Merge pull request #15792 from miodvallat/auth496

auth-4.9.7 secpoll & changelog

Document ill-fated 4.9.6 so that people aren't surprised too much.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Turns out it will be called 4.9.7

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Due to technical difficulties™, the release is postponed.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15791 from miodvallat/udon

lmdb NSEC3 record handling hygiene bugfix

Merge pull request #15793 from bagasme/pdnsutil-ref-fix

pdns: Fix pdnsutil cross-references

pdns: Fix pdnsutil cross-references

Sphinx reports unknown document warnings when building html-docs:

docs/backends/generic-sql.rst:104: WARNING: unknown document: pdnsutil
docs/backends/geoip.rst:94: WARNING: unknown document: pdnsutil
docs/changelog/4.0.rst:398: WARNING: unknown document: pdnsutil
docs/changelog/4.0.rst:420: WARNING: unknown document: pdnsutil
docs/changelog/4.1.rst:3: WARNING: unknown document: pdnsutil
docs/changelog/4.1.rst:3: WARNING: unknown document: pdnsutil
docs/changelog/4.1.rst:1: WARNING: unknown document: pdnsutil
docs/changelog/4.7.rst:15: WARNING: unknown document: pdnsutil
docs/changelog/4.7.rst:15: WARNING: unknown document: pdnsutil
docs/changelog/4.7.rst:16: WARNING: unknown document: pdnsutil
docs/changelog/4.7.rst:9: WARNING: unknown document: pdnsutil
docs/guides/basic-database.rst:80: WARNING: unknown document: pdnsutil
docs/guides/basic-database.rst:80: WARNING: unknown document: pdnsutil
docs/guides/basic-database.rst:80: WARNING: unknown document: pdnsutil
docs/running.rst:114: WARNING: unknown document: pdnsutil
docs/upgrading.rst:58: WARNING: unknown document: pdnsutil

Fix references to pdnsutil(1) manpage.

Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>

auth-4.9.6 secpoll & changelog

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

On second thought, revert 2a8a5c7629984e51b717494a23c0c6651de0b030.

We are only removing ENT when we know for sure that there are other
records for that name, so there is no risk of orphaning NSEC3 chains.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Only remove NSEC3 pairs when removing ENT if there are no other records.

This logic was added in 2a8a5c7629984e51b717494a23c0c6651de0b030 but is
too aggressive.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15789 from jsoref/disable-sarif

Disable check-spelling sarif for PowerDNS/pdns

Disable check-spelling sarif for PowerDNS/pdns

- At present, it's too complicated to rely on rulesets in combination
  with `pull_request` so it makes sense to turn it off for the main
  repository.

- Leave SARIF reporting enabled by default for repositories other than
  PowerDNS/pdns.

- When active, public repositories will need to add a code scanning
  ruleset if they want to use pull requests that are not cross-forks
  and they should not accept pull requests from forks as processing
  won't work.

- For private repositories, unless you're using GHEC and paying for
  Advanced Security, you'll want to set a repository actions variable
  `DO_NOT_USE_SARIF_REPORTING` (see `/settings/variables/actions`) to
  `1` to disable SARIF.
  - This commit fixes the logic for that.

Merge pull request #15767 from miodvallat/nsecticide

lmdb NSEC3 record handling hygiene

Only add NSEC3 record pairs in updateDNSSECOrderNameAndAuth() if doing NSEC3.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Also remove NSEC3 record pairs when removing ENT.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Do not attempt to write NSEC3 pairs pointing to ourselves.

The second record from the pair would end up overwriting the first one,
which could confuse the logic assuming pairs are always well-formed.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Simplify updateDNSSECOrderNameAndAuth() further wrt NSEC3 chains.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure we never leave dangling NSEC33333333333333333333333 chains in replaceRRSet().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Simplify NSEC3 chain update logic in updateDNSSECOrderNameAndAuth()...

...now that writeNSEC3RecordPair() can handle updates correctly.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15782 from omoerbeek/rec-pubsuffix-dist

rec: Only download pub suffix list if pubsuffix.cc is not available

Tweak logic in updateDNSSECOrderNameAndAuth(). NFC

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure writeNSEC3RecordPair() does not leave dangling chains.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Really avoid using d_rwtxn in writeNSEC3RecordPair().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Plumbing to let updateDNSSECOrderNameAndAuth tell NSEC apart from NSEC3.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15768 from bagasme/dnsdist-dot-yml

dnsdist: DoT docs update (YAML config)

Fix mkpubsuffix call to pass one argument

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rm now handled by trap

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Apply suggestions from code review from Miod

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

A litle bit more logging, so it's easier to see what's going on

It looks like meson hides build steps if they do not produce any output

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Add YAML version of DoT configurations

Convert incoming and outgoing DoT lua snippets to YAML format.

Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>

dnsdist: Update outgoing DNS-over-TLS/HTTPS support status

Support for outgoing DNS-over-TLS and DNS-over-HTTPS has been around
since version 1.7.0, but its status in the docs has not been updated
since then.

Update the status.

Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>

Merge pull request #15766 from omoerbeek/rec-coverity-20250702

rec: fix two Coverity reported resource leaks and add release() to FDWrapper

Merge pull request #15764 from miodvallat/unsec3break

fix coverity-reported stupid lmdb bug

rec: fix two Coverity reported resource leaks and add release() to FDWrapper()

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15763 from omoerbeek/auth-tsig-arc4random_buf

auth: Use arc4random(void *, size) in TSIG generation

Also adapt autotool build

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Don't save the .dat file, only the generated pubsuffix.cc

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: only include generated pubsuffix.cc in dist file

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Also use new dns_random(void *, size_t) for client cookie

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15577 from jsoref/check-spelling-0.0.25

Upgrade check-spelling to v0.0.25

Pass an explicit RecordsRWTransaction to writeNSEC3RecordPair.

Otherwise it would use d_rwtxn, which could be nullptr sometimes if
invoked invoked from updateDNSSECOrderNameAndAuth.

Regression introduced in 91df390a5583bfacb5fb7e646c03916da8afc477, reported
by Coverity.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15757 from Habbie/a-view-to-a-catz

views/catz: one bugfix plus some words

Merge pull request #15756 from omoerbeek/rec-coverity-20250626

rec: coverity 20250626

Upgrade check-spelling to v0.0.25

Refresh metadata based on
https://github.com/check-spelling/spell-check-this/commit/8749d8d8b30b5dfb272ae9b4579c07a8165fc273

- SARIF reporting is enabled by default
  - When active, public repositories will need to add a code scanning ruleset
  - For private repositories, unless you're using GHEC and paying for Advanced Security, you'll want to set a repository actions variable `DO_NOT_USE_SARIF_REPORTING` (see `/settings/variables/actions`) to `1` to disable SARIF

- Extend checking
  - `.rst` docs
  - pdns/dnsdistdist/dnsdist-settings-definitions.yml

spelling: www.linuxnetworks.de

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: www.infosecinstitute.com

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: www.gutenberg.org

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: web.archive.org

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: was

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: to

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: sourceware.org

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: sourceforge.io

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: setup,

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: set up

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: restriction

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: red hat

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: pdns

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: otherwise,

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: or

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: metronome.powerdns.com

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: mailarchive.ietf.org

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: incompatibility

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: https

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: geoip backend

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: for

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: fall back

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: export

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: evanjones.ca

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: equal

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: “edited_serial”

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: big-endian

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: berthub.eu

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: bert-hubert.blogspot.com

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: benchmarking

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: addresses

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: additional

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: a

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: 8b1ed87

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: 30

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: ; otherwise,

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: , or

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Remove obsolete download links

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

auth: Use arc4random(void *, size) in TSIG generation

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15758 from omoerbeek/rec-listen-v6-by-default

rec: start to listen on ::1 by default, but don't consider it an error if that fails

Remove no longer relevant comment

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15683 from PowerDNS/dependabot/pip/regression-tests.dnsdist/protobuf-6.31.1

build(deps): bump protobuf from 6.30.2 to 6.31.1 in /regression-tests.dnsdist

Merge pull request #15754 from rgacogne/ddist-warn-on-backend-certificate-validation-without-subject-name

dnsdist: Error if backend certificate validation is enabled without a subject name

Merge pull request #15747 from rgacogne/ddist-get-object-from-yaml-config

dnsdist: Add a Lua binding to get objects declared in YAML

document current views/catz interaction situation

Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>

Only allow the failure if the incoming.listen settings is default

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

catz producer: encode ZoneNames without their variants

Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>

rec: start to listen on ::1 by default, but don't consider it an error if it fails

Merge pull request #15751 from rgacogne/ddist-yaml-error-on-unsupported-backend-protocol

dnsdist: Error on unsupported backend protocols from YAML

Merge pull request #15755 from omoerbeek/rec-compile-docs

rec: Mention meson in compile instructions

Merge pull request #15707 from rgacogne/ddist-no-backend-crash

dnsdist: Prevent Lua bindings for backend from crashing on empty backend

dnsdist: Lowercase the TLS provider name for YAML-originated backends

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Error if backend certificate validation is enabled without a subject name

We can only validate if a proper subject name or subject address is passed,
and we do not want to silently disable validation, so let's refuse to start.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Add an explicit return type to getObjectFromYAMLConfiguration

As suggested by Otto.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #15750 from rgacogne/ddist-fix-logging-yaml

dnsdist: Fix logging and XSK YAML settings being ignored

Merge pull request #15718 from rgacogne/ddist-return-nil-for-non-existing-lua-objects

dnsdist: Return `nil` for non-existing Lua objects