Merge pull request #17003 from pieterlexis/dnsdist-rmserver-log

feat(dnsdist): Log downstream removal

Merge pull request #16933 from pieterlexis/dnsdist-expungebyname-multiple

feat(dnsdist): Allow cache expunging with multiple names

Merge pull request #17008 from miodvallat/more_suspenders

auth: handle backend exceptions better during rectify

build(deps): bump pyasn1 in /regression-tests.dnsdist

Bumps [pyasn1](https://github.com/pyasn1/pyasn1) from 0.4.8 to 0.6.3.
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](https://github.com/pyasn1/pyasn1/compare/v0.4.8...v0.6.3)

---
updated-dependencies:
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17007 from romeroalx/bump-version-actions

gh actions: upgrade actions to the most recent version

Merge pull request #17005 from omoerbeek/rec-rpz-skip-continue

rec: continue processing response Policies if a discarded policy is hit

Handle possible backend exceptions in DNSSECKeeper::rectifyZone().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Do not leave dangling transactions if get() throws.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

feat(dnsdist): Log downstream removal

Closes: #17001

Merge pull request #17004 from miodvallat/lmdbetter

auth: minor lmdb fixes (for the 42nd time)

Merge pull request #16992 from rgacogne/ywh-141

Small cleanup of `EDNSSubnetOpts`

Merge pull request #16999 from omoerbeek/rec-getrr-checks

rec: more getRR return value checks

Use the serializing size constants, for readability.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure local variable is always initialized.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Allow "pdnsutil backend-cmd backend" to return some help message.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

When replacing an rrset, correctly delete any ENT entries.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

rec: more getRR return value checks

All cases of "cannot happen", but better safe than sorry

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16993 from rgacogne/rec-fix-auth-recs-serialization

rec: Fix serialization of cached authority records

gh actions: upgrade actions to the most recent version

build(deps): bump pyasn1 in /regression-tests.recursor-dnssec

Bumps [pyasn1](https://github.com/pyasn1/pyasn1) from 0.4.8 to 0.6.3.
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](https://github.com/pyasn1/pyasn1/compare/v0.4.8...v0.6.3)

---
updated-dependencies:
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16996 from rgacogne/ddist-fix-ot-closer--assertion

dnsdist: Prevent copies of OT closers

dnsdist: Prevent copies of OT closers

Moving them is OK, duplicating them isn't otherwise we might close
the same span several times which is bad.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: Actually test the deserialized cache content in the unit test

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: Fix serialization of cached authority records

The type needs to be present in the protobuf output before
the content, otherwise we cannot decode the content properly
when deserializing.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16991 from pieterlexis/dnsdist-http11-505

fix(dnsdist): respond 505 to DoH HTTP/1.1 reqs

fix(dnsdist): respond 505 to DoH HTTP/1.1 reqs

Closes: #16990

Merge pull request #16989 from PowerDNS/dependabot/pip/regression-tests.dnsdist/pyopenssl-26.0.0

build(deps): bump pyopenssl from 25.3.0 to 26.0.0 in /regression-tests.dnsdist

Merge pull request #16987 from miodvallat/tkeybored

[boring] Remove explicit constructor duplicating default initialization.

build(deps): bump pyopenssl in /regression-tests.dnsdist

Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 25.3.0 to 26.0.0.
- [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/pyopenssl/compare/25.3.0...26.0.0)

---
updated-dependencies:
- dependency-name: pyopenssl
  dependency-version: 26.0.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Remove explicit constructor duplicating default initialization.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16978 from jsoref/index-semicolon

Add semicolon

Clean `EDNSSubnetOpts::getFromString` up as well

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Small cleanup `EDNSSubnetOpts::makeOptString()`

The existing code was relying on implicit integer conversion rules,
which was correct but brittle, so let's explicitely check that the
source is non-zero.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16984 from miodvallat/doc510

auth: 5.1.0-alpha1 documentation and secpoll updates

Make upgrade title less confusing for alpha1.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Documentation and secpoll updates for 5.1.0-alpha1

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Put Pieter Lexis back in the developer gang member names.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

feat(dnsdist): Allow cache expunging by more names

Now one can pass a list of DNSNames or strings to `expungeByName`.

