Merge pull request #16903 from omoerbeek/rec-test-faster

rec: test faster

Typo in comment

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16731 from miodvallat/statbag_of_tricks

auth web: stricter control of statistics rings changes

Merge pull request #16884 from miodvallat/alias_not_aliases

auth: fix and document behaviour when multiple ALIAS records in an RRset

Drop autouse, it's redundant, zap a few print() calls

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

tcpiohandler: Some versions of GnuTLS require `gnutls/socket.h` for `gnutls_transport_set_fastopen`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

meson: Add missing checks for `TLS_client_method`, `gnutls_transport_set_fastopen`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix typo in description reported by Mio

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix indentation

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Implement "allowed rcodes/total" ratio dynamic rule

The existing rcode ratio rules required listing all the response codes
that were not allowed, and to compute the ratio for each rcode.
That's useful, but what we want in most cases is to set a ratio of
"unexpected"/"invalid" response codes over "allowed"/"expected" response
codes.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: save outgoing TLSContext for later re-use

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Apply suggestions from code review

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16902 from miodvallat/removeelse

auth: loosen check in NotificationQueue::removeIf

Commit forgotten file

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Tests with special auth working now

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Fixture to start en stop auths per session is working

A few tests that modify auth config are skipped. Next commit should fix that.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Ignore port numbers in removeIf() if either ComboAddress lacks one.

Fixes: #13576
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16890 from rgacogne/ddist-fix-latency-again

dnsdist: Clean up the type mess around latency metrics (again)

dnsdist: Fix flaky Proxy Protocol regression test

We can only check that we did not open more than one new connection
compared to the connections that existed before, because connections
triggered by a different test can still be around.
This seems to be happening on a regular basis on slow runners with
few CPU cores.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16898 from rgacogne/ddist-do-no-start-network-listener-in-config-check

dnsdist: Don't start the NetworkListener thread in config check mode

Make status polls faster

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Don't start the NetworkListener thread in config check mode

Not only is this useless, there is a risk of race if the thread is not
created quickly enough, so when the main thread reaches the end of the
configuration and exits the new thread tries to access an object that
has been freed.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16897 from milzi234/chore/docs_spog_section

chore(docs site): add single pane of glass

chore(docs site): add single pane of glass

build-packages: move uploading and publishing packages to an action

Merge pull request #16879 from rgacogne/ddist-unset-tag

dnsdist: Add actions, methods and FFI functions to unset a tag

Merge pull request #16881 from rgacogne/ddist-excluded-entries-should-not-count-toward-super-subnet-limit

dnsdist: Subnets excluded from dynamic rules should not count towards thresholds

Merge pull request #16893 from omoerbeek/rec-prep-5.4.0-rc1

rec: Prep for rec-5.4.0-rc1 release

Merge pull request #16887 from rgacogne/ddist-fix-invalid-substr-use-dnsparser

dnsdist: Fix invalid `substr()` use in the DNS overlay parser

Prep for rec-5.4.0-rc1 release

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

If a single NSEC3 recordset should be cached, cache all of them

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix a typo in the documentation

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Add a Lua callback to validate health-check responses

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Ignore extra ALIAS records and warn about them.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Test ANY requests on ALIAS records.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

dnsdist: Clean up the type mess around latency metrics (again)

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: take into account that NSEC3 can be reversed

In that case a short common prefix signifies a large range

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix invalid `substr()` use in the DNS overlay parser

`std::basic_string_view<CharT,Traits>::substr`'s second parameter is a length,
not an iterator or a position, so the existing code was misusing it and
creating a view that potentially expanded outside of the packet.
However currently the view is never used to read more than
`record.d_contentOffset` (we are passing it immediately to `makeComboAddressFromRaw`
with `record.d_contentLength` as the length) and `record.d_contentOffset`
has been validated right before to be either `4` or `16`, so
there is no out-of-bounds read.
This issue has been introduced in b6f9a21db93ee25ec665dc5f65e87eb7adebd102 and
is not included in any stable release, so no need to backport
the fix.

Reported by Nyaz360 in YWH-PGM6095-85, thanks a lot!

