rec: Fix DNAME interaction with aggressive use of NSEC3

rfc6672 section 5.3.2 "DNAME Bit in NSEC Type Map":

In any negative response, the NSEC or NSEC3 [RFC5155] record type
bitmap SHOULD be checked to see that there was no DNAME that could
have been applied. If the DNAME bit in the type bitmap is set and
the query name is a subdomain of the closest encloser that is
asserted, then DNAME substitution should have been done, but the
substitution has not been done as specified.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17152 from miodvallat/did_not_age_well

auth: fixes to AXFR in Bind backend

Merge pull request #17153 from rgacogne/ddist-better-handling-of-nghttp2-errors

dnsdist: Better handling of nghttp2 errors

Merge pull request #17154 from rgacogne/ddist-outgoing-doh-remove-debug

dnsdist: Remove commented out leftover debug messages in outgoing DoH

dnsdist: Don't try to convert consumed bytes to a nghttp2 error

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Remove commented out leftover debug messages in outgoing DoH

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Better handling of nghttp2 errors

There are a few cases where an error returned by `nghttp2` could
have been silently ignored. Thanks to ilhamaf for reporting this!
As far as I can tell there is no actual impact, except perhaps that
we can detect errors/stale connections earlier, but I haven't been
able to cause any actual problem introduced by not handling these
errors properly.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Harden stripDomainSuffix() logic.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17151 from rgacogne/ddist-ywh-230

dnsdist: Fix handling of long HTTP/2 Date headers, handle non-POSIX locales

Drop boolean return from stripDomainSuffix().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Remove ciEqual(), clone of pdns_iequals().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17149 from miodvallat/parse_is_hard

webserver: correctly split the basic authorization cookie

Merge pull request #17148 from miodvallat/httpenury

auth: add a configurable limit of web server connections

dnsdist: Check the value of the HTTP Date header, even with a weird locale

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Use the POSIX locale to generate the HTTP Date header

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Split HTTP Date header generation, use timebuf_t

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix handling of long HTTP/2 Date headers

Some days of the year can, in some specific locales, require more than 40 bytes.
We should handle that gracefully with a larger buffer, and also just skip the
`Date` header altogether if it somehow does not fit into our buffer.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Correctly split the basic authorization cookie.

This allows passwords containing colons to be correctly handled.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Add a limit of the number of concurrent connections to auth webserver.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Move connection-management.hh to shared place.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17002 from miodvallat/directbackenderror

pdnsutil: possibly helpful backend-cmd help

Merge pull request #17134 from miodvallat/gallup

auth: only perform secpoll checks when they make sense

Merge pull request #17141 from rgacogne/ddist-coverity-20260414

dnsdist: Silence performance warnings from Coverity

dnsdist: Silence performance warnings from Coverity

Coverity (CID 503155 and 503156, at least) is worried that we are
mistakenly duplicating the `std::string`s that our Lua bindings are
returning. We are doing it on purpose, so let's make it clear.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17140 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/rand-0.9.4

build(deps): bump rand from 0.9.2 to 0.9.4 in /pdns/recursordist/rec-rust-lib/rust

build(deps): bump rand in /pdns/recursordist/rec-rust-lib/rust

Bumps [rand](https://github.com/rust-random/rand) from 0.9.2 to 0.9.4.
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.9.4/CHANGELOG.md)
- [Commits](https://github.com/rust-random/rand/compare/rand_core-0.9.2...0.9.4)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.9.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17139 from miodvallat/codeupdate

auth: comb the dns update code

Better variable names.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Work on DNSRecord references rather than pointers whenever possible.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Reduce scope of MOADNSParser objects.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Pass the MOADNSParser d_answers field rather than the whole object.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Do not keep secpolling for non-releases.

Fixes: #17133
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17132 from rgacogne/ddist-fix-dnsresponse_t-lua-ffi

dnsdist: Lua FFI response actions are passed a `dnsdist_ffi_dnsresponse_t`

Allow `dnsresponse`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Lua FFI _response_ actions are passed a `dnsdist_ffi_dnsresponse_t`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17124 from rgacogne/ddist-refactor-dq-header-interface

dnsdist: Refactor access to DNS headers from Lua

Merge pull request #17126 from miodvallat/createhex

auth lua: one more bad case of createForward

Merge pull request #17044 from PowerDNS/dependabot/pip/meson/requests-2.33.0

build(deps): bump requests from 2.32.4 to 2.33.0 in /meson

Merge pull request #17046 from PowerDNS/dependabot/pip/regression-tests.api/requests-2.33.0

build(deps): bump requests from 2.32.4 to 2.33.0 in /regression-tests.api

Merge pull request #17130 from miodvallat/dynlistentome

auth: some pdns_control love

Merge pull request #17129 from rgacogne/ddist-coverity-cid-502893

dnsdist: Fix a warning from Coverity about unintentional copy

Merge pull request #17128 from omoerbeek/rec-coverity-lua

rec: minor optimization from Coverity

Give some details about control socket setup and access control.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

rec: minor optimization from Coverity

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix a warning from Coverity about unintentional copy

It is intentional, so make it clear.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Apply documentation suggestions from Pieter (thanks!)

