libssl: Properly deal with an empty error stack in `libssl_get_error_string`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

libssl: Fix the position of OCSP files on errors

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17363 from hlindqvist/lmdb-shards-map-doc-clarification

Clarify the documentation regarding lmdb-shards-map-size

Clarify the documentation regarding lmdb-shards-map-size

This aligns the note in the lmdb-map-size section better
with how lmdb-map-size and lmdb-shards-map-size actually
interact.

Signed-off-by: Håkan Lindqvist <h@qw.se>

Merge pull request #17333 from rgacogne/unbreak-clang-tidy

ci: Unbreak clang-tidy (unknown key 'IgnoredVariableNames')

Merge pull request #17334 from omoerbeek/rec-docs-edns-subnet-allow

rec: better describe the mechanics of outgoing.edns_subnet_allow_list

Merge pull request #17307 from rgacogne/ddist-fix-tcp-rate-limiting

dnsdist: Fix invalid TCP rate limiting computation

rec: better describe the mechanics of outgoing.edns_subnet_allow_list

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

ci: Unbreak clang-tidy (unknown key 'IgnoredVariableNames')

It turns out that the clang-tidy workflow has been broken for a while on master:
```
/home/runner/work/pdns/pdns/pdns/dnsdistdist/.clang-tidy:14:1: error: unknown key 'IgnoredVariableNames'
```

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix warnings reported by clang-tidy, apply Otto's suggestions

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Remove empty line

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Add more unit tests for concurrent TCP connections

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17322 from pieterlexis/warn-on-submodule-update

ci: Add check for builder submodule

dnsdist: Fix flaky TCP rate limiting regression tests

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

ci: Add check for builder submodule

dnsdist: Fix TCP rate-limiting ban expiry (introduced in f960b7d8d98911c717ee7dfeb4dc6475ce98d135)

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix Python formatting

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17320 from miodvallat/unreserve

auth, rec: smarter memory need computation

dnsdist: Properly handle TCP limit tests spanning two time buckets

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Compute a less inaccurate number of dns records to pass to reserve().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

dnsdist: Properly handle TCP clients that have been idle for a while

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix off-by-one in the TCP connection rate regression test

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Only account TLS conns once we know if they were resumed

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix invalid TCP rate limiting computation

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17297 from omoerbeek/rec-auth-corsflag

rec and auth: Implement an allow cors flag in a simlar way dnsdist has

Apply suggestions from code review

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Rename the option to [webserver-]cross-origin-request-header

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Move to a string instead of a boolean flag, as suggested by zeha

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add docs and rename auth setting name

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17135 from rgacogne/ddist-also-set-udp-buffer-size-for-backend

dnsdist: Also apply UDP socket buffer sizes to backend sockets

Update regression-tests.api/test_Basics.py

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Drop the origin part, fix auth regression test

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17291 from rgacogne/ddist-document-api-read-write-flush

dnsdist: Document that flushing the cache is allowed in read-only mode

Merge pull request #17290 from rgacogne/ddist-remove-ffi-pp-dead-code

dnsdist: Bail out when a `NULL` pointer is passed to `dnsdist_ffi_dnsquestion_get_proxy_protocol_values`

Merge pull request #17285 from omoerbeek/rec-byterreccheck

rec: check bytes received limit immediate after increase

Implement an allow cors flag in a simlar way dnsdist has

Docs and tests missing

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17283 from omoerbeek/rec-src-rem-log

rec: be more consistent in logging source and remote

dnsdist: Document that flushing the cache is allowed in read-only mode

As reported by Prasanna Dabi (thanks!) one might expect that a read-only
API would not allow the flushing of the packet cache. This is not the case,
the read-only flag controls whether the API is allowed to alter the configuration,
but flushing the content of the packet cache is always allowed.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Bail out when a `NULL` pointer is passed to `dnsdist_ffi_dnsquestion_get_proxy_protocol_values`

Reported by ylwango613, thanks!

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17287 from rgacogne/ddist-ebpf-add-range-rule

dnsdist: Fix `BPFFilter::addRangeRule`

Merge pull request #17288 from rgacogne/ddist-fix-null-ptr-deref-verbose-doh-healthcheck

dnsdist: Fix a crash with DoH backends in verbose health-check mode

Merge pull request #17289 from omoerbeek/rec-optimize-dns64

rec: optimize dns64 PTR processing (#YWH-PGM6095-280)

dnsdist: Fix a crash with DoH backends in verbose health-check mode

Reported by Mehtab Zafar, many thanks!

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: optimize dns64 PTR processing (#YWH-PGM6095-280)

And return ServFail on malformed DNS64 PTR queries

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix `BPFFilter::addRangeRule`

Reported by Prasanna Dabi (thanks!):
"The eBPF DDoS mitigation implementation in dnsdist contains a critical logic error that prevents new range-based block rules from being applied. When the BPFFilter::addRangeRule() function is called to block a subnet, it first checks the eBPF map to determine if the rule already exists. If the subnet is not currently in the map, the bpf_lookup_elem call returns -1. In this failure state, the local CounterAndActionValue value struct remains in its default, zeroed-out state, where the action field is automatically set to BPFFilter::MatchAction::Pass.

The conditional check intended to skip redundant rules contains a logic typo: it evaluates value.action == BPFFilter::MatchAction::Pass instead of comparing the requested action parameter.Because the default state of the unpopulated struct is always Pass, the condition (res == -1 && value.action == BPFFilter::MatchAction::Pass) evaluates to true for every new rule attempt.This causes the daemon to throw a std::runtime_error and reject the mitigation."

