dump ns speed map in protobuf format

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Prep for rec-5.3.0-alpha2

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Make updateEmptyNonTerminals conform to its specification...

...by performing the insertions (if any) when all ENT had to be removed
first.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15798 from miodvallat/flaggerbasted

lmdb NSEC3 record handling hygiene: return of the wrath of the seventh son of the phantom of the beast

Merge pull request #15799 from kpfleming/pblogger-rs

Add Protobuf logger written in Rust.

Merge pull request #15759 from elenril/preoutquery_force_tcp

rec: allow forcing TCP from preoutquery()

Tidy

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add test

rec: allow forcing TCP from preoutquery()

Merge pull request #15801 from rgacogne/ddist200rc1-changelog-secpoll

dnsdist: Prepare ChangeLog and security polling zone for 2.0.0-rc1

Merge pull request #15639 from Habbie/alma10

builder: add el-10 target, based on rockylinux:10 for now

Merge pull request #15788 from neheb/npd

clang-tidy: replace lock_guard with scoped_lock

clang-tidy: replace lock_guard with scoped_lock

Found with modernize-use-scoped-lock

Signed-off-by: Rosen Penev <rosenp@gmail.com>

docs: add new targets to daily master builds

nit

dnsdist: Use the correct month for the release date

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Address review feedback.

Eliminate some code duplication.

Improve make_addr_port by letting SocketAddrV4/V6 format themselves.

Add Protobuf logger written in Rust.

This was inspired by the ProtobufLogger.py already present in the
'contrib' directory.

In addition to being written in Rust instead of Python, there are
various other differences:

* Each line of output is prefixed with the sender's 'socket address'
  (IP address and port number).

* Messages from multiple clients will be properly output, they will
  not be mixed.

* Timestamp format is slightly different (full ISO-8601 with UTC
  offset).

* Command-line arguments are handled by a full parser, which can
  generate help text and report the program's version.

* All 'optional' fields in the protobuf messages are checked for
  presence before being read.

* Output to stdout will never block reception/decoding/formatting of
  protobuf messages; if stdout blocks for some reason, incoming
  messages will be stored in memory until they can be printed.

* Summary, meta, and question lines are printed; responses are not,
  nor is OpenTelemetry data. Future work for another contributor!

* 'meta' output is untested.

* A Cargo feature 'opentelemetry' is available to be the starting
  point of OT support.

No AI or LLM tools were used in the creation or testing of this code.

dnsdist: Prepare ChangeLog and security polling zone for 2.0.0-rc1

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #15792 from miodvallat/auth496

auth-4.9.7 secpoll & changelog

Document ill-fated 4.9.6 so that people aren't surprised too much.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Turns out it will be called 4.9.7

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Better name for a local variable. NFC

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Stricter handling of the `hasOrderName` LMDBResourceRecord field.

The value of this field is intended to reflect whether there are NSEC3
chain records with the same qname. This commit tries harder to keep it
in sync with the actual state of the database.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Tweak boolean logic to make it more readable.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Pass false to updateDNSSECOrderNameAndAuth if NSEC3 but narrow.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Rename the 'ordername' flag of in-db DNSResourceRecords for clarity.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Refresh check-spelling metadata

... based on https://github.com/check-spelling/spell-check-this/commit/331af7c8daa9a57f32759f32eba72558746a0e77

spelling: write a very short summary

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: when, ...

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: when loading

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: to which the record belongs

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: to use

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Due to technical difficulties™, the release is postponed.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15791 from miodvallat/udon

lmdb NSEC3 record handling hygiene bugfix

dnsdist: Add a regression test for the incoming protocol selector

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #15793 from bagasme/pdnsutil-ref-fix

pdns: Fix pdnsutil cross-references

pdns: Fix pdnsutil cross-references

Sphinx reports unknown document warnings when building html-docs:

