git.ipfire.org Git - thirdparty/pdns.git/log
12 months ago
Miod Vallat [Thu, 20 Mar 2025 14:15:35 +0000 (15:15 +0100)] 
Allow disabled records to be fetched from the API.

Fixes #11473

12 months ago
Miod Vallat [Thu, 20 Mar 2025 13:35:00 +0000 (14:35 +0100)] 
Add an API-specific lookup method to DNSBackend.

This method, APILookup(), behaves similarly to lookup() but allows
disabled records to be returned to the caller. Backends with no support
for disabled records (bind, geoip, ldap, lua2, pipe, tinydns) implement
it as a by-default wrapper over lookup(). Other backends override with
their own processing.

SQL-style backends use distinct queries, api-id-query and
api-any-id-query, so as not to penalize non-API workloads.

12 months ago (15435/head)
Otto Moerbeek [Mon, 14 Apr 2025 14:35:27 +0000 (16:35 +0200)] 
rec: add a Lua function to get the config dir and name

12 months ago
Remi Gacogne [Mon, 14 Apr 2025 14:08:10 +0000 (16:08 +0200)] 
Merge pull request #15429 from rgacogne/rec-fix-typo-test_FWCatz

rec: Fix a typo in the FWCatz regression tests

12 months ago
Otto Moerbeek [Fri, 28 Mar 2025 09:55:14 +0000 (10:55 +0100)] 
Allow alternate location for libssl

Needed at least on OpenBSD to get boringssl for dnsdist with quiche,
but other platforms might benefit as well

12 months ago
Remi Gacogne [Mon, 14 Apr 2025 13:46:00 +0000 (15:46 +0200)] 
Merge pull request #15426 from rgacogne/ddist-document-how-to-remove-ecs

dnsdist: Document that `SetDisableECSAction` doesn't remove existing values

12 months ago
Remi Gacogne [Mon, 14 Apr 2025 13:45:42 +0000 (15:45 +0200)] 
Merge pull request #15428 from rgacogne/ddist-resume-health-checks

dnsdist: Mention the lazy health-check option more often in the docs

12 months ago
Miod Vallat [Mon, 14 Apr 2025 13:33:27 +0000 (15:33 +0200)] 
Merge pull request #15421 from miodvallat/a_zone_by_any_other_name

Introduce ZoneName

12 months ago (15429/head)
Remi Gacogne [Mon, 14 Apr 2025 13:22:01 +0000 (15:22 +0200)] 
rec: Fix a typo in the FWCatz regression tests

Observed on GH actions:
```
  test_FWCatz.py:353:
  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

  self = <test_FWCatz.FWCatzXFRRecursorTest testMethod=testFWCatz>
  expected = {'forward_zones': [{'forwarders': ['1.2.3.4'], 'zone': 'c.'}]}

      def checkForwards(self, expected):
          attempts = 0
          tries = 10
          ex = None
          while attempts < tries:
              try:
                  with open('configs/' + self._confdir + '/catzone.forward.catz.') as file:
                      reality = yaml.safe_load(file);
                      if expected == reality:
                          return
              except Exception as e:
                  ex = e
              attempts = attempts + 1
  >           sleep(0.1)
  E           NameError: name 'sleep' is not defined
```

12 months ago (15428/head)
Remi Gacogne [Mon, 14 Apr 2025 13:07:11 +0000 (15:07 +0200)] 
dnsdist: Mention the lazy health-check option more often in the docs

12 months ago (15426/head)
Remi Gacogne [Mon, 14 Apr 2025 12:43:35 +0000 (14:43 +0200)] 
dnsdist: Document that `SetDisableECSAction` doesn't remove existing values

And document a possible work-around.

12 months ago
Remi Gacogne [Mon, 14 Apr 2025 12:09:20 +0000 (14:09 +0200)] 
dnsdist: Document certificate switching support in the OpenSSL provider

12 months ago
Remi Gacogne [Thu, 10 Apr 2025 12:29:25 +0000 (14:29 +0200)] 
dnsdist: Fix clang-tidy warnings

12 months ago
Remi Gacogne [Fri, 4 Apr 2025 13:18:31 +0000 (15:18 +0200)] 
dnsdist: Add support for switching certificates based on SNI w/ OpenSSL

We already supported this with GnuTLS, but OpenSSL does not make it
easy: we need to keep a different `SSL_CTX` object for each certificate/key
and change the `SSL_CTX` associated with an incoming connection to
the correct one based on the Server Name Indication from the servername
callback (actually OpenSSL devs advise to use the ClientHello callback
instead when using a recent enough version of OpenSSL, but the
SNI hostname is not available at this point so we
would have to parse it ourselves, which is a terrible idea, and the
drawbacks are not clear. `nginx` has been getting away with it, so
hopefully we will as well).
One additional issue is that we still need to load certificates
for the same name but different key types (RSA vs ECDSA, for example)
in the same `SSL_CTX` context, which makes the code a bit convoluted.

12 months ago (15388/head)
Oliver Chen [Mon, 14 Apr 2025 12:03:28 +0000 (12:03 +0000)] 
Fix clang-tidy warning of unnecessary std::move() for const ref

12 months ago
Peter van Dijk [Mon, 14 Apr 2025 09:22:27 +0000 (11:22 +0200)] 
Merge pull request #15413 from romeroalx/pin-wheel

Pin the version of the python packages wheel and setuptools-git

12 months ago
pacnal [Mon, 14 Apr 2025 08:51:24 +0000 (16:51 +0800)] 
Merge branch 'master' into master

12 months ago
Remi Gacogne [Mon, 14 Apr 2025 08:45:53 +0000 (10:45 +0200)] 
Merge pull request #15418 from rgacogne/ddist-fix-tcp-only-cache

dnsdist: Fix cache lookup for unavailable TCP-only backends

12 months ago (15418/head)
Remi Gacogne [Mon, 14 Apr 2025 07:42:50 +0000 (09:42 +0200)] 
dnsdist: Apply Otto's suggestions

12 months ago
Remi Gacogne [Mon, 14 Apr 2025 07:21:49 +0000 (09:21 +0200)] 
Merge pull request #15423 from rgacogne/ddist-cache-tc-really

dnsdist: Add an option to cache truncated answers

12 months ago (15421/head)
Miod Vallat [Fri, 11 Apr 2025 16:37:01 +0000 (18:37 +0200)] 
clang-tidy the previous clang-tidy run

12 months ago
Remi Gacogne [Fri, 11 Apr 2025 15:05:31 +0000 (17:05 +0200)] 
Merge pull request #15355 from rgacogne/dnsdist-better-handling-exception-when-parsing-yaml

dnsdist: Better handling of exceptions raised during YAML parsing

12 months ago
Miod Vallat [Fri, 11 Apr 2025 13:58:11 +0000 (15:58 +0200)] 
clang-tidy the previous clang-tidy run

12 months ago (15423/head)
Remi Gacogne [Fri, 11 Apr 2025 13:48:27 +0000 (15:48 +0200)] 
dnsdist: Update outdated comment, as suggested by Miod (thanks!)

12 months ago
Miod Vallat [Fri, 11 Apr 2025 09:29:05 +0000 (11:29 +0200)] 
Appease clang-tidy.

12 months ago
Miod Vallat [Fri, 11 Apr 2025 07:29:05 +0000 (09:29 +0200)] 
Introduce ZoneName.

This is currently equivalent to DNSName and is intended to be used for,
well, zone names. This will allow specific processing later, and
currently makes the areas where such names are used more visible.

This commit is mostly mechanical and introduces type changes in various
API and data fields.

12 months ago
Remi Gacogne [Thu, 10 Apr 2025 15:05:21 +0000 (17:05 +0200)] 
dnsdist: Add an option to cache truncated answers

12 months ago
Remi Gacogne [Fri, 11 Apr 2025 12:12:15 +0000 (14:12 +0200)] 
Merge pull request #15420 from rgacogne/ddist-add-binding-for-incoming-interface

dnsdist: Add Lua bindings for the incoming network interface

12 months ago
Remi Gacogne [Fri, 11 Apr 2025 11:49:26 +0000 (13:49 +0200)] 
Merge pull request #15419 from rgacogne/ddist-cache-tc

dnsdist: Refactor the packet cache settings

12 months ago (15420/head)
Remi Gacogne [Fri, 11 Apr 2025 10:41:30 +0000 (12:41 +0200)] 
dnsdist: Fix clang-tidy warning introduced by fixing another clang-tidy warning introduced by..

12 months ago (15419/head)
Remi Gacogne [Fri, 11 Apr 2025 07:44:16 +0000 (09:44 +0200)] 
dnsdist: Make clang-tidy happy by passing the settings by value

12 months ago
Remi Gacogne [Fri, 4 Apr 2025 10:08:45 +0000 (12:08 +0200)] 
dnsdist: Refactor the packet cache settings

12 months ago
Remi Gacogne [Fri, 11 Apr 2025 10:07:01 +0000 (12:07 +0200)] 
dnsdist: Fix clang-tidy's warning

12 months ago
Remi Gacogne [Fri, 11 Apr 2025 09:35:08 +0000 (11:35 +0200)] 
Add VRF to the list of allowed words

12 months ago
Remi Gacogne [Fri, 11 Apr 2025 09:28:51 +0000 (11:28 +0200)] 
dnsdist: Add Lua bindings for the incoming network interface

This is useful in Virtual Routing and Forwarding (VRF) environments
where the destination IP address might not be enough to identify the VRF.

12 months ago
Oliver Chen [Thu, 10 Apr 2025 14:00:55 +0000 (14:00 +0000)] 
Document usage of timeout response rule and add defensive checks

Removed unnecessary packet buffer generation that is of no value

12 months ago
Remi Gacogne [Thu, 10 Apr 2025 14:04:04 +0000 (16:04 +0200)] 
dnsdist: Add a regression test for cache lookups w/ unavailable cache-only backends

12 months ago
Remi Gacogne [Thu, 10 Apr 2025 13:53:08 +0000 (15:53 +0200)] 
Merge pull request #15416 from rgacogne/ddist-fix-quic-sni-meson

dnsdist: Fix two issues when building with `meson`

12 months ago
Remi Gacogne [Thu, 10 Apr 2025 13:49:51 +0000 (15:49 +0200)] 
dnsdist: Fix cache lookup for unavailable TCP-only backends

12 months ago (15416/head)
Remi Gacogne [Thu, 10 Apr 2025 11:02:39 +0000 (13:02 +0200)] 
dnsdist: Fix building with OpenSSL providers enabled

12 months ago
Remi Gacogne [Thu, 10 Apr 2025 10:51:32 +0000 (12:51 +0200)] 
dnsdist: Fix the version check for OpenSSL when providers are enabled

12 months ago
Remi Gacogne [Thu, 10 Apr 2025 10:50:32 +0000 (12:50 +0200)] 
dnsdist: Properly detect Quiche functions with meson

We forgot to check for the availability of `quiche_conn_server_name`
when we migrated from `autotools` to `meson`.

12 months ago
Remi Gacogne [Thu, 10 Apr 2025 10:13:10 +0000 (12:13 +0200)] 
Merge pull request #15387 from rgacogne/ddist-share-stek-context-identical-frontends

dnsdist: Share tickets key between identical frontends created via YAML

12 months ago (15387/head)
Remi Gacogne [Thu, 10 Apr 2025 09:13:49 +0000 (11:13 +0200)] 
dnsdist: Document how STEKs are managed in frontend groups

12 months ago
Miod Vallat [Thu, 10 Apr 2025 09:07:48 +0000 (11:07 +0200)] 
Merge pull request #15415 from miodvallat/web_disservice

[auth] minor web service cleanup

12 months ago (15415/head)
Miod Vallat [Thu, 10 Apr 2025 05:59:40 +0000 (07:59 +0200)] 
Replace the two lists of metadata keywords with a single list of pairs.

This removes the need for a second search in order to figure out whether
the metadata is write-protected from the API.

12 months ago
Miod Vallat [Thu, 10 Apr 2025 05:51:18 +0000 (07:51 +0200)] 
Clean metadata lists.

- remove duplicate entries
- remove leftover mention of API-RECTIFY in readonly list.

12 months ago
Remi Gacogne [Thu, 10 Apr 2025 08:33:14 +0000 (10:33 +0200)] 
Merge pull request #15407 from rgacogne/ddist-fix-doh3-without-doh

dnsdist: Fix compilation with DoH3 enabled and DoH disabled

12 months ago
Miod Vallat [Thu, 10 Apr 2025 05:49:39 +0000 (07:49 +0200)] 
Sort metadata name lists.

12 months ago (15413/head)
romeroalx [Wed, 9 Apr 2025 13:03:36 +0000 (15:03 +0200)] 
pin version of wheel and setuptools-git packages

12 months ago
Otto Moerbeek [Wed, 9 Apr 2025 08:35:26 +0000 (10:35 +0200)] 
Merge pull request #15408 from omoerbeek/rec-prep-20250409

rec: Prep for rec 20250409 releases

12 months ago (15408/head)
Otto Moerbeek [Wed, 9 Apr 2025 07:45:18 +0000 (09:45 +0200)] 
Typo in version

12 months ago (15410/head)
Otto Moerbeek [Tue, 8 Apr 2025 14:40:20 +0000 (16:40 +0200)] 
rec regr tests: allow to set moduledir using an env var

This makes picking the right moduledir explicit instead of hard-coded.
With meson the location varies, and also I would like to use packaged
modules even when I happen to have backend .so's in the default place.

12 months ago
Oliver Chen [Wed, 9 Apr 2025 06:58:43 +0000 (06:58 +0000)] 
Generate timeout response packet, clang-tidy, PR comments

Generate a valid packet for timeout response rules so that other
actions that require a packet buffer would be happy. Fix a few
clang-tidy issues, address a few PR comments, i.e. revert changes
that were fixed in another commit.

12 months ago
Miod Vallat [Wed, 9 Apr 2025 06:43:45 +0000 (08:43 +0200)] 
Merge pull request #15399 from miodvallat/ignoreland

.gitignore glitch

12 months ago
Otto Moerbeek [Tue, 8 Apr 2025 12:34:59 +0000 (14:34 +0200)] 
Prep for rec 20350409 releases

12 months ago
Otto Moerbeek [Tue, 8 Apr 2025 08:56:46 +0000 (10:56 +0200)] 
Merge pull request #15402 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/tokio-1.43.1

build(deps): bump tokio from 1.43.0 to 1.43.1 in /pdns/recursordist/rec-rust-lib/rust

12 months ago
Remi Gacogne [Tue, 8 Apr 2025 08:05:52 +0000 (10:05 +0200)] 
dnsdist: Fix compilation with DoH3 enabled and DoH disabled

While unusual, this is a completely valid setup.

12 months ago (15402/head)
dependabot[bot] [Tue, 8 Apr 2025 02:12:35 +0000 (02:12 +0000)] 
build(deps): bump tokio in /pdns/recursordist/rec-rust-lib/rust

Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.43.0 to 1.43.1.
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.43.0...tokio-1.43.1)

---
updated-dependencies:
- dependency-name: tokio
  dependency-version: 1.43.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

12 months ago (15399/head)
Miod Vallat [Mon, 7 Apr 2025 13:29:25 +0000 (15:29 +0200)] 
Fix name of tsig_tests binary in .gitignore

12 months ago
Otto Moerbeek [Mon, 7 Apr 2025 12:45:41 +0000 (14:45 +0200)] 
Merge pull request #15397 from omoerbeek/rec-prep-5.2.1

rec: prep for rec-5.2.1

12 months ago (15397/head)
Otto Moerbeek [Mon, 7 Apr 2025 11:06:10 +0000 (13:06 +0200)] 
rec: prep for rec-5.2.1

12 months ago
Otto Moerbeek [Mon, 7 Apr 2025 12:21:09 +0000 (14:21 +0200)] 
Merge pull request #15396 from omoerbeek/rec-cname-to-auth

rec: rework of #14822: fix a difference between record-cache hit and miss in some ServFail results

12 months ago
Miod Vallat [Mon, 7 Apr 2025 10:52:13 +0000 (12:52 +0200)] 
Merge pull request #15382 from miodvallat/i_lost_at_jeopardy

[auth] Backend capabilities

12 months ago
Peter van Dijk [Mon, 7 Apr 2025 10:51:25 +0000 (12:51 +0200)] 
Merge pull request #15375 from Habbie/ci-postgres-14

CI: bump postgres version

12 months ago (15382/head)
Miod Vallat [Mon, 7 Apr 2025 10:12:07 +0000 (12:12 +0200)] 
Better future-proof logic.

12 months ago
Miod Vallat [Thu, 3 Apr 2025 06:45:47 +0000 (08:45 +0200)] 
Better error report when zone creation is not possible.

Fixes #5783
Fixes #6954

12 months ago
Miod Vallat [Thu, 3 Apr 2025 06:30:44 +0000 (08:30 +0200)] 
Add a "can create domains" capability.

12 months ago
Miod Vallat [Mon, 31 Mar 2025 14:23:32 +0000 (16:23 +0200)] 
Check backend capabilities before attempting some operations.

This allows us to give better error messages to the users.

Fixes: #15006

12 months ago
Miod Vallat [Mon, 31 Mar 2025 14:08:40 +0000 (16:08 +0200)] 
Allow backends to report a coarse-grained capabilities mask.

The current capabilities are DNSSEC support, comments, direct backend
commands, and zone listing (AXFR) ability.

doesDNSSEC() is rewritten as a trivial wrapper around this.

12 months ago
Miod Vallat [Mon, 7 Apr 2025 09:28:30 +0000 (11:28 +0200)] 
Merge pull request #15379 from miodvallat/if_i_could_only_cflags_it_down

Minor build system tweaks

12 months ago
Remi Gacogne [Mon, 7 Apr 2025 09:01:29 +0000 (11:01 +0200)] 
Merge pull request #15392 from rgacogne/ddist-python-man-pages-not-found

dnsdist with meson: Do not try to get the version/path of Python if not found

12 months ago (15396/head)
Otto Moerbeek [Mon, 17 Mar 2025 13:19:50 +0000 (14:19 +0100)] 
rec: rework of #14822: fix a difference between record-cache hit and miss in some ServFail results

Fixes: CNAME with target non-existent record in auth zone causes segfault

12 months ago
Miod Vallat [Mon, 31 Mar 2025 10:10:02 +0000 (12:10 +0200)] 
Mention which backends support search operations.

12 months ago
Miod Vallat [Mon, 7 Apr 2025 08:01:18 +0000 (10:01 +0200)] 
Merge pull request #14840 from ukleinek/backend-docs

Update Backend docs

12 months ago
Oliver Chen [Sat, 5 Apr 2025 05:05:17 +0000 (05:05 +0000)] 
Add regression test case for timeout response action

12 months ago
Remi Gacogne [Fri, 4 Apr 2025 12:37:20 +0000 (14:37 +0200)] 
Merge pull request #15394 from rgacogne/fix-auth-apt-404

tasks: Run apt-get update before installing auth test deps

12 months ago (15394/head)
Remi Gacogne [Fri, 4 Apr 2025 10:09:33 +0000 (12:09 +0200)] 
tasks: Run apt-get update before installing auth test deps

Otherwise we might be trying to install a version that is no longer
present in the repository, yielding a 404 error.

12 months ago (15393/head)
Miod Vallat [Fri, 4 Apr 2025 09:10:30 +0000 (11:10 +0200)] 
Replace nested if with switch.

12 months ago
Miod Vallat [Fri, 4 Apr 2025 08:56:14 +0000 (10:56 +0200)] 
Keep the retarget loop logic in one place.

12 months ago
Miod Vallat [Fri, 4 Apr 2025 08:22:58 +0000 (10:22 +0200)] 
Throw enough bones to clang-tidy

12 months ago
Miod Vallat [Fri, 4 Apr 2025 07:10:38 +0000 (09:10 +0200)] 
Split handling of Query opcode, step 2/2.

Gets rid of the "retargeted" goto label.

12 months ago
Miod Vallat [Fri, 4 Apr 2025 06:16:09 +0000 (08:16 +0200)] 
Split handling of Query opcode, step 1/2.

Gets rid of the "sendit" goto label.

12 months ago
Miod Vallat [Fri, 4 Apr 2025 05:39:56 +0000 (07:39 +0200)] 
Split PacketHandler::doQuestion into per-opcode routines.

12 months ago
Oliver Chen [Fri, 4 Apr 2025 03:27:21 +0000 (03:27 +0000)] 
Fix build errors with no DoH, address PR comments

12 months ago (15392/head)
Remi Gacogne [Thu, 3 Apr 2025 15:21:54 +0000 (17:21 +0200)] 
dnsdist: Do not try to get the version/path of Python if not found

12 months ago (15389/head)
Miod Vallat [Thu, 3 Apr 2025 10:08:48 +0000 (12:08 +0200)] 
Allow the default ZoneParserTNG TTL to be modified.

Fixes #8494

12 months ago
Oliver Chen [Thu, 3 Apr 2025 02:40:45 +0000 (02:40 +0000)] 
Enhancement to support rule action for query timeout case

dnsdist already supports all types of error response code rule actions
except timeout. Users may want to use the same feature for the timeout case.

12 months ago
Remi Gacogne [Wed, 2 Apr 2025 13:53:01 +0000 (15:53 +0200)] 
Merge pull request #15385 from rgacogne/ddist-enable-quiche-sni-tests

dnsdist: Enable the DoQ and DoH3 parts of the SNI tests in our CI

12 months ago
Remi Gacogne [Wed, 2 Apr 2025 13:31:26 +0000 (15:31 +0200)] 
dnsdist: Check identical frontends get the same STEK

12 months ago (15385/head)
Remi Gacogne [Wed, 2 Apr 2025 10:54:48 +0000 (12:54 +0200)] 
dnsdist: Remove now useless comment in the SNI regression tests

12 months ago
Remi Gacogne [Mon, 3 Mar 2025 15:57:42 +0000 (16:57 +0100)] 
dnsdist: Don't try to get TLS contexts for DoQ and DoH3 frontends

Right now the BoringSSL context is handled by Quiche and we do not
mess with it.

12 months ago
Remi Gacogne [Mon, 3 Mar 2025 10:57:54 +0000 (11:57 +0100)] 
dnsdist: Share tickets key between identical frontends created via YAML

Using the same Session Ticket Encryption Key on identical frontends
allows TLS sessions to be resumed in a much more efficient way, reducing
the latency and CPU usage. While it was already possible to do so by
manually managing the STEK, the default behaviour was to create and use
a different STEK for each frontend, because our Lua configuration makes
it almost impossible to ensure that two frontends are identical.
This is not an issue with the new YAML configuration format, so let's
share the STEK automatically in this case.

This needs a regression test.

12 months ago
Remi Gacogne [Wed, 2 Apr 2025 08:07:01 +0000 (10:07 +0200)] 
dnsdist: Enable the DoQ and DoH3 parts of the SNI tests in our CI

We now build with Quiche >= 0.23.2 so we can enable them.

12 months ago
Remi Gacogne [Mon, 31 Mar 2025 14:19:31 +0000 (16:19 +0200)] 
dnsdist: Add regression tests for the new TCP/TLS DoS mitigation options

12 months ago
Remi Gacogne [Fri, 28 Mar 2025 14:52:08 +0000 (15:52 +0100)] 
dnsdist: Add mitigations against misbehaving TCP/TLS clients

This commit adds several mitigations against misbehaving TCP/TLS clients:
- when a client is near the limit of concurrent TCP connections it is
allowed to have, the number of DNS queries over a single TCP connection
is restricted to 1 and the idle timeout is reduced to 500 ms
- the same restrictions are applied to all connections if the frontend
is near the limit of concurrent TCP connections
- a limit of 50 read I/O events per query is enforced on incoming TCP
connections, to prevent a connection from continuously sending very small
packets to keep the worker busy. Clients exceeding this limit can
be prevented from opening new TCP connections for a configurable
amount of time
- three new configurable rates are introduced: new TCP connections
per second per client, new TLS sessions per second per client,
resumed TLS sessions per second per client. Clients exceeding these
rates can be prevented from opening new TCP connections for a
configurable amount of time
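
The policy the commit message lists can be expressed compactly as a per-client accounting object. The block below is an added illustration written for this log page, not dnsdist's implementation: the class, its method names, the 0.75 "near the limit" fraction, the default limits and the rates used in the demo are assumptions; only the figures the message itself states (1 query per connection, a 500 ms idle timeout, 50 read I/O events per query, a configurable ban duration) come from the text.

```python
"""Per-client TCP/TLS abuse controls modelled on the mitigations listed above.
Added example, not dnsdist code. Names and the configurable numbers are
assumptions; 1 query, 500 ms and 50 reads are the values the commit states."""
from collections import defaultdict, deque

RESTRICTED_MAX_QUERIES = 1       # stated: one query per connection when near the limit
RESTRICTED_IDLE_TIMEOUT = 0.5    # stated: idle timeout reduced to 500 ms
MAX_READ_EVENTS_PER_QUERY = 50   # stated: 50 read I/O events per query


class TCPClientGuard:
    """Tracks concurrent connections, new-connection rate and read events per
    client, and hands back the limits a freshly accepted connection must obey."""

    def __init__(self, max_conns_per_client, max_conns_frontend, new_conns_per_second,
                 ban_seconds, near_limit_fraction=0.75, default_max_queries=100,
                 default_idle_timeout=30.0):
        self.max_client = max_conns_per_client
        self.max_frontend = max_conns_frontend
        self.rate = new_conns_per_second
        self.ban_seconds = ban_seconds
        self.near = near_limit_fraction
        self.defaults = (default_max_queries, default_idle_timeout)
        self.active = defaultdict(int)     # client -> open TCP connections
        self.total_active = 0              # frontend-wide open TCP connections
        self.recent = defaultdict(deque)   # client -> timestamps of accepts in the last second
        self.banned_until = {}             # client -> time until which new connections are refused
        self.reads = defaultdict(int)      # (client, conn_id) -> read events for the query in flight

    def _banned(self, client, now):
        return now < self.banned_until.get(client, float("-inf"))

    def _ban(self, client, now):
        self.banned_until[client] = now + self.ban_seconds

    def new_connection(self, client, now):
        """Decide whether to accept a new TCP connection and which limits apply to it."""
        if self._banned(client, now):
            return {"accepted": False, "reason": "client temporarily banned"}
        if self.active[client] >= self.max_client or self.total_active >= self.max_frontend:
            return {"accepted": False, "reason": "concurrent connection limit reached"}
        window = self.recent[client]
        while window and now - window[0] >= 1.0:   # slide the one-second window
            window.popleft()
        if len(window) >= self.rate:
            self._ban(client, now)
            return {"accepted": False, "reason": "new-connection rate exceeded, client banned"}
        window.append(now)
        self.active[client] += 1
        self.total_active += 1
        # Near either the per-client or the frontend-wide limit, tighten the connection.
        near_client = self.active[client] >= self.near * self.max_client
        near_frontend = self.total_active >= self.near * self.max_frontend
        restricted = near_client or near_frontend
        max_queries, idle = (RESTRICTED_MAX_QUERIES, RESTRICTED_IDLE_TIMEOUT) if restricted else self.defaults
        return {"accepted": True, "restricted": restricted,
                "max_queries": max_queries, "idle_timeout": idle}

    def read_event(self, client, conn_id, now):
        """Account one read I/O event for the query in flight; a client that keeps
        dribbling tiny segments past the limit is banned. Returns False when exceeded."""
        key = (client, conn_id)
        self.reads[key] += 1
        if self.reads[key] > MAX_READ_EVENTS_PER_QUERY:
            self._ban(client, now)
            return False
        return True

    def query_complete(self, client, conn_id):
        """A full query arrived: the read budget restarts for the next one."""
        self.reads.pop((client, conn_id), None)

    def connection_closed(self, client):
        self.active[client] -= 1
        self.total_active -= 1


if __name__ == "__main__":
    guard = TCPClientGuard(max_conns_per_client=4, max_conns_frontend=100,
                           new_conns_per_second=10, ban_seconds=60)
    for i in range(5):   # constructed client address
        print(i + 1, guard.new_connection("192.0.2.10", 0.0))
```

The `now` parameter is passed in rather than read from a clock so the decisions are reproducible; a real server would feed it the event loop's monotonic time. Note that the rate check bans the client rather than merely rejecting the connection, which is what the message describes for clients exceeding the configured rates.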

12 months ago
Remi Gacogne [Mon, 31 Mar 2025 09:50:37 +0000 (11:50 +0200)] 
Merge pull request #15380 from rgacogne/ddist-async-tests-unlink-exception

dnsdist: Fix a TOCTOU in the Async regression tests

12 months ago (15380/head)
Remi Gacogne [Mon, 31 Mar 2025 09:10:34 +0000 (11:10 +0200)] 
dnsdist: Fix a TOCTOU in the Async regression tests

The existing code was catching all exceptions based on `OSError`
raised by a call to `os.unlink()`, and re-throwing if the file
actually existed, in an attempt to only ignore the case where
the file did not exist and still fail if the process did not
have enough rights to remove it, for example.
Unfortunately this construct introduced a TOCTOU issue, where the
initial exception might have been raised because the file did not
exist at the time of the call, resulting in a `FileNotFoundError`
exception being raised, but had been created before the existence
check, resulting in a puzzling message:
```
ready: 8/8 workersException in thread Asynchronous Responder:
Traceback (most recent call last):
  File "/usr/lib/python3.13/threading.py", line 992, in run
    self._target(*self._args, **self._kwargs)
    ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/pdns/regression-tests.dnsdist/test_Async.py", line 17, in AsyncResponder
    os.unlink(listenPath)
    ~~~~~~~~~^^^^^^^^^^^^
8 workers [816 items]
```

The new code only catches `FileNotFoundError` instead, so that
other errors are still causing a failure without needing a second
check.
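
The two patterns side by side, as an added example that is not the project's test code: `unlink_with_existence_check()` reproduces the catch-all-then-check construct the message describes, `unlink_if_exists()` the narrowed handler, and `racing_unlink()` is a constructed stand-in for `os.unlink()` that replays the race deterministically (it raises the ENOENT error a real unlink would, but creates the file first, standing in for the other thread). The socket path and directory names are made up for the demo.

```python
"""Removing a stale listening socket path without a TOCTOU window.
Added example illustrating the commit above; not the project's code.
racing_unlink() is a constructed stand-in for os.unlink()."""
import errno
import os
import tempfile


def unlink_with_existence_check(path, unlink=os.unlink):
    """The old construct: swallow every OSError, then re-raise only if the path
    still exists. The existence check runs after the failed unlink, so a file
    created in between turns a harmless ENOENT into a re-raised error."""
    try:
        unlink(path)
    except OSError:
        if os.path.exists(path):
            raise
        return False
    return True


def unlink_if_exists(path, unlink=os.unlink):
    """The fix: catch only the exception that means 'nothing to remove'.
    Permission errors, EISDIR, EBUSY and friends still propagate, and no
    second filesystem check is needed, so there is no window to race."""
    try:
        unlink(path)
    except FileNotFoundError:
        return False
    return True


def racing_unlink(path):
    """Constructed stand-in for os.unlink(): when the path is absent it creates
    the file (the concurrent thread winning the race) and then raises the
    ENOENT error the real call would have raised."""
    if not os.path.exists(path):
        open(path, "w").close()
        raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)
    os.unlink(path)


def demo():
    """Run both patterns through the race and through a genuine error;
    returns a dict of outcomes so they can be asserted on."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "async-responder.sock")   # constructed path

        # Old pattern under the race: ENOENT was raised, but by the time
        # os.path.exists() runs the file is there, so the error is re-raised.
        try:
            unlink_with_existence_check(path, unlink=racing_unlink)
            results["old_pattern_under_race"] = "ignored"
        except FileNotFoundError:
            results["old_pattern_under_race"] = "re-raised FileNotFoundError"
        os.unlink(path)   # reset: the racer left the file behind

        # New pattern under the same race: ENOENT simply means nothing to remove.
        results["new_pattern_under_race"] = unlink_if_exists(path, unlink=racing_unlink)
        # The racer created the file, so an ordinary call now removes it ...
        results["new_pattern_file_present"] = unlink_if_exists(path)
        # ... and a second call finds nothing.
        results["new_pattern_file_absent"] = unlink_if_exists(path)

        # A real error (unlink on a directory) must still surface, not be ignored.
        subdir = os.path.join(tmp, "not-a-file")
        os.mkdir(subdir)
        try:
            unlink_if_exists(subdir)
            results["directory"] = "silently ignored"
        except FileNotFoundError:
            results["directory"] = "misreported as missing"
        except OSError as exc:
            results["directory"] = "propagated " + type(exc).__name__
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The general lesson is the same one the message draws: when the goal is "ignore only the missing-file case", select that case by exception type at the point of failure rather than by re-inspecting shared state afterwards, because the state can change between the two steps.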

12 months ago
Remi Gacogne [Mon, 31 Mar 2025 08:17:31 +0000 (10:17 +0200)] 
Merge pull request #15306 from rgacogne/ddist-exit-callbacks

dnsdist: Add support for calling Lua methods when exiting

12 months ago (15379/head)
Miod Vallat [Mon, 31 Mar 2025 06:39:50 +0000 (08:39 +0200)] 
Pass -DPDNS_AUTH when building the authoritative server.