dnsdist: Fix invalid TCP rate limiting computation

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17297 from omoerbeek/rec-auth-corsflag

rec and auth: Implement an allow cors flag in a simlar way dnsdist has

Apply suggestions from code review

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Rename the option to [webserver-]cross-origin-request-header

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

build(deps): bump sigstore/cosign-installer from 4.1.1 to 4.1.2

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v4.1.1...v4.1.2)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

When deleting an ENT record, only delete associated NSEC3 record if orphaned.

The existing logic was assuming that operations causing ENT records to
disappear take place before actual records are added, but there is
absolutely no such ordering guarantee. rectifyZone() would then create the
proper NSEC ordering, before deleting leftover ENT; but that last step
would also delete the NSEC3 chaining, requiring users to rectify their zone
a second time.

Fixes: #16816
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Add a test demonstrating the defect described in #16816.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Move to a string instead of a boolean flag, as suggested by zeha

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add docs and rename auth setting name

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17135 from rgacogne/ddist-also-set-udp-buffer-size-for-backend

dnsdist: Also apply UDP socket buffer sizes to backend sockets

Update regression-tests.api/test_Basics.py

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Drop the origin part, fix auth regression test

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17291 from rgacogne/ddist-document-api-read-write-flush

dnsdist: Document that flushing the cache is allowed in read-only mode

Merge pull request #17290 from rgacogne/ddist-remove-ffi-pp-dead-code

dnsdist: Bail out when a `NULL` pointer is passed to `dnsdist_ffi_dnsquestion_get_proxy_protocol_values`

Merge pull request #17285 from omoerbeek/rec-byterreccheck

rec: check bytes received limit immediate after increase

Implement an allow cors flag in a simlar way dnsdist has

Docs and tests missing

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17283 from omoerbeek/rec-src-rem-log

rec: be more consistent in logging source and remote

dnsdist: Document that flushing the cache is allowed in read-only mode

As reported by Prasanna Dabi (thanks!) one might expect that a read-only
API would not allow the flushing of the packet cache. This is not the case,
the read-only flag controls whether the API is allowed to alter the configuration,
but flushing the content of the packet cache is always allowed.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Catch exceptions when parsing CNAME via the Lua FFI API (YWH-PGM6095-258)

It turns out that the C++ Exception Interoperability described in
https://luajit.org/extensions.html should be understood as "No" on
at least some Linux ARM platforms, so throwing exceptions is not safe
there.
This is only an issue when the exception can be raised by attacked-provided
data, as is the case here.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Bail out when a `NULL` pointer is passed to `dnsdist_ffi_dnsquestion_get_proxy_protocol_values`

Reported by ylwango613, thanks!

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17287 from rgacogne/ddist-ebpf-add-range-rule

dnsdist: Fix `BPFFilter::addRangeRule`

Merge pull request #17288 from rgacogne/ddist-fix-null-ptr-deref-verbose-doh-healthcheck

dnsdist: Fix a crash with DoH backends in verbose health-check mode

Merge pull request #17289 from omoerbeek/rec-optimize-dns64

rec: optimize dns64 PTR processing (#YWH-PGM6095-280)

dnsdist: Fix a crash with DoH backends in verbose health-check mode

Reported by Mehtab Zafar, many thanks!

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: optimize dns64 PTR processing (#YWH-PGM6095-280)

And return ServFail on malformed DNS64 PTR queries

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix `BPFFilter::addRangeRule`

Reported by Prasanna Dabi (thanks!):
"The eBPF DDoS mitigation implementation in dnsdist contains a critical logic error that prevents new range-based block rules from being applied. When the BPFFilter::addRangeRule() function is called to block a subnet, it first checks the eBPF map to determine if the rule already exists. If the subnet is not currently in the map, the bpf_lookup_elem call returns -1. In this failure state, the local CounterAndActionValue value struct remains in its default, zeroed-out state, where the action field is automatically set to BPFFilter::MatchAction::Pass.

