docs: Generate schema files also when using Meson

verify-pinned-python-pkgs: ignore extras when comparing downloaded packages

chore: create requirements.txt using --allow-unsafe to pin setuptools as well

chore: spell-check fixes

chore: ignore sphinx stamp files everywhere

docs(rec): Fix building PDF and json schema refs

docs(auth): fix building the pdf

docs: appease spell-checker

docs: Disable the actual Lua Language server

ci(auth): API spec is now OpenAPI 3.1, no need to convert

use python-3.13 pip-compile for generating hashes

docs(auth): automatically document API examples

docs(auth): Generate a proper JSON schema

This takes the definitions from the OpenAPI spec so we can document the
JSON objects properly.

docs(auth): Make the OpenAPI definition pass the linter

docs(rec): restructure documents in the TOC

docs(rec): ignore files that are not used

docs(rec): Fix some rendering/directive issues

docs(recursor): Fix all API related objects and references

docs(rec): Initial convert to immaterial theme

docs(auth): Shuffle TOCs around

docs(auth): Modernize

ci: Switch docs to python 3.12

docs(dnsdist): Reorganize the content to fit the HTML theme

docs(dnsdist): properly reference TimedIPSet as class

docs(dnsdist): Prevent LuaLS plugin warning

chore: fix `invoke` "invalid escape sequence" warnings

docs(dnsdist): add dynblocks to a TOC to prevent a warning

chore(dnsdist): Reformat multiline YAML strings in dnsdist-actions-definitions.yml

docs(dnsdist): Fix small layout issue

docs(dnsdist): Use correct annotations for HTTP query params

This also fixes some rendering issues in the example requests and
responses.

docs(dnsdist): document API JSON objects with jsonschema

docs(dnsdist): Make the docs consistent with commercial docs

docs(dnsdist): Update sphinx and use a material theme

This also fixes 20-ish Lua related build warnings, the json domain does
not work yet.

Merge pull request #16995 from omoerbeek/rec-pb-logging-features

rec: two protobuf logging features: use 4 byte framesize and add strategy

Merge pull request #16998 from omoerbeek/rec-min-ttl-root-ns

rec: apply specific minimum TTL for root NS records

Apply suggestion from @omoerbeek

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17021 from rgacogne/rec-fix-typo-in-pdns-features-doc

rec: Fix a typo in the documention of `pdns_features`

Merge pull request #17023 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/rustls-webpki-0.103.10

build(deps): bump rustls-webpki from 0.103.9 to 0.103.10 in /pdns/recursordist/rec-rust-lib/rust

build(deps): bump rustls-webpki in /pdns/recursordist/rec-rust-lib/rust

Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.9 to 0.103.10.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

rec: Fix a typo in the documention of `pdns_features`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17019 from omoerbeek/rec-cargo-location

rec: Prevent dist failure if cargo is in a non-default location

Add test

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: apply specific minimum TTL for root NS records

This is to prevent hammering the root servers.
Only relevant to weird setups with silly root records.

Merge pull request #17018 from rgacogne/ddist-fix-qtype-numeric-value

dnsdist: Fix passing a numeric value to the YAML QType selector

Merge pull request #17016 from omoerbeek/rec-old-settings-fix

rec: give better error mesage on api-dir not set

rec: Prevent dist failure if cargo is in a non-default location

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: give better error mesage on api-dir not set

Plus skip irrelevant settings when generating the settings table
as some settings are Lua or YAML only.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Process suggestions from rgagogne

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Apply suggestions from code review

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add docs and tests for new features

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Tweak Hashed strategy

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add config, untested.

This triggered the need to reorganize some build files to avoid a
mix of missing and duplicate symbols. It look like adding the two
static metods to do Strategy string <-> enum caused duplicate
symbols.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Implement basic protobuf log strategy

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Allow 4 byte framesize and use it if configured

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Fix Python 3.14 compat issue

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Format

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Tidy

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix passing a numeric value to the YAML QType selector

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16997 from PowerDNS/dependabot/pip/regression-tests.recursor-dnssec/pyasn1-0.6.3

build(deps): bump pyasn1 from 0.4.8 to 0.6.3 in /regression-tests.recursor-dnssec

Merge pull request #17009 from PowerDNS/dependabot/pip/regression-tests.dnsdist/pyasn1-0.6.3

build(deps): bump pyasn1 from 0.4.8 to 0.6.3 in /regression-tests.dnsdist

Apply suggestion from @omoerbeek

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Port fixes from 16997: move pysnmp code to async mode

