Prefer std::string::find(char) when searching for a single character.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17240 from miodvallat/hardenxfr

auth: harden xfr*BitInt writers

Widen types passed to xfr*BitInt to reject too large values.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17255 from PowerDNS/dependabot/github_actions/KineticCafe/actions-dco-2.1.1

build(deps): bump KineticCafe/actions-dco from 1.3.8 to 2.1.1

Merge pull request #17254 from PowerDNS/dependabot/github_actions/sigstore/cosign-installer-4.1.1

build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1

Merge pull request #17282 from omoerbeek/omoerbeek-patch-1

rec: remove use of -v flag for cp

rec: remove use of -v flag for cp

Fixes #17241

Merge pull request #17280 from omoerbeek/rec-docs-pb

rec docs: fix description of (outgoing)ProtobufServer

rec docs: fix description of (outgoing)ProtobufServer

And remove obsolete variant.

Fixes #17278

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17238 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/rustls-webpki-0.103.13

build(deps): bump rustls-webpki from 0.103.10 to 0.103.13 in /pdns/recursordist/rec-rust-lib/rust

Merge pull request #17253 from omoerbeek/rec-docs-rpz-vs-packetcache

rec docs: add a note about RPZ vs packetcache interaction

Merge pull request #17257 from omoerbeek/dnsdist-test-signedness

dnsdist: fix a few signed vs unsigned compare warnings in tests

Merge pull request #17256 from omoerbeek/dnsdist-boost-1.91

dnsdist: make code boost-1.91 compatible

build(deps): bump KineticCafe/actions-dco from 1.3.8 to 2.1.1

Bumps [KineticCafe/actions-dco](https://github.com/kineticcafe/actions-dco) from 1.3.8 to 2.1.1.
- [Release notes](https://github.com/kineticcafe/actions-dco/releases)
- [Changelog](https://github.com/KineticCafe/actions-dco/blob/main/Changelog.md)
- [Commits](https://github.com/kineticcafe/actions-dco/compare/1c23966ecce077f76671a61caabeb13eefc72a51...6e1652ef3027ce128e65e6edd215ae053350bd16)

---
updated-dependencies:
- dependency-name: KineticCafe/actions-dco
  dependency-version: 2.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v4.1.0...v4.1.1)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dnsdist: fix a few signed vs unisgned compare warnings in tests

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: make code boost-1.91 compatible

Fixes #17245

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Re-order first RPZ note

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Apply suggestions from code review

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec docs: add a note about RPZ vs packetcache interaction

Discussed in #YWH-PGM6095-266 by krawall, thanks!

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17242 from miodvallat/pastis

prep for auth 5.1.0-beta1

Merge pull request #17252 from Habbie/200-entries-should-be-enough-for-anybody

rec aggressive nsec test: increase entry count so we hit the 8192 byte limit on 32 bit systems too

Merge pull request #17247 from franklouwers/master

auth docs: update EOL policy wording

Merge pull request #17248 from miodvallat/times_they_are_truncating

auth: (bind) fix one bad case of time_t truncation

increase entry count so we hit the 8192 byte limit on 32 bit systems
too

Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>

Wednesday, after all.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Update docs/appendices/EOL.rst

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Frank Louwers <24672+franklouwers@users.noreply.github.com>

auth docs: update EOL policy wording

Signed-off-by: Frank Louwers <frank@louwers.be>

Fix one bad case of time_t truncation.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17243 from mind04/no-axfr-anonymous

auth: remove extra 'A' from some AXFR log lines

auth: remove extra 'A' from some AXFR log lines

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

Merge pull request #16971 from mind04/auth-nested-catalogs

Auth: nested catalogs

auth: make gcc 15.2 happy

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

auth: fix regression tests for --with-dynmodules

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

auth: implement nested catalogs

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

Documentation & secpoll updates for auth-5.1.0-beta1

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Advertize lmdb comments.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Fix year