The conditional check intended to skip redundant rules contains a logic typo: it evaluates value.action == BPFFilter::MatchAction::Pass instead of comparing the requested action parameter.Because the default state of the unpopulated struct is always Pass, the condition (res == -1 && value.action == BPFFilter::MatchAction::Pass) evaluates to true for every new rule attempt.This causes the daemon to throw a std::runtime_error and reject the mitigation."

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17286 from miodvallat/beaucoupfish

auth, dnsdist: lost+found, faster

Merge pull request #17284 from miodvallat/grossbody

auth, dnsdist: use less inefficient code in web server

Prefer std::string::find(char) when searching for a single character.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17240 from miodvallat/hardenxfr

auth: harden xfr*BitInt writers

Missing ;

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: check bytes received limit immediate after increase

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Maintain a "current size of received body" counter.

This allows us to get rid of synthesizing partial body contents as
std::string objects, only to check for their length being still within
allowed bounds.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Widen types passed to xfr*BitInt to reject too large values.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

rec: be more consistent in logging soure and remote

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17255 from PowerDNS/dependabot/github_actions/KineticCafe/actions-dco-2.1.1

build(deps): bump KineticCafe/actions-dco from 1.3.8 to 2.1.1

Merge pull request #17254 from PowerDNS/dependabot/github_actions/sigstore/cosign-installer-4.1.1

build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1

Merge pull request #17282 from omoerbeek/omoerbeek-patch-1

rec: remove use of -v flag for cp

rec: remove use of -v flag for cp

Fixes #17241

Merge pull request #17280 from omoerbeek/rec-docs-pb

rec docs: fix description of (outgoing)ProtobufServer

rec docs: fix description of (outgoing)ProtobufServer

And remove obsolete variant.

Fixes #17278

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17238 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/rustls-webpki-0.103.13

build(deps): bump rustls-webpki from 0.103.10 to 0.103.13 in /pdns/recursordist/rec-rust-lib/rust

Merge pull request #17253 from omoerbeek/rec-docs-rpz-vs-packetcache

rec docs: add a note about RPZ vs packetcache interaction

Merge pull request #17257 from omoerbeek/dnsdist-test-signedness

dnsdist: fix a few signed vs unsigned compare warnings in tests

Merge pull request #17256 from omoerbeek/dnsdist-boost-1.91

dnsdist: make code boost-1.91 compatible

build(deps): bump KineticCafe/actions-dco from 1.3.8 to 2.1.1

Bumps [KineticCafe/actions-dco](https://github.com/kineticcafe/actions-dco) from 1.3.8 to 2.1.1.
- [Release notes](https://github.com/kineticcafe/actions-dco/releases)
- [Changelog](https://github.com/KineticCafe/actions-dco/blob/main/Changelog.md)
- [Commits](https://github.com/kineticcafe/actions-dco/compare/1c23966ecce077f76671a61caabeb13eefc72a51...6e1652ef3027ce128e65e6edd215ae053350bd16)

---
updated-dependencies:
- dependency-name: KineticCafe/actions-dco
  dependency-version: 2.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/v4.1.0...v4.1.1)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dnsdist: fix a few signed vs unisgned compare warnings in tests

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: make code boost-1.91 compatible

Fixes #17245

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Re-order first RPZ note

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Apply suggestions from code review

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec docs: add a note about RPZ vs packetcache interaction

Discussed in #YWH-PGM6095-266 by krawall, thanks!

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17242 from miodvallat/pastis

prep for auth 5.1.0-beta1

Merge pull request #17252 from Habbie/200-entries-should-be-enough-for-anybody

rec aggressive nsec test: increase entry count so we hit the 8192 byte limit on 32 bit systems too

Merge pull request #17247 from franklouwers/master

auth docs: update EOL policy wording

Merge pull request #17248 from miodvallat/times_they_are_truncating

auth: (bind) fix one bad case of time_t truncation

increase entry count so we hit the 8192 byte limit on 32 bit systems
too

Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>

Wednesday, after all.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Update docs/appendices/EOL.rst

