tcpiohandler: Some versions of GnuTLS require `gnutls/socket.h` for `gnutls_transport_set_fastopen`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

meson: Add missing checks for `TLS_client_method`, `gnutls_transport_set_fastopen`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16902 from miodvallat/removeelse

auth: loosen check in NotificationQueue::removeIf

Ignore port numbers in removeIf() if either ComboAddress lacks one.

Fixes: #13576
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16890 from rgacogne/ddist-fix-latency-again

dnsdist: Clean up the type mess around latency metrics (again)

Merge pull request #16898 from rgacogne/ddist-do-no-start-network-listener-in-config-check

dnsdist: Don't start the NetworkListener thread in config check mode

dnsdist: Don't start the NetworkListener thread in config check mode

Not only is this useless, there is a risk of race if the thread is not
created quickly enough, so when the main thread reaches the end of the
configuration and exits the new thread tries to access an object that
has been freed.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16897 from milzi234/chore/docs_spog_section

chore(docs site): add single pane of glass

chore(docs site): add single pane of glass

Merge pull request #16879 from rgacogne/ddist-unset-tag

dnsdist: Add actions, methods and FFI functions to unset a tag

Merge pull request #16881 from rgacogne/ddist-excluded-entries-should-not-count-toward-super-subnet-limit

dnsdist: Subnets excluded from dynamic rules should not count towards thresholds

Merge pull request #16893 from omoerbeek/rec-prep-5.4.0-rc1

rec: Prep for rec-5.4.0-rc1 release

Merge pull request #16887 from rgacogne/ddist-fix-invalid-substr-use-dnsparser

dnsdist: Fix invalid `substr()` use in the DNS overlay parser

Prep for rec-5.4.0-rc1 release

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Clean up the type mess around latency metrics (again)

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix invalid `substr()` use in the DNS overlay parser

`std::basic_string_view<CharT,Traits>::substr`'s second parameter is a length,
not an iterator or a position, so the existing code was misusing it and
creating a view that potentially expanded outside of the packet.
However currently the view is never used to read more than
`record.d_contentOffset` (we are passing it immediately to `makeComboAddressFromRaw`
with `record.d_contentLength` as the length) and `record.d_contentOffset`
has been validated right before to be either `4` or `16`, so
there is no out-of-bounds read.
This issue has been introduced in b6f9a21db93ee25ec665dc5f65e87eb7adebd102 and
is not included in any stable release, so no need to backport
the fix.

Reported by Nyaz360 in YWH-PGM6095-85, thanks a lot!

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16858 from omoerbeek/rec-dot-client-cert

re: add feature to optionally use a client certificate for outgoing DoT

Better python formatting from @rgacogne

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add docs

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Fix race and test and check subject of client cert and add PEM test

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add test for Dot with client cert

When run individually, the new test works. But there seems to be a race
condition: in some cases old responders look to be still running, making
subsequent test fail on larger test runs.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Tidy existing TLS tests a bit

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Generate cert to use as client cert in tests

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Basic infra for client cert

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Refactor key setup so it isn's tied to server-only code

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Subnets excluded from dynamic rules should not count towards thresholds

Until now we only looked at whether a subnet was excluded from dynamic rules
when deciding to insert a block. This introduced an issue when the dynamic
rules were configured to group clients into subnets via the `setMasks` directive,
because then queries received from an excluded client were still counted towards
the thresholds for the final subnet. For example, when grouping IPv4 clients
into `/24` subnets and excluding `192.0.2.1`, we would end up blocking the
whole `192.0.2.0/24` subnet if the number of queries or responses received
from `192.0.2.1` were over the threshold.
From now on excluded subnets will no longer count toward the thresholds.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16872 from PowerDNS/feature/update-repo-test-script-20260212

Update Repo Test Script

dnsdist: Fix c/p mistake spotted by Miod (thanks!)

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Use `not in` instead of a fugly line of `and`s.

Undo some whitespace changes so diff looks good.

Reinstate `while` usage.

dnsdist: Add actions, methods and FFI functions to unset a tag

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Remove `auth-47` as it is not maintained anymore.

Comment by @miodvallat in #16872.

Merge pull request #16871 from miodvallat/gettingtoooldtowritecode

auth: fix stupid logic error in lmdb-write-update-notification=no

Update repo test script.

This had not been synced to the repo for a while.

Perform DomainInfo consolidation before filtering.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Fix polarity of setting description.

This was forgotten after this setting changed name and polarity.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16868 from rgacogne/rust-audit-pr

CI: Run the Rust deps audit check on the correct branch for pull requests

CI: Run the Rust deps check workflow on PR to master

As suggested by Alexis, many thanks!

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16862 from omoerbeek/rec-janitor-lwres

rec: cleanup lwres.??