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17286 from miodvallat/beaucoupfish

auth, dnsdist: lost+found, faster

Merge pull request #17284 from miodvallat/grossbody

auth, dnsdist: use less inefficient code in web server

Prefer std::string::find(char) when searching for a single character.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17240 from miodvallat/hardenxfr

auth: harden xfr*BitInt writers

Missing ;

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: check bytes received limit immediate after increase

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Maintain a "current size of received body" counter.

This allows us to get rid of synthesizing partial body contents as
std::string objects, only to check for their length being still within
allowed bounds.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Widen types passed to xfr*BitInt to reject too large values.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

rec: be more consistent in logging soure and remote

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17255 from PowerDNS/dependabot/github_actions/KineticCafe/actions-dco-2.1.1

build(deps): bump KineticCafe/actions-dco from 1.3.8 to 2.1.1

Merge pull request #17254 from PowerDNS/dependabot/github_actions/sigstore/cosign-installer-4.1.1

build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1

Merge pull request #17282 from omoerbeek/omoerbeek-patch-1

rec: remove use of -v flag for cp

rec: remove use of -v flag for cp

Fixes #17241

Merge pull request #17280 from omoerbeek/rec-docs-pb

rec docs: fix description of (outgoing)ProtobufServer

rec docs: fix description of (outgoing)ProtobufServer

And remove obsolete variant.

Fixes #17278

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17238 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/rustls-webpki-0.103.13

build(deps): bump rustls-webpki from 0.103.10 to 0.103.13 in /pdns/recursordist/rec-rust-lib/rust

Merge pull request #17253 from omoerbeek/rec-docs-rpz-vs-packetcache

rec docs: add a note about RPZ vs packetcache interaction

Merge pull request #17257 from omoerbeek/dnsdist-test-signedness

dnsdist: fix a few signed vs unsigned compare warnings in tests

Merge pull request #17256 from omoerbeek/dnsdist-boost-1.91

dnsdist: make code boost-1.91 compatible

build(deps): bump KineticCafe/actions-dco from 1.3.8 to 2.1.1

Bumps [KineticCafe/actions-dco](https://github.com/kineticcafe/actions-dco) from 1.3.8 to 2.1.1.
- [Release notes](https://github.com/kineticcafe/actions-dco/releases)
- [Changelog](https://github.com/KineticCafe/actions-dco/blob/main/Changelog.md)
- [Commits](https://github.com/kineticcafe/actions-dco/compare/1c23966ecce077f76671a61caabeb13eefc72a51...6e1652ef3027ce128e65e6edd215ae053350bd16)

---
updated-dependencies:
- dependency-name: KineticCafe/actions-dco
  dependency-version: 2.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v4.1.0...v4.1.1)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dnsdist: fix a few signed vs unisgned compare warnings in tests

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: make code boost-1.91 compatible

Fixes #17245

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Re-order first RPZ note

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Apply suggestions from code review

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec docs: add a note about RPZ vs packetcache interaction

Discussed in #YWH-PGM6095-266 by krawall, thanks!

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17242 from miodvallat/pastis

prep for auth 5.1.0-beta1

Merge pull request #17252 from Habbie/200-entries-should-be-enough-for-anybody

rec aggressive nsec test: increase entry count so we hit the 8192 byte limit on 32 bit systems too

Merge pull request #17247 from franklouwers/master

auth docs: update EOL policy wording

Merge pull request #17248 from miodvallat/times_they_are_truncating

auth: (bind) fix one bad case of time_t truncation

increase entry count so we hit the 8192 byte limit on 32 bit systems
too

Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>

Wednesday, after all.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Update docs/appendices/EOL.rst

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Frank Louwers <24672+franklouwers@users.noreply.github.com>

auth docs: update EOL policy wording

Signed-off-by: Frank Louwers <frank@louwers.be>

Fix one bad case of time_t truncation.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17243 from mind04/no-axfr-anonymous

auth: remove extra 'A' from some AXFR log lines

auth: remove extra 'A' from some AXFR log lines

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

Merge pull request #16971 from mind04/auth-nested-catalogs

Auth: nested catalogs

auth: make gcc 15.2 happy

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

auth: fix regression tests for --with-dynmodules

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

auth: implement nested catalogs

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

Documentation & secpoll updates for auth-5.1.0-beta1

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Advertize lmdb comments.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Fix year

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

build(deps): bump rustls-webpki in /pdns/recursordist/rec-rust-lib/rust

Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.10 to 0.103.13.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](https://github.com/rustls/webpki/compare/v/0.103.10...v/0.103.13)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17234 from romeroalx/fix-pinning-py-0426

requirements.txt: update version of pinned packages

Merge pull request #17237 from rgacogne/ddist-clang-tidy-warnings-20260423

dnsdist: Fix clang-tidy warnings

dnsdist: Fix clang-tidy warnings

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17231 from rgacogne/ddist-udp-max-outstanding

dnsdist: Set default number of outstanding queries per backend to 65536

dnsdist: Set default number of outstanding queries per backend to 65536

The existing default was off by one, wasting one possible state.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17235 from omoerbeek/dnsparser-unquoted-bound

common: Check boundary in getUnquotedText() as we do in getText()

Tidy

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

requirements.txt: update version of pinned packages

Check boundary as we do in getText()

From YWH-PGM6095-137. We still stay inside the packet, so no security
issue.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17232 from omoerbeek/auth-fix-missing-test-file

auth unit tests: add missing test file for the autotools case