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17011 from miodvallat/obscurity

auth, rec: redact more configuration secrets in the /config endpoint

Merge pull request #17013 from rgacogne/ddist-fix-rust-lib-dependencies

dnsdist: Add missing dependencies to our Rust's lib

Reformat and add cryptography as dependency

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17012 from pieterlexis/dnsdist-ywh-136

dnsdist: harden locateEDNSOptRR

dnsdist: Add missing dependencies to our Rust's lib

We do use the selectors and actions definition to generate the YAML
settings parsing parts of the Rust library, so it needs to be re-generated
if these change.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Update requirements.txt

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Adapt code to pysnmp 7 async API

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

chore(dnsdist): Add tests for `locateEDNSOptRR`

fix(dnsdist): Check OPT owner in `locateEDNSOptRR`

fix(dnsdist): reject QD!=0 in `locateEDNSOptRR`

fix(dnsdist): reject small packets in `locateEDNSOptRR`

This issue could not be exploited in the service, as too small packets
never reach this function during normal operation.

Discovered by Ilya Rozentsvaig and reported via YWH-136.

Rework the logic deciding whether a config setting should be redacted.

Add *-secret to the list of patterns for auth, due to edns-cookie-secret
and tcp-control-secret.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17003 from pieterlexis/dnsdist-rmserver-log

feat(dnsdist): Log downstream removal

Merge pull request #16933 from pieterlexis/dnsdist-expungebyname-multiple

feat(dnsdist): Allow cache expunging with multiple names

Merge pull request #17008 from miodvallat/more_suspenders

auth: handle backend exceptions better during rectify

build(deps): bump pyasn1 in /regression-tests.dnsdist

Bumps [pyasn1](https://github.com/pyasn1/pyasn1) from 0.4.8 to 0.6.3.
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](https://github.com/pyasn1/pyasn1/compare/v0.4.8...v0.6.3)

---
updated-dependencies:
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17007 from romeroalx/bump-version-actions

gh actions: upgrade actions to the most recent version

Merge pull request #17005 from omoerbeek/rec-rpz-skip-continue

rec: continue processing response Policies if a discarded policy is hit

Handle possible backend exceptions in DNSSECKeeper::rectifyZone().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Do not leave dangling transactions if get() throws.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

feat(dnsdist): Log downstream removal

Closes: #17001

Merge pull request #17004 from miodvallat/lmdbetter

auth: minor lmdb fixes (for the 42nd time)

Merge pull request #16992 from rgacogne/ywh-141

Small cleanup of `EDNSSubnetOpts`

Merge pull request #16999 from omoerbeek/rec-getrr-checks

rec: more getRR return value checks

Use the serializing size constants, for readability.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure local variable is always initialized.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

When replacing an rrset, correctly delete any ENT entries.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

rec: more getRR return value checks

All cases of "cannot happen", but better safe than sorry

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16993 from rgacogne/rec-fix-auth-recs-serialization

rec: Fix serialization of cached authority records

gh actions: upgrade actions to the most recent version

build(deps): bump pyasn1 in /regression-tests.recursor-dnssec

Bumps [pyasn1](https://github.com/pyasn1/pyasn1) from 0.4.8 to 0.6.3.
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](https://github.com/pyasn1/pyasn1/compare/v0.4.8...v0.6.3)

---
updated-dependencies:
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16996 from rgacogne/ddist-fix-ot-closer--assertion

dnsdist: Prevent copies of OT closers

dnsdist: Prevent copies of OT closers

Moving them is OK, duplicating them isn't otherwise we might close
the same span several times which is bad.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: Actually test the deserialized cache content in the unit test

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: Fix serialization of cached authority records

The type needs to be present in the protobuf output before
the content, otherwise we cannot decode the content properly
when deserializing.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16991 from pieterlexis/dnsdist-http11-505

fix(dnsdist): respond 505 to DoH HTTP/1.1 reqs

fix(dnsdist): respond 505 to DoH HTTP/1.1 reqs

Closes: #16990

Merge pull request #16989 from PowerDNS/dependabot/pip/regression-tests.dnsdist/pyopenssl-26.0.0

build(deps): bump pyopenssl from 25.3.0 to 26.0.0 in /regression-tests.dnsdist