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

build(deps): bump rustls-webpki in /pdns/recursordist/rec-rust-lib/rust

Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.10 to 0.103.13.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](https://github.com/rustls/webpki/compare/v/0.103.10...v/0.103.13)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17234 from romeroalx/fix-pinning-py-0426

requirements.txt: update version of pinned packages

Merge pull request #17237 from rgacogne/ddist-clang-tidy-warnings-20260423

dnsdist: Fix clang-tidy warnings

dnsdist: Fix clang-tidy warnings

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17231 from rgacogne/ddist-udp-max-outstanding

dnsdist: Set default number of outstanding queries per backend to 65536

dnsdist: Set default number of outstanding queries per backend to 65536

The existing default was off by one, wasting one possible state.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17235 from omoerbeek/dnsparser-unquoted-bound

common: Check boundary in getUnquotedText() as we do in getText()

Tidy

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

requirements.txt: update version of pinned packages

Check boundary as we do in getText()

From YWH-PGM6095-137. We still stay inside the packet, so no security
issue.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17232 from omoerbeek/auth-fix-missing-test-file

auth unit tests: add missing test file for the autotools case

Merge pull request #16522 from Habbie/lmdb-full-comments

auth lmdb: full support for comments

Merge pull request #17218 from rgacogne/ddist-1.9.14-2.0.5-changelog-secpoll

dnsdist: Update ChangeLog and security polling zone for 1.9.14, 2.0.5

auth unit tests: add missing test file for the autotools case

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17180 from edmonds/dnsdist/per-backend-max-udp-outstanding

dnsdist: Add per-backend `max_udp_outstanding` YAML config setting

Merge pull request #17205 from omoerbeek/rec-priv-rpz-soa

rec: throw if no valid SOA found (YWH-PGM6095-168)

Merge pull request #17203 from omoerbeek/rec-private-zonemd

rec: zonemd null pointer dereference on non-standard schemes (#YWH-PGM6095-156)

Merge pull request #17216 from rgacogne/ddist-ywh-189

dnsdist: Prevent division by zero when computing DNSCrypt padding

Merge pull request #17214 from rgacogne/ddist-ywh-170

dnsdist: Clean QUIC stream-related data after errors

Merge pull request #17210 from rgacogne/ywh-159

dnsdist: Handle SVCB response without any usable address

Merge pull request #17208 from rgacogne/ywh-138

dnsdist: Apply TCP connections limits to DoQ/DoH3 connections

Merge pull request #17202 from omoerbeek/rec-priv-cookie-optional

rec: only check cookie if we sent one out (YWH-PGM6095-134)

Merge pull request #17201 from omoerbeek/ywh-135

rec: Prevent null-pointer dereference in aggressive NSEC cache

Merge pull request #17228 from miodvallat/system_of_a_markdawn

auth: buglets in the 2026-05 SA

Merge pull request #17199 from omoerbeek/rec-rpz-race

rec: work on a copy of PolicyZoneData while building the new RPZ zone

Merge pull request #17204 from rgacogne/ddist-sa-follow-up

dnsdist: Fix CVSS links in security advisory 2026-04

Merge pull request #17209 from rgacogne/ywh-148

dnsdist: Fix out-of-bounds check for UDP responses from backend

Merge pull request #17211 from rgacogne/ywh-163

dnsdist: Check record length before calling the visitor function

Merge pull request #17212 from rgacogne/ywh-165

dnsdist: Use `DNSName` in `StatNode` to avoid encoding issues

Merge pull request #17213 from rgacogne/ywh-166

dnsdist: Prevent ID overflow in outgoing TCP connections

Merge pull request #17215 from rgacogne/ddist-ywh-174

dnsdist: Cap the amount of data buffered toward a DoH server

Merge pull request #17197 from omoerbeek/rec-cachesize-neg-aggr

rec: estimate size and refuse to cache big negcache entries

Merge pull request #17200 from omoerbeek/yahttp-size

all: Fix two cases of lacking/wrong max size compares (YWH-PGM6095-90)

Merge pull request #17196 from omoerbeek/yahttp-chunksize

all: better handling of yahttp chunksize

Merge pull request #17194 from omoerbeek/rec-limit-web-req

rec: limit size of incoming web request.