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Frank Louwers <24672+franklouwers@users.noreply.github.com>

auth docs: update EOL policy wording

Signed-off-by: Frank Louwers <frank@louwers.be>

Fix one bad case of time_t truncation.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17243 from mind04/no-axfr-anonymous

auth: remove extra 'A' from some AXFR log lines

auth: remove extra 'A' from some AXFR log lines

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

Merge pull request #16971 from mind04/auth-nested-catalogs

Auth: nested catalogs

auth: make gcc 15.2 happy

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

auth: fix regression tests for --with-dynmodules

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

auth: implement nested catalogs

Signed-off-by: Kees Monshouwer <mind04@monshouwer.org>

Documentation & secpoll updates for auth-5.1.0-beta1

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Advertize lmdb comments.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Fix year

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

build(deps): bump rustls-webpki in /pdns/recursordist/rec-rust-lib/rust

Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.10 to 0.103.13.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](https://github.com/rustls/webpki/compare/v/0.103.10...v/0.103.13)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17234 from romeroalx/fix-pinning-py-0426

requirements.txt: update version of pinned packages

Merge pull request #17237 from rgacogne/ddist-clang-tidy-warnings-20260423

dnsdist: Fix clang-tidy warnings

dnsdist: Fix clang-tidy warnings

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17231 from rgacogne/ddist-udp-max-outstanding

dnsdist: Set default number of outstanding queries per backend to 65536

dnsdist: Set default number of outstanding queries per backend to 65536

The existing default was off by one, wasting one possible state.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17235 from omoerbeek/dnsparser-unquoted-bound

common: Check boundary in getUnquotedText() as we do in getText()

Tidy

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

requirements.txt: update version of pinned packages

Check boundary as we do in getText()

From YWH-PGM6095-137. We still stay inside the packet, so no security
issue.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17232 from omoerbeek/auth-fix-missing-test-file

auth unit tests: add missing test file for the autotools case

Merge pull request #16522 from Habbie/lmdb-full-comments

auth lmdb: full support for comments

Merge pull request #17218 from rgacogne/ddist-1.9.14-2.0.5-changelog-secpoll

dnsdist: Update ChangeLog and security polling zone for 1.9.14, 2.0.5

auth unit tests: add missing test file for the autotools case

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17180 from edmonds/dnsdist/per-backend-max-udp-outstanding

dnsdist: Add per-backend `max_udp_outstanding` YAML config setting

Merge pull request #17205 from omoerbeek/rec-priv-rpz-soa

rec: throw if no valid SOA found (YWH-PGM6095-168)

Merge pull request #17203 from omoerbeek/rec-private-zonemd

rec: zonemd null pointer dereference on non-standard schemes (#YWH-PGM6095-156)

Merge pull request #17216 from rgacogne/ddist-ywh-189

dnsdist: Prevent division by zero when computing DNSCrypt padding

Merge pull request #17214 from rgacogne/ddist-ywh-170

dnsdist: Clean QUIC stream-related data after errors

Merge pull request #17210 from rgacogne/ywh-159

dnsdist: Handle SVCB response without any usable address

Merge pull request #17208 from rgacogne/ywh-138

dnsdist: Apply TCP connections limits to DoQ/DoH3 connections

Merge pull request #17202 from omoerbeek/rec-priv-cookie-optional

rec: only check cookie if we sent one out (YWH-PGM6095-134)

Merge pull request #17201 from omoerbeek/ywh-135

rec: Prevent null-pointer dereference in aggressive NSEC cache

Merge pull request #17228 from miodvallat/system_of_a_markdawn

auth: buglets in the 2026-05 SA

Merge pull request #17199 from omoerbeek/rec-rpz-race

rec: work on a copy of PolicyZoneData while building the new RPZ zone

Merge pull request #17204 from rgacogne/ddist-sa-follow-up

dnsdist: Fix CVSS links in security advisory 2026-04

Merge pull request #17209 from rgacogne/ywh-148

dnsdist: Fix out-of-bounds check for UDP responses from backend

Merge pull request #17211 from rgacogne/ywh-163

dnsdist: Check record length before calling the visitor function

Merge pull request #17212 from rgacogne/ywh-165

dnsdist: Use `DNSName` in `StatNode` to avoid encoding issues

Merge pull request #17213 from rgacogne/ywh-166

dnsdist: Prevent ID overflow in outgoing TCP connections