Support <class> <ttl> <type> in zonefiles [#942].

pass policy to rrset_signer (#932)

Update cryptography requirement from >=2.6,<41.0 to >=2.6,<42.0 (#937)

Updates the requirements on [cryptography](https://github.com/pyca/cryptography) to permit the latest version.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/2.6...41.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bump sphinx-rtd-theme from 1.2.0 to 1.2.1 (#933)

Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 1.2.0 to 1.2.1.
- [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst)
- [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/1.2.0...1.2.1)

---
updated-dependencies:
- dependency-name: sphinx-rtd-theme
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Httpx now has a socket_options parameter in its NetworkBackends.

We accept this parameter if it is given, but do not actually do
anything with it.  In theory this shouldn't be a problem as we're
never passing it either in the cases where we use our backends.

try again to make doco builds work again by upgrading the build image

try to make doco builds work again by upgrading the build image

more requests cleanup

Deal with "in" changes for enums in python 3.12

In python 3.12, "in" for enums tests values as well, so something
like "12345 in dns.rdatatype.RdataType" will now return True.  This
broke some logic guarding against registering a known-but-unimplmemented
type code point with a class that didn't have the right name.  We now
just give up on this test as it will never be a real problem.  We change
a few related tests to be more sensible.

Add support for ruff linter.

Fix NSEC3 base32 processing. (#929)

The NSEC3 next name field is defined as base32 with no padding, but the
code was doing base32 decoding with padding.  This wouldn't have any
effect in the normal case, since the only defined NSEC3 hashing
algorithm is SHA1, and that generates a 160 bit hash that doesn't
require padding when encoded in base32.

This change removes generated padding after encode, rejects padded input
on decode, and adds necessary padding for decode.

resolve_at() type fixes

Add make_resolver_at() and resolve_at(). (#926)

simplify DDR text

Remove unnecessary string concatenation.

Note 3.8 as the minimum for 2.4 (3.7 is EOL at the end of June).

Add basic DDR support. (#919)

* Add basic DDR support.

Message get_rrset() needs to pass idna_codec to find_rrset().
Also removes some lint about "section = section" being a no-op.

run black on enum.py

Enum typing (#923)

* IntEnum improvements.

This changes make() to always return an instance of the subclass,
creating one on the fly if the value is not known, and updates the typ
registration code to deal with this.  It also adds typing annotations to
make().

* Add missing int check.

Some older versions of python weren't rejecting non-int values.

* Fix int check.

Raise TypeError for non-int, not ValueError, to make tests happy.

* Annotate to_text/from_text.

* Remove many the_ prefixed variables.

These were needed in the past to work around typing issues.

Improve get_rrset/find_rrset API. (#922)

* Improve get_rrset/find_rrset API.

This allows most of the parameters to be specified as strings, matching
the interface for dns.message.make_query().

* Remove unneeded "the_section".

There's no need to use a separate internal variable for the section;
mypy doesn't complain about reuse.

Bump readthedocs-sphinx-search from 0.2.0 to 0.3.1 (#920)

Bumps [readthedocs-sphinx-search](https://github.com/readthedocs/readthedocs-sphinx-search) from 0.2.0 to 0.3.1.
- [Release notes](https://github.com/readthedocs/readthedocs-sphinx-search/releases)
- [Changelog](https://github.com/readthedocs/readthedocs-sphinx-search/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/readthedocs/readthedocs-sphinx-search/commits)

---
updated-dependencies:
- dependency-name: readthedocs-sphinx-search
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Add some missing resolver doco.

run black

Clean up the NoDOH exception.

The docstring/default should refer to httpx, not requests, and the
callers should use it rather than providing alternate (and different)
strings.

Add server_hostname to DoQNameserver.

lint

Optionally allow server hostname to be checked by QUIC.

Update cryptography requirement from >=2.6,<40.0 to >=2.6,<41.0 (#917)

Updates the requirements on [cryptography](https://github.com/pyca/cryptography) to permit the latest version.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/2.6...40.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Note DNSSEC zone signing (NSEC) is now available.

Zone signer (#911)

* first cut at NSEC support

* use transactions, fix delegations

* rename to add_nsec_to_zone

* optimize NSEC generation

* split out function to get all secure names (could be useful for NSEC3 later)

* add `Bitmap.from_rdtypes()` and add missing typing

* more typing

* add missing import

* add more typing

* fix tok type

* remove _get_secure_names, optimize

* better zone testing (compare as text)
add test example with delegation below other delegation

* include NSEC itself in the bitmap

* lint

* Add names iteration to transactions via iterate_names().

Also make rdataset iteration more obvious by adding an
explicit iterate_rdatasets() API.