Merge pull request #17217 from omoerbeek/rec-docs-refs

rec docs: add references in changelogs, now that the PR numbers are known

Merge pull request #17198 from miodvallat/sa-2026-05

auth: fixes for SA 2026-05

Buglets in the 2026-05 SA

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

dnsdist: Hopefully make the spell checker happy

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Update ChangeLog and security polling zone for 1.9.14, 2.0.5

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec docs: add references in changelogs, now that the PR numbers are known

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17157 from rgacogne/rec-fix-17137

rec: Fix DNAME interaction with aggressive use of NSEC3

Merge pull request #17156 from rgacogne/rec-fix-17136

rec: Fix DNSSEC validation of wildcard-expanded proof

Reformat

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Fix writer and text parser for too long alpn values.

This is CVE-2026-33611, part of PowerDNS Security Advisory 2026-05.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure to wrap the socket in a unique_ptr to close it in all cases.

Also add a log message for empty update from rogue primaries.

This is CVE-2026-33610, part of PowerDNS Security Advisory 2026-05.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Rewrite the ldap escape function, and always escape network-controlled input.

This new version now will correctly handle 8-bit characters (which need to
be encoded in UTF-8 and then escaped), as well as the corner cases of
leading space or # and trailing space.

This is CVE-2026-33609, part of PowerDNS Security Advisory 2026-05.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Prevent creadeSecondaryDomain from creating an invalid bind configuration.

- reject domain names containing quotes, as these are not allowed by bind.
- make sure the generated filename to be used to store domain data is not
  empty and does not contain path separators.

This is CVE-2026-33608, part of PowerDNS Security Advisory 2026-05.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17193 from miodvallat/secpopaul

auth: SA 2026-05 updates

Documentation updates for 4.9.14 and 5.0.4.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

dnsdist: Fix CVSS links in security advisory 2026-04

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17189 from rgacogne/ddist-1.9.13-2.0.4-changelog-secpoll

dnsdist: Update ChangeLog, security advisories and secpoll for 1.9.13 and 2.0.4

Merge pull request #17188 from omoerbeek/rec-docs-cl-sa-fix

rec docs; fix typos in SA-2026-03 and changelog, from dwfreed and winfried

dnsdist: Fix spelling mistakes

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Tell our spell-checker to allow security researcher names, and PRSD

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Update ChangeLog, security advisories and secpoll for 1.9.13 and 2.0.4

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec docs; fix typos in SA-2026-03 and changelog, from dwfreed and winfried

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17181 from omoerbeek/rec-prep-20260422

rec: Prep for SA-2026-03

rec: Prep for SA-2026-03

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Add per-backend `max_udp_outstanding` YAML config setting

This commit adds a new per-backend config setting `max_udp_outstanding`
which overrides the global `tuning.udp.max_outstanding_per_backend`
setting.

If the per-backend `max_udp_outstanding` setting is omitted, the value
of the global option `tuning.udp.max_outstanding_per_backend` will be
used instead.

This allows tuning the number of UDP states allocated on a per-backend
basis in order to tune the amount of memory consumed by dnsdist.
Low-latency backends may only need a small number of UDP states, while
high-latency backends may need a higher number of UDP states.

The `tuning.udp.max_outstanding_per_backend` setting and the new
per-backend `max_udp_outstanding` setting directly control the sizes of
the vectors of `IDState` objects that are preallocated at startup.

The size of the `IDState` object can vary depending on compile time
options, but in my local build it is currently 496 bytes. This means
that a backend with the maximum number of UDP states (65535) will
require allocating at least (496 * 65535 / 1048576) = 31 MB. Similarly,
a backend with 8192 UDP states will require allocating 3.9 MB, and a
backend with 256 UDP states only requires 124 KB.

Signed-off-by: Robert Edmonds <edmonds@users.noreply.github.com>

Merge pull request #17164 from rgacogne/ddist-error-on-unhandled-switch-case

dnsdist: Error on unhandled switch cases while in CI

dnsdist: Error on unhandled switch cases while in CI

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>