Closes: #7157

Merge pull request #16977 from miodvallat/wallet-rrtype

auth: Add support to the new WALLET RRType

Merge pull request #16477 from pieterlexis/ci-python-black

ci: Force python formatting with ruff

chore: reformat all Python files with ruff

ci: Force python formatting with ruff

dnsdist: Rename a JS variable

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix HTML injection in the Web dashboard

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Clean up our JavaScript code

- Remove unused code
- Remove railing whitespaces
- Be more consistent

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16979 from rgacogne/ddist-fix-downstream-timeout-msg-verbosity

dnsdist: Downstream timeouts should be logged at verbose level

Merge pull request #16980 from rgacogne/ddist-update-quiche-0.26.1

dnsdist: Update Quiche to 0.26.1

dnsdist: Downstream timeouts should be logged at verbose level

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16973 from pieterlexis/dnsdist-ot-config

feat(dnsdist): Change OT Trace YAML config to a struct

Merge pull request #16741 from pieterlexis/dnsdist-ot-serverid-instance

feat(dnsdist): Add instance field to OT Trace messages

Merge pull request #16951 from pieterlexis/decryptus/master

auth: SortA API RRs by content if name and type are equal

feat(dnsdist): Change OT Trace YAML config to a struct

This'll allow us to add more trace feature configuration in the future
and it mirrors the `structured_logging` config.

Add semicolon

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Merge pull request #16974 from omoerbeek/rec-web-docs

docs: only expose web server on a as-needed basis

Document WALLET record type.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Add support to the new WALLET RRType.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

dnsdist: Update Quiche to 0.26.1

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Make this meson-build compatible

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16975 from omoerbeek/rel-workflows-update

GH workflows: Update to current release branch status

Also include auth and dnsdist

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Change default of new wipe flag to true

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Make the clearing of the packet cache configurable, defaulting to false

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Enable packet cache in test

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Wipe relevent packet cache entries on rpz (re)load

Only for qname matches!

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Client IP RPZ match should not result in packetcache insert

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Update to current release branch status

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Typo

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Some advice: only expose web server on a as-needed basis

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16966 from rgacogne/ddist210-beta2

dnsdist: Update ChangeLog and security polling zone for 2.1.0-beta2

Merge pull request #16944 from pieterlexis/dev-tasks

chore: Add invoke tasks to configure with meson for development

Merge pull request #16956 from miodvallat/neper

Remove error-prone logger interfaces

Merge pull request #16965 from rgacogne/auth-pp-buffer-size

auth: Use the proper size after processing a proxy protocol payload

Merge pull request #14057 from mind04/auth-catalog-cleanup

Auth: fix a crash and some cleanup in the auth-catalogzone.cc

Be less scary in logs

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

auth: improve changed catalog detection

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

auth: don't crash when a catalog SOA is invalid

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

auth: cleanup auth-catalogzone.cc a bit

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

chore(auth): add task to configure auth for dev

chore(rec): add task to configure recursor for dev

Remove unused "verbosity" part of the Logger.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Remove no longer useful Logger::enabled().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Remove no longer used Logr::Absent.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

chore(dndist): add task to configure dnsdist for dev

Merge pull request #16968 from rgacogne/ddist-fix-compression-dname-srv

dnsdist: Fix the use of compression for SRV and DNAME targets

dnsdist: Fix the use of compression for SRV and DNAME targets

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16967 from rgacogne/ddist-compress-when-changing-name

dnsdist: Compress DNS names when changing the name in a packet

dnsdist: Compress DNS names when changing the name in a packet

Otherwise the resulting packet might be bigger than needed.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Update ChangeLog and security polling zone for 2.1.0-beta2

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

auth: Use the proper size after processing a proxy protocol payload

Reported in #YWH-PGM6095-116. While it is a bug, I don't believe it
is a security issue because I'm not aware of any implementation
actually releasing the memory unless `shrink_to_fit()` is called,
and even then it's not always the case. The content of the memory
contains part of the existing query and it is still owned by this
buffer so there is no information disclosure.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16946 from omoerbeek/rec-rpz-defpol-test

rec: add a regresion test for defpol handling

DNSWriter: Prevent overflow when generating (too) large DNS packets

The current API expects the caller to check if the current size
exceeds 65535 bytes before calling `commit()`, and potentially
triggers an out-of-bounds write otherwise when `d_sor` wraps around.
This commit adds an additional safety layer ensuring that we do not
write out of bounds even if the caller is not careful enough.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16955 from pieterlexis/lua-headers

auth: Allow adding HTTP Headers in LUA Record ifurlup

fix(auth): Properly sort API RRSets by content

For content, we need to lexographically sort. I would have preferred
canonical ordering of the content. But as this point we have strings we
don't need to roundtrip through the parser.

This also adds an RRSet ordering test.

Sort by content if name and type are equal

Signed-off-by: Adrien Delle Cave <adrien.delle.cave@commandersact.com>

Merge pull request #16958 from miodvallat/cover_your_log

auth: coverity-induced fixes

There is no guarantee that the slog initializer is a compile-time constant.

Therefore we can not safely assume it is safe to check its value in other
global constructors.

Reported by Coverity.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Fix various inefficiencies pointed by Coverity.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16959 from omoerbeek/prep-rec-5.4.0

rec: prep for rec-5.4.0 final release

rec: prep for rec-5.4.0 final release

Code equal to rc1, one missed PR in changelog of rc1

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16957 from jsoref/codeql-set-first-query-false-for-next-query

Set `firstQuery` to false for next query