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix DoH ACL bypass when early ACL check is disabled

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix out-of-bounds read when parsing DNS packets via Lua

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16858 from omoerbeek/rec-dot-client-cert

re: add feature to optionally use a client certificate for outgoing DoT

Better python formatting from @rgacogne

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add docs

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Fix race and test and check subject of client cert and add PEM test

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add test for Dot with client cert

When run individually, the new test works. But there seems to be a race
condition: in some cases old responders look to be still running, making
subsequent test fail on larger test runs.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Tidy existing TLS tests a bit

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Generate cert to use as client cert in tests

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Basic infra for client cert

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Refactor key setup so it isn's tied to server-only code

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Subnets excluded from dynamic rules should not count towards thresholds

Until now we only looked at whether a subnet was excluded from dynamic rules
when deciding to insert a block. This introduced an issue when the dynamic
rules were configured to group clients into subnets via the `setMasks` directive,
because then queries received from an excluded client were still counted towards
the thresholds for the final subnet. For example, when grouping IPv4 clients
into `/24` subnets and excluding `192.0.2.1`, we would end up blocking the
whole `192.0.2.0/24` subnet if the number of queries or responses received
from `192.0.2.1` were over the threshold.
From now on excluded subnets will no longer count toward the thresholds.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16872 from PowerDNS/feature/update-repo-test-script-20260212

Update Repo Test Script

dnsdist: Fix c/p mistake spotted by Miod (thanks!)

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Use `not in` instead of a fugly line of `and`s.

Undo some whitespace changes so diff looks good.

Reinstate `while` usage.

dnsdist: Add actions, methods and FFI functions to unset a tag

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Remove `auth-47` as it is not maintained anymore.

Comment by @miodvallat in #16872.

Merge pull request #16871 from miodvallat/gettingtoooldtowritecode

auth: fix stupid logic error in lmdb-write-update-notification=no

Update repo test script.

This had not been synced to the repo for a while.

Perform DomainInfo consolidation before filtering.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Fix polarity of setting description.

This was forgotten after this setting changed name and polarity.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16868 from rgacogne/rust-audit-pr

CI: Run the Rust deps audit check on the correct branch for pull requests

CI: Run the Rust deps check workflow on PR to master

As suggested by Alexis, many thanks!

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16862 from omoerbeek/rec-janitor-lwres

rec: cleanup lwres.??

Run the Rust deps audit check on the current branch for PRs

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

CI: Do not run the Rust deps audit on all branches for PRs

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16861 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/time-0.3.47

build(deps): bump time from 0.3.45 to 0.3.47 in /pdns/recursordist/rec-rust-lib/rust

build(deps): bump time in /pdns/recursordist/rec-rust-lib/rust

Bumps [time](https://github.com/time-rs/time) from 0.3.45 to 0.3.47.
- [Release notes](https://github.com/time-rs/time/releases)
- [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md)
- [Commits](https://github.com/time-rs/time/compare/v0.3.45...v0.3.47)

---
updated-dependencies:
- dependency-name: time
  dependency-version: 0.3.47
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16855 from omoerbeek/rec-ws-pkcs12

rec: add feature to read TLS key info from an encrypted PKCS12 (pfx) file for the embedded web server

Better var name

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Process review comments from Miod

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

skip test on class level

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Mention the PKCS12 feature is not available everywhere.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Make pkcs12 feature dependent on rust version

Also add test infra to test for rec features

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add password field in yaml generation from map

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Better comments and function names

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add docs

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add test, pin time crate to avoid depending on rustc 1.88

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: add feature to read webserver key and cert from (encrypted) pkcs12 file

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16857 from PowerDNS/dependabot/pip/regression-tests.recursor-dnssec/cryptography-46.0.5

build(deps): bump cryptography from 46.0.4 to 46.0.5 in /regression-tests.recursor-dnssec

Merge pull request #16856 from omoerbeek/rustc-update-to-1.93

rec and dnsdist: Update rustc and cargo to 1.93

build(deps): bump cryptography in /regression-tests.recursor-dnssec

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.4 to 46.0.5.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.4...46.0.5)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16852 from PowerDNS/dependabot/pip/regression-tests.dnsdist/cryptography-46.0.5

build(deps): bump cryptography from 46.0.4 to 46.0.5 in /regression-tests.dnsdist

Merge pull request #16823 from rgacogne/ddist-export-dns-flags-via-protobuf

dnsdist: Export DNS flags via ProtoBuf

Reduce include files to much smaller set

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: cleanup in lwres related code

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16854 from miodvallat/wolf

auth: get rid of a "may be uninitialized" warning.

Also test for empty record contents.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Update rustc and cargo to 1.93

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Get rid of a "may be uninitialized" warning.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16849 from rgacogne/quiche-0.24.9

dnsdist: Update Quiche to 0.24.9

Merge pull request #16846 from rgacogne/ddist-fix-pool-zero-scope-version

dnsdist: Fix version added for `ServerPool:{g,s}etZeroScope`

Merge pull request #16853 from omoerbeek/rec-regr-test-robustness

rec: improve regression test startup/teardown robustness

Type in var name from Miod

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

build(deps): bump cryptography in /regression-tests.dnsdist

Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.4 to 46.0.5.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.4...46.0.5)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Make sure all teardown class methods are called before raising a potential exception

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix version added for `ServerPool:{g,s}etZeroScope`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Call super().tearDownClass() if possible

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Wrong type of object used

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Update Quiche to 0.24.9

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>