* use iterate_names()

* typo

* black

* use single iteration

* better type fix

* add optional transaction to add_nsec_to_zone

* idea for zone signer

* do not sign RRSIGs

* fix signer

* correctly sign DS

* simplify

* simplify by passing rrset to signer

* fix typing

* nit

* add DS

* add more test

* rewrite zone signer

* compact

* simplify

* make easier to read

* bring back rrset_signer

* move default RRset signer

* more

* more

* prettier context handling (mypy issue pending)

* make NSEC zone signer less complex

* update

* fix txn, sign as defined by SEP

* docs

* add back missing dnskey_include

* rename dnskey_include to add_dnskey

* check KSK/ZSK key tags in signed zone

---------

Co-authored-by: Bob Halley <halley@dnspython.org>

linting + have asyncio HTTP code actually connect to right address

re-run black

More curio cleanups.

Better DNS-over-HTTPS support. (#908)

This change:

Allows resolution hostnames in URLs using dnspython's resolver
or via a bootstrap address, without rewriting URLs.

Adds full support for source addresses and ports to
httpx, except for asyncio I/O where only the source address
can be specified.

Removes support for requests.

Add names iteration to transactions via iterate_names(). (#907)

Also make rdataset iteration more obvious by adding an
explicit iterate_rdatasets() API.

Update wheel requirement from ^0.38.1 to ^0.40.0 (#910)

Updates the requirements on [wheel](https://github.com/pypa/wheel) to permit the latest version.
- [Release notes](https://github.com/pypa/wheel/releases)
- [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
- [Commits](https://github.com/pypa/wheel/compare/0.38.1...0.40.0)

---
updated-dependencies:
- dependency-name: wheel
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

remove a curio reference that missed the first pass

Remove curio support.

lint

add Bitmap.from_rdtypes() (#906)

* add `Bitmap.from_rdtypes()` and add missing typing

* more typing

* add missing import

* add more typing

* fix tok type

Add dns.resolver.resolve_name(). (#903)

* Add dns.resolver.resolve_name().

* Add missing type annotations.

* Add async resolve_name().

* Replace List[Answer] with HostAnswers.

* Switch addresses_and_families() tuple order

* Fix comment.

Remove the DSA signature test, as it can fail in certain
OpenSSL 3 with the FIPS 140-3 module, as the module will not
generate keys with a "q" size that is representable in DNSSEC.

Fix hangs when QUIC connection fails [#899]. (#900)

This also fixes problems with computing the wait_for() timeout for
the sync and asyncio ports, and fixes delivery of the timeout for
the sync port.

Make a few nameserver changes that missed getting added to the PR.

Resolver "nameserver" object support. (#897)

* Resolver "nameserver" object support.

This turns the list of nameserver strings in the resolver into a tuple
of nameserver objects, which abstract away making queries to a
nameserver of a given type.

The resolver's legacy nameserver list is "enriched" into a tuple of
nameserver objects whenever it is set.  Note that you cannot mutate
the object other than by setting,
e.g. res.nameservers.append("1.2.3.4") will not work.

Error message accumulation has been updated to refer to the
nameservers using a descriptive text form.

* doco fix

* more doco fixes

* do enrichment at Resolution time

* require a later mypy, fix type issues

* add nameserver doc

Fix typos.

Add dns.quic to setup.cfg for legacy setup.py installs [#896]

Bump sphinx-rtd-theme from 1.1.1 to 1.2.0 (#894)

Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 1.1.1 to 1.2.0.
- [Release notes](https://github.com/readthedocs/sphinx_rtd_theme/releases)
- [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst)
- [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/1.1.1...1.2.0)

---
updated-dependencies:
- dependency-name: sphinx-rtd-theme
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

add more minor typehints (#889)

Update black requirement from ^22.1.0 to ^23.1.0 (#892)

Updates the requirements on [black](https://github.com/psf/black) to permit the latest version.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/22.1.0...23.1.0)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bump readthedocs-sphinx-search from 0.1.2 to 0.2.0 (#891)

Bumps [readthedocs-sphinx-search](https://github.com/readthedocs/readthedocs-sphinx-search) from 0.1.2 to 0.2.0.
- [Release notes](https://github.com/readthedocs/readthedocs-sphinx-search/releases)
- [Changelog](https://github.com/readthedocs/readthedocs-sphinx-search/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/readthedocs/readthedocs-sphinx-search/commits)

---
updated-dependencies:
- dependency-name: readthedocs-sphinx-search
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

The DS digest_type field is now made a DSDigest instance by the constructor (#890)

Hey @rthalley

I found another place in the code there, you may have gotten "distracted" 😉 as you phrased it in
https://github.com/rthalley/dnspython/issues/888#issuecomment-1402198449

So, I just made a pull request this time

The DNSKEY flags field is now made a Flag instance by the constructor.