docs/backends/generic-sql.rst:104: WARNING: unknown document: pdnsutil
docs/backends/geoip.rst:94: WARNING: unknown document: pdnsutil
docs/changelog/4.0.rst:398: WARNING: unknown document: pdnsutil
docs/changelog/4.0.rst:420: WARNING: unknown document: pdnsutil
docs/changelog/4.1.rst:3: WARNING: unknown document: pdnsutil
docs/changelog/4.1.rst:3: WARNING: unknown document: pdnsutil
docs/changelog/4.1.rst:1: WARNING: unknown document: pdnsutil
docs/changelog/4.7.rst:15: WARNING: unknown document: pdnsutil
docs/changelog/4.7.rst:15: WARNING: unknown document: pdnsutil
docs/changelog/4.7.rst:16: WARNING: unknown document: pdnsutil
docs/changelog/4.7.rst:9: WARNING: unknown document: pdnsutil
docs/guides/basic-database.rst:80: WARNING: unknown document: pdnsutil
docs/guides/basic-database.rst:80: WARNING: unknown document: pdnsutil
docs/guides/basic-database.rst:80: WARNING: unknown document: pdnsutil
docs/running.rst:114: WARNING: unknown document: pdnsutil
docs/upgrading.rst:58: WARNING: unknown document: pdnsutil

Fix references to pdnsutil(1) manpage.

Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>

auth-4.9.6 secpoll & changelog

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

dnsdist: Add a selector to match the incoming protocol

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

On second thought, revert 2a8a5c7629984e51b717494a23c0c6651de0b030.

We are only removing ENT when we know for sure that there are other
records for that name, so there is no risk of orphaning NSEC3 chains.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Only remove NSEC3 pairs when removing ENT if there are no other records.

This logic was added in 2a8a5c7629984e51b717494a23c0c6651de0b030 but is
too aggressive.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15789 from jsoref/disable-sarif

Disable check-spelling sarif for PowerDNS/pdns

Disable check-spelling sarif for PowerDNS/pdns

- At present, it's too complicated to rely on rulesets in combination
  with `pull_request` so it makes sense to turn it off for the main
  repository.

- Leave SARIF reporting enabled by default for repositories other than
  PowerDNS/pdns.

- When active, public repositories will need to add a code scanning
  ruleset if they want to use pull requests that are not cross-forks
  and they should not accept pull requests from forks as processing
  won't work.

- For private repositories, unless you're using GHEC and paying for
  Advanced Security, you'll want to set a repository actions variable
  `DO_NOT_USE_SARIF_REPORTING` (see `/settings/variables/actions`) to
  `1` to disable SARIF.
  - This commit fixes the logic for that.

spelling: the second signals

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: that the

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: that must match the tag

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: that delivered the

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: that a

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: process sigusr1

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: into the recursor and can be enabled using the

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: in the future,

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: from which the ixfrs are consumed

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: corresponding to the query

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

deal with rpm-only or deb-only builds

remove test builds for targets we actually ship

start shipping el-10 packages

builder: avoid duplicate installation of meson/quiche/rust

builder: add el-10 target, based on rockylinux:10 for now

Merge pull request #15767 from miodvallat/nsecticide

lmdb NSEC3 record handling hygiene

Tweaks based on Miod's suggestions

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Only add NSEC3 record pairs in updateDNSSECOrderNameAndAuth() if doing NSEC3.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Also remove NSEC3 record pairs when removing ENT.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Do not attempt to write NSEC3 pairs pointing to ourselves.

The second record from the pair would end up overwriting the first one,
which could confuse the logic assuming pairs are always well-formed.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Simplify updateDNSSECOrderNameAndAuth() further wrt NSEC3 chains.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure we never leave dangling NSEC33333333333333333333333 chains in replaceRRSet().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Simplify NSEC3 chain update logic in updateDNSSECOrderNameAndAuth()...

...now that writeNSEC3RecordPair() can handle updates correctly.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15782 from omoerbeek/rec-pubsuffix-dist

rec: Only download pub suffix list if pubsuffix.cc is not available

Tweak logic in updateDNSSECOrderNameAndAuth(). NFC

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure writeNSEC3RecordPair() does not leave dangling chains.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Really avoid using d_rwtxn in writeNSEC3RecordPair().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Plumbing to let updateDNSSECOrderNameAndAuth tell NSEC apart from NSEC3.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

rec: polish docs describing how to modify policy decisions

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15768 from bagasme/dnsdist-dot-yml

dnsdist: DoT docs update (YAML config)

Fix mkpubsuffix call to pass one argument

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rm now handled by trap

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Apply suggestions from code review from Miod

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>