Only add NSEC3 record pairs in updateDNSSECOrderNameAndAuth() if doing NSEC3.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Also remove NSEC3 record pairs when removing ENT.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Do not attempt to write NSEC3 pairs pointing to ourselves.

The second record from the pair would end up overwriting the first one,
which could confuse the logic assuming pairs are always well-formed.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Simplify updateDNSSECOrderNameAndAuth() further wrt NSEC3 chains.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure we never leave dangling NSEC33333333333333333333333 chains in replaceRRSet().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Simplify NSEC3 chain update logic in updateDNSSECOrderNameAndAuth()...

...now that writeNSEC3RecordPair() can handle updates correctly.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Tweak logic in updateDNSSECOrderNameAndAuth(). NFC

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure writeNSEC3RecordPair() does not leave dangling chains.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Really avoid using d_rwtxn in writeNSEC3RecordPair().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Plumbing to let updateDNSSECOrderNameAndAuth tell NSEC apart from NSEC3.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15766 from omoerbeek/rec-coverity-20250702

rec: fix two Coverity reported resource leaks and add release() to FDWrapper

Merge pull request #15764 from miodvallat/unsec3break

fix coverity-reported stupid lmdb bug

rec: fix two Coverity reported resource leaks and add release() to FDWrapper()

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15763 from omoerbeek/auth-tsig-arc4random_buf

auth: Use arc4random(void *, size) in TSIG generation

Also use new dns_random(void *, size_t) for client cookie

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15577 from jsoref/check-spelling-0.0.25

Upgrade check-spelling to v0.0.25

Pass an explicit RecordsRWTransaction to writeNSEC3RecordPair.

Otherwise it would use d_rwtxn, which could be nullptr sometimes if
invoked invoked from updateDNSSECOrderNameAndAuth.

Regression introduced in 91df390a5583bfacb5fb7e646c03916da8afc477, reported
by Coverity.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15757 from Habbie/a-view-to-a-catz

views/catz: one bugfix plus some words

Merge pull request #15756 from omoerbeek/rec-coverity-20250626

rec: coverity 20250626

Upgrade check-spelling to v0.0.25

Refresh metadata based on
https://github.com/check-spelling/spell-check-this/commit/8749d8d8b30b5dfb272ae9b4579c07a8165fc273

- SARIF reporting is enabled by default
  - When active, public repositories will need to add a code scanning ruleset
  - For private repositories, unless you're using GHEC and paying for Advanced Security, you'll want to set a repository actions variable `DO_NOT_USE_SARIF_REPORTING` (see `/settings/variables/actions`) to `1` to disable SARIF

- Extend checking
  - `.rst` docs
  - pdns/dnsdistdist/dnsdist-settings-definitions.yml

spelling: www.linuxnetworks.de

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: www.infosecinstitute.com

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: www.gutenberg.org

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: web.archive.org

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: was

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: to

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: sourceware.org

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: sourceforge.io

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: setup,

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: set up

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: restriction

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: red hat

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: pdns

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: otherwise,

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: or

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: metronome.powerdns.com

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: mailarchive.ietf.org

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: incompatibility

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: https

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: geoip backend

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: for

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: fall back

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: export

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: evanjones.ca

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: equal

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: “edited_serial”

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: big-endian

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: berthub.eu

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: bert-hubert.blogspot.com

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: benchmarking

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: addresses

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: additional

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: a

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: 8b1ed87

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: 30

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: ; otherwise,

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: , or

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Remove obsolete download links

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

auth: Use arc4random(void *, size) in TSIG generation

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15758 from omoerbeek/rec-listen-v6-by-default

rec: start to listen on ::1 by default, but don't consider it an error if that fails

Remove no longer relevant comment

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15683 from PowerDNS/dependabot/pip/regression-tests.dnsdist/protobuf-6.31.1

build(deps): bump protobuf from 6.30.2 to 6.31.1 in /regression-tests.dnsdist

Merge pull request #15754 from rgacogne/ddist-warn-on-backend-certificate-validation-without-subject-name

dnsdist: Error if backend certificate validation is enabled without a subject name

Merge pull request #15747 from rgacogne/ddist-get-object-from-yaml-config

dnsdist: Add a Lua binding to get objects declared in YAML

document current views/catz interaction situation

Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>

Only allow the failure if the incoming.listen settings is default

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

catz producer: encode ZoneNames without their variants

Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>

rec: start to listen on ::1 by default, but don't consider it an error if it fails

Merge pull request #15751 from rgacogne/ddist-yaml-error-on-unsupported-backend-protocol

dnsdist: Error on unsupported backend protocols from YAML

Merge pull request #15755 from omoerbeek/rec-compile-docs

rec: Mention meson in compile instructions

Merge pull request #15707 from rgacogne/ddist-no-backend-crash

dnsdist: Prevent Lua bindings for backend from crashing on empty backend

dnsdist: Lowercase the TLS provider name for YAML-originated backends

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Error if backend certificate validation is enabled without a subject name

We can only validate if a proper subject name or subject address is passed,
and we do not want to silently disable validation, so let's refuse to start.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Add an explicit return type to getObjectFromYAMLConfiguration

As suggested by Otto.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #15750 from rgacogne/ddist-fix-logging-yaml

dnsdist: Fix logging and XSK YAML settings being ignored

Merge pull request #15718 from rgacogne/ddist-return-nil-for-non-existing-lua-objects

dnsdist: Return `nil` for non-existing Lua objects

rec: Mention meson in compile instructions

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Use a more leightweight struct to pass the initial Span data, we're only using a few fields

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: a few minor Coverity cases in the new OpenTelemetry trace code

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15752 from omoerbeek/rec-rustweb-vs-handler

rec: don't let rust code and handler use thread pipes simultaneously

dnsdist: Prevent Lua bindings for backend from crashing on empty backend

We currently return an empty `std::shared_ptr` when the backend is not
set (self-answered response, for example), and unfortunately LuaWrapper
is not smart enough to make that equivalent to `nil`, so testing whether
the backend is valid from Lua is not possible. While I would prefer to
fix that, this fix prevents us from crashing when calling the bindings
associated to a backend with an empty shared pointer.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix logging and XSK YAML settings being ignored

It turns out that the configuration we receive from the
serde parser was not correctly translated to our own
configuration.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Error on unsupported backend protocols from YAML

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Add a regression test for `getObjectFromYAMLConfiguration`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Add a Lua binding to get objects declared in YAML

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #15745 from miodvallat/nsec3_to_deceive

"simple" lmdb code factoring

Merge pull request #15753 from miodvallat/clever_breakage

Unbreak auth tests

Merge pull request #15744 from bagasme/dnsdist-installing-update

dnsdist: Mention compiling with meson

Fix oracle after merge of #15417.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15748 from omoerbeek/rec-meson-python-version

rec meson: check python version to be at least 3.8

Merge pull request #15417 from miodvallat/some_other_afternoon

[tools] Let pdnsutil always setup a SOA-EDIT-API metadata when creating zones

More logic worth factoring in getBeforeAndAfterNames().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Rewrite the now-deobfuscated logic into two getAfterForward calls.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

rec meson: check python version to be at least 3.8

Fixes #15732

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #15746 from omoerbeek/rec-fix-sysconf-debian

rec: Fix sysconfdir in debian packages built by meson

rec: don't let rust code and handler use thread pipes simultaneously

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Deobfuscate a loop variable.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Factor trailing code of getBeforeAndAfterNamesAbsolute(). NFCI

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Remove duplicate assignment.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #15730 from renaudallard/patch-1

rec: Correct zonetocaches settings example