More doco updates for 2.4

Add missing quic files to setup.py cythonize [#887].

Add deprecation note about the Resolver nameserver attribute.

Make Coverity happier [#882].

Use 'https' instead of 'http' for dnspython.org (#883)

These days, 'https' should be used instead of 'http' for almost
anything, and Coverity is warning that dnspython.org URL in 'setup.cfg'
uses 'http'.

This patch changes the use of 'http' to 'https' on setup.cfg and
documentation, where it does not affect module code, tests or examples.

remove obsolete lgtm link

Remove obsolete comment (#873)

Update cryptography requirement from >=2.6,<39.0 to >=2.6,<40.0 (#878)

Updates the requirements on [cryptography](https://github.com/pyca/cryptography) to permit the latest version.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/2.6...39.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Update SECURITY.md to 2.3.x

Update versions and CI post 2.3 branch.

update whatsnew

lint

DNSSEC doco fixes.

CDS/CDNSKEY utilities (#872)

Add CDS and CDNSKEY utilities:

make_cdnskey()
make_cds()
make_ds_rdataset()
cds_rdataset_to_ds_rdataset()
dnskey_rdataset_to_cds_rdataset()
dnskey_rdataset_to_cdnskey_rdataset()

Update pocov Makefile rule for coverage 7.0.0.

Update coverage requirement from ^6.0 to ^7.0 (#874)

Updates the requirements on [coverage](https://github.com/nedbat/coveragepy) to permit the latest version.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/6.0...7.0.0)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Fix async quic() doco.

Properly pass source and source_port to connect() in the sync version of quic().

Fix misc. lint.

Remove unsupported python case (#871)

DNSSEC policy. (#869)

add DNSSEC sign() to whatsnew

add sign and make_dnskey functions (#868)

Improve DNSSEC _doco, minor DNSSEC and typing tweaks.

DNSSEC signer (#866)

* first cut at key_to_dnskey

* update docs

* typo

* use real test vectors for DNSKEY

* comment

* split

* add test for large exponent size

* rename to make_dnskey

* no default algorithm

* rename and add comment

* split out function to create rrsig signature data

* docs

* add type for public key

* more typing

* make RSA exponent key test easier to read

* work in progress for dns.dnssec.sign

* better docs

* docs

* simplify

* add test with RSASHA1

* initial support for DSA

* update docs

* clean up DSA, t still not clear

* allow inception/expiration to be specified as datetime, string, float or in

* allow rrset to be specified as a tuple

* calculate dsa_t

* reformat

* more rrset tuple fixes

* support DSA

* improve exception handling

* fix return type error

* fix typing issue to silence mypy

* make test case more verbose

* ensure UTC and use sigtime_to_posixtime to convert text to timestamp

Add NSEC3 RFC to doco.

Add more DNSSEC RFCs.

One more RFC text tweak.

More RFC updates.

More whatsnew updates.

Merge pull request #863 from rbrins/master

changed docs dns.resolver.Answer response to QueryMessage

changed docs dns.resolver.Answer response to QueryMessage

Basic SVCB and HTTPS doco.

Add some more RFCs.

Improve AMTRELAY doco.

Add doco for AMTRELAY, L32, L64, LP, and NID.

Make generate-rdatatype-doc.py work properly again.

Test on 3.10 still for windows as aioquic does not build without openssl source.

DoQ packing and testing tweaks

Fix type lint from latest mypy.

Merge pull request #842 from rthalley/quic

Initial DoQ support.

Merge pull request #858 from rthalley/dependabot/pip/sphinx-rtd-theme-1.1.1

Bump sphinx-rtd-theme from 1.1.0 to 1.1.1

Bump sphinx-rtd-theme from 1.1.0 to 1.1.1

Bumps [sphinx-rtd-theme](https://github.com/readthedocs/sphinx_rtd_theme) from 1.1.0 to 1.1.1.
- [Release notes](https://github.com/readthedocs/sphinx_rtd_theme/releases)
- [Changelog](https://github.com/readthedocs/sphinx_rtd_theme/blob/master/docs/changelog.rst)
- [Commits](https://github.com/readthedocs/sphinx_rtd_theme/compare/1.1.0...1.1.1)

---
updated-dependencies:
- dependency-name: sphinx-rtd-theme
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #856 from GlennChia/docs/fix-typo-examples

docs: programs typo

docs: programs typo

Merge pull request #852 from rthalley/dependabot/pip/sphinx-rtd-theme-1.1.0

Bump sphinx-rtd-theme from 1.0.0 to 1.1.0