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17127 from kpfleming/complete-rename-swagger-to-openapi

Complete the transition from Swagger to OpenAPI

Merge pull request #17125 from pieterlexis/dnsdist-padding-ecs

feat(dnsdist): Test for Frontend padding and backend ECS

Complete the transition from Swagger to OpenAPI

Remove one remaining reference to Swagger in the documentation, and
rename the API schema file to use 'openapi' instead of
'swagger'. These are all internal (build system and other) changes and
should have no effect on users.

Signed-off-by: Kevin P. Fleming <kevin@km6g.us>

Add a test with trailing hex digits for createfoward 1-2-3-4.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Reject trailing hex digits in createforward 1-2-3-4 format.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

feat(dnsdist): Test for Frontend padding and backend ECS

Make more use of all-zeros strings. NFC

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17123 from miodvallat/backtick

fix markdown error

Remove spurious backticks.

Closes: #17111
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

dnsdist: Refactor access to DNS headers from Lua

The existing interface is error-prone: it provides a pointer to
a buffer that might get invalidated if the user keeps it around
too long. The new interface makes it clear when the modification
is actually performed, and there is no dangling pointer.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17120 from rgacogne/ddist-coverity-20260408

dnsdist: Fix some warnings reported by Coverity

dnsdist: Fix some warnings reported by Coverity

Being more consistent when moving `RemoteLogActionConfiguration` objects.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17081 from rgacogne/ddist-dont-keep-parsed-edns-options-around

dnsdist: Do not keep the parsed EDNS options around

Merge pull request #17058 from rgacogne/ddist-move-dnsname-response-ring

dnsdist: Move the existing DNSName into the response rings

build(deps): bump requests in /regression-tests.api

Bumps [requests](https://github.com/psf/requests) from 2.32.4 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.32.4...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump requests from 2.32.4 to 2.33.0 in /meson

Bumps [requests](https://github.com/psf/requests) from 2.32.4 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.32.4...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17115 from pieterlexis/dnsdist-yw-202-padding

dnsdist: Actually pad responses

Merge pull request #17119 from pieterlexis/update-py-deps

chore: Update all python dependencies

dnsdist: Pass copies of EDNS options to Lua, views are error-prone

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Do not keep the parsed EDNS options around

The idea to keep the EDNS options around to avoid parsing them
a second time was a nice one, but invalidation is error-prone and
this is rarely useful in practice.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

chore: Update all python dependencies

Merge pull request #17117 from ronhombre/fix/cpq-use-after-move-doh3

Hardened DoH3 internal error handling for cpq

chore(dnsdist): Add unit tests for addEDNSPadding

Merge pull request #17116 from pieterlexis/dnsdist-remove-debug

chore(dnsdist): clean up troubleshooting code

Hardened DoH3 internal error handling for cpq

Added a check for cpq before releasing DU to handle exceptional cases.

Signed-off-by: Ron Lauren Hombre <118486316+ronhombre@users.noreply.github.com>

fix(dnsdist): allow adding empty options in addOrReplaceEDNSOption

fix(dnsdist): actually pad responses when requested

feat(dnsdist): test self-answered, padded DOH

fix(dnsdist): do not let dnspython pad responses

chore(dnsdist): clean up troubleshooting code

Merge pull request #17114 from ronhombre/fix/cpq-use-after-move

Hardened DoQ internal error handling for cpq

Merge pull request #17110 from ronhombre/fix/give-tcp-thread-to-doq-and-doh3

Give TCP thread as default for definition USE_SINGLE_ACCEPTOR_THREAD

Hardened DoQ internal error handling for cpq

Added a check for cpq before releasing DU to handle exceptional cases.

Signed-off-by: Ron Lauren Hombre <118486316+ronhombre@users.noreply.github.com>

Merge branch 'PowerDNS:master' into fix/give-tcp-thread-to-doq-and-doh3

Merge pull request #17112 from jsoref/check-spelling-0.0.26

Upgrade check-spelling to v0.0.26

Simplify TCP client thread initialization

Removed conditional TCP client thread creation and make them the default for definition USE_SINGLE_ACCEPTOR_THREAD

Signed-off-by: Ron Lauren Hombre <118486316+ronhombre@users.noreply.github.com>

Merge pull request #17070 from rgacogne/ddist-ywh-102

dnsdist: Fix use-after-free in EDNS options handling

Upgrade check-spelling to v0.0.26

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: whether or not

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: see

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: please

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: lowercase

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: configuration:

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: better or worse

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: be

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: auth-zone:

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: also

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: a

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Use internet archive link

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Give TCP thread for DoQ and DoH3

On OpenWRT, the dnsdist implementation isn't normally built with DoQ and DoH3 due to the lack of quiche support. However, when it is enabled and queried through QUIC, dnsdist sees that the connection we have is too big and goes out of its way to try to use TCP to make that request upstream when using PROXYv2.

This fixes that by checking if DoQ or DoH3 are enabled so that in certain configurations with only DoQ or DoH3 enabled, a TCP thread is given to the internal client.

Signed-off-by: Ron Lauren Hombre <118486316+ronhombre@users.noreply.github.com>

Merge pull request #16970 from omoerbeek/rec-rpz-vs-cache

rec: RPZ add auto cache flush of packet cache feature on RPZ updates

Merge pull request #17062 from pieterlexis/dnsdist-docs-rm-old-changed

docs(dnsdist): Remove all version changes pre-1.9

docs(dnsdist): Remove all version changes pre-1.9

Zap debug line

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>