Run the Rust deps audit check on the current branch for PRs

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

CI: Do not run the Rust deps audit on all branches for PRs

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16861 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/time-0.3.47

build(deps): bump time from 0.3.45 to 0.3.47 in /pdns/recursordist/rec-rust-lib/rust

build(deps): bump time in /pdns/recursordist/rec-rust-lib/rust

Bumps [time](https://github.com/time-rs/time) from 0.3.45 to 0.3.47.
- [Release notes](https://github.com/time-rs/time/releases)
- [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md)
- [Commits](https://github.com/time-rs/time/compare/v0.3.45...v0.3.47)

---
updated-dependencies:
- dependency-name: time
  dependency-version: 0.3.47
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16855 from omoerbeek/rec-ws-pkcs12

rec: add feature to read TLS key info from an encrypted PKCS12 (pfx) file for the embedded web server

Better var name

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Process review comments from Miod

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

skip test on class level

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Mention the PKCS12 feature is not available everywhere.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Make pkcs12 feature dependent on rust version

Also add test infra to test for rec features

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add password field in yaml generation from map

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Better comments and function names

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add docs

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add test, pin time crate to avoid depending on rustc 1.88

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: add feature to read webserver key and cert from (encrypted) pkcs12 file

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16857 from PowerDNS/dependabot/pip/regression-tests.recursor-dnssec/cryptography-46.0.5

build(deps): bump cryptography from 46.0.4 to 46.0.5 in /regression-tests.recursor-dnssec

Merge pull request #16856 from omoerbeek/rustc-update-to-1.93

rec and dnsdist: Update rustc and cargo to 1.93

build(deps): bump cryptography in /regression-tests.recursor-dnssec

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.4 to 46.0.5.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.4...46.0.5)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16852 from PowerDNS/dependabot/pip/regression-tests.dnsdist/cryptography-46.0.5

build(deps): bump cryptography from 46.0.4 to 46.0.5 in /regression-tests.dnsdist

Merge pull request #16823 from rgacogne/ddist-export-dns-flags-via-protobuf

dnsdist: Export DNS flags via ProtoBuf

Reduce include files to much smaller set

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: cleanup in lwres related code

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16854 from miodvallat/wolf

auth: get rid of a "may be uninitialized" warning.

Update rustc and cargo to 1.93

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Get rid of a "may be uninitialized" warning.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16849 from rgacogne/quiche-0.24.9

dnsdist: Update Quiche to 0.24.9

Merge pull request #16846 from rgacogne/ddist-fix-pool-zero-scope-version

dnsdist: Fix version added for `ServerPool:{g,s}etZeroScope`

Merge pull request #16853 from omoerbeek/rec-regr-test-robustness

rec: improve regression test startup/teardown robustness

Type in var name from Miod

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

build(deps): bump cryptography in /regression-tests.dnsdist

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.4 to 46.0.5.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.4...46.0.5)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Make sure all teardown class methods are called before raising a potential exception

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix version added for `ServerPool:{g,s}etZeroScope`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Call super().tearDownClass() if possible

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Wrong type of object used

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Update Quiche to 0.24.9

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: check if auths are running

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16843 from omoerbeek/rec-docs-prs

rec docs: fill in PR#s for SA 2026-01 now that we know the numbers

rec docs: fill in PR#s for SA 2026-01 now that we know the numbers

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16838 from omoerbeek/rec-limitcachesize

rec: Limit packet and record cache entry size

Merge pull request #16837 from omoerbeek/rec-answer-sizes

rec: Limit amount of work done for a single client query in new ways

Merge pull request #16836 from omoerbeek/rec-cname-follow

rec: Allowed names should not include names from CNAMEs that cannot be reached

Merge pull request #16835 from omoerbeek/rec-prep-20260209

Prep for 20260209 Recursor security release

Update versionadded in docs

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Limit packet and record cache entry size

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Update versionadded in docs

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Set a max on the number of visted IPs for a single qname/type

We use 2 * outgoing.max_ns_per_resolve as a limit. A tigher limit makes a few unit test fail.

Proper limit to be discussed.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: if the IPs of the auths of a zone resolve to duplicate IPs, skip the dups

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

If we received a delegation, also sample NS set if size > s_maxnsperresolve

Previously this was only done for NS sets retrieved fomr the record cache

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: count cumulative answer sizes for a single client query

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

boost::optional -> std::optional

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: allowed names should not include names from CNAMEs that cannot be reached

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Prep for 20260209 Recursor security release

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16670 from miodvallat/frontline

auth: better advice when creating zones

Merge pull request #16573 from miodvallat/soaked

auth: minor getAllDomains optimizations

Merge pull request #16829 from pieterlexis/docs-setuptools-pin

chore: pin setuptools so pkg_resources keeps working

chore: Pin setuptools for build scripts

chore: Pin setuptools for builder tools

chore: Pin setuptools for remotebackend tests

chore: Pin setuptools for meson venv

chore: Pin setuptools for pdns-keyroller