dnsdist: Don't try to convert consumed bytes to a nghttp2 error

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Remove commented out leftover debug messages in outgoing DoH

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Better handling of nghttp2 errors

There are a few cases where an error returned by `nghttp2` could
have been silently ignored. Thanks to ilhamaf for reporting this!
As far as I can tell there is no actual impact, except perhaps that
we can detect errors/stale connections earlier, but I haven't been
able to cause any actual problem introduced by not handling these
errors properly.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Harden stripDomainSuffix() logic.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17151 from rgacogne/ddist-ywh-230

dnsdist: Fix handling of long HTTP/2 Date headers, handle non-POSIX locales

Drop boolean return from stripDomainSuffix().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Remove ciEqual(), clone of pdns_iequals().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17149 from miodvallat/parse_is_hard

webserver: correctly split the basic authorization cookie

Merge pull request #17148 from miodvallat/httpenury

auth: add a configurable limit of web server connections

dnsdist: Check the value of the HTTP Date header, even with a weird locale

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Use the POSIX locale to generate the HTTP Date header

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Split HTTP Date header generation, use timebuf_t

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix handling of long HTTP/2 Date headers

Some days of the year can, in some specific locales, require more than 40 bytes.
We should handle that gracefully with a larger buffer, and also just skip the
`Date` header altogether if it somehow does not fit into our buffer.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Appease ruff

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Handle missing X-Forwarded-For on existing DoH connection

If `trustForwardedForHeader` is enabled, meaning we trust an upstream
reverse-proxy to fill it with the address of the initial client, and
the header was set on at least one previous query of the current DoH
connection, but is missing from the current query, we should fall back
to the address the connection is coming from instead of using the value
of the last received `X-Forwarded-For` header.
This should never happen in practice: if we trust the reverse proxy
to set the `X-Forwarded-For` header it should always do so. But let's
handle the case nevertheless, or we will get an endless stream of
reports from LLMs about it.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Correctly split the basic authorization cookie.

This allows passwords containing colons to be correctly handled.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Add a limit of the number of concurrent connections to auth webserver.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Move connection-management.hh to shared place.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17002 from miodvallat/directbackenderror

pdnsutil: possibly helpful backend-cmd help

Merge pull request #17134 from miodvallat/gallup

auth: only perform secpoll checks when they make sense

Merge pull request #17141 from rgacogne/ddist-coverity-20260414

dnsdist: Silence performance warnings from Coverity

dnsdist: Silence performance warnings from Coverity

Coverity (CID 503155 and 503156, at least) is worried that we are
mistakenly duplicating the `std::string`s that our Lua bindings are
returning. We are doing it on purpose, so let's make it clear.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17140 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/rand-0.9.4

build(deps): bump rand from 0.9.2 to 0.9.4 in /pdns/recursordist/rec-rust-lib/rust

build(deps): bump rand in /pdns/recursordist/rec-rust-lib/rust

Bumps [rand](https://github.com/rust-random/rand) from 0.9.2 to 0.9.4.
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.9.4/CHANGELOG.md)
- [Commits](https://github.com/rust-random/rand/compare/rand_core-0.9.2...0.9.4)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.9.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17139 from miodvallat/codeupdate

auth: comb the dns update code

Better variable names.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Work on DNSRecord references rather than pointers whenever possible.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Reduce scope of MOADNSParser objects.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Pass the MOADNSParser d_answers field rather than the whole object.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Do not keep secpolling for non-releases.

Fixes: #17133
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17132 from rgacogne/ddist-fix-dnsresponse_t-lua-ffi

dnsdist: Lua FFI response actions are passed a `dnsdist_ffi_dnsresponse_t`

Allow `dnsresponse`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Lua FFI _response_ actions are passed a `dnsdist_ffi_dnsresponse_t`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17124 from rgacogne/ddist-refactor-dq-header-interface

dnsdist: Refactor access to DNS headers from Lua

Merge pull request #17126 from miodvallat/createhex

auth lua: one more bad case of createForward

Merge pull request #17044 from PowerDNS/dependabot/pip/meson/requests-2.33.0

build(deps): bump requests from 2.32.4 to 2.33.0 in /meson

Merge pull request #17046 from PowerDNS/dependabot/pip/regression-tests.api/requests-2.33.0

build(deps): bump requests from 2.32.4 to 2.33.0 in /regression-tests.api

Merge pull request #17130 from miodvallat/dynlistentome

auth: some pdns_control love

Merge pull request #17129 from rgacogne/ddist-coverity-cid-502893

dnsdist: Fix a warning from Coverity about unintentional copy

Merge pull request #17128 from omoerbeek/rec-coverity-lua

rec: minor optimization from Coverity

Give some details about control socket setup and access control.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

rec: minor optimization from Coverity

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix a warning from Coverity about unintentional copy

It is intentional, so make it clear.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Apply documentation suggestions from Pieter (thanks!)

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17127 from kpfleming/complete-rename-swagger-to-openapi

Complete the transition from Swagger to OpenAPI

Merge pull request #17125 from pieterlexis/dnsdist-padding-ecs

feat(dnsdist): Test for Frontend padding and backend ECS

Complete the transition from Swagger to OpenAPI

Remove one remaining reference to Swagger in the documentation, and
rename the API schema file to use 'openapi' instead of
'swagger'. These are all internal (build system and other) changes and
should have no effect on users.

Signed-off-by: Kevin P. Fleming <kevin@km6g.us>

Add a test with trailing hex digits for createfoward 1-2-3-4.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Reject trailing hex digits in createforward 1-2-3-4 format.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

feat(dnsdist): Test for Frontend padding and backend ECS

Make more use of all-zeros strings. NFC

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17123 from miodvallat/backtick

fix markdown error

Give more details about what happens if split-domain setting is changed.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Remove spurious backticks.

Closes: #17111
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

dnsdist: Refactor access to DNS headers from Lua

The existing interface is error-prone: it provides a pointer to
a buffer that might get invalidated if the user keeps it around
too long. The new interface makes it clear when the modification
is actually performed, and there is no dangling pointer.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17120 from rgacogne/ddist-coverity-20260408

dnsdist: Fix some warnings reported by Coverity

dnsdist: Fix some warnings reported by Coverity

Being more consistent when moving `RemoteLogActionConfiguration` objects.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17081 from rgacogne/ddist-dont-keep-parsed-edns-options-around

dnsdist: Do not keep the parsed EDNS options around

Merge pull request #17058 from rgacogne/ddist-move-dnsname-response-ring

dnsdist: Move the existing DNSName into the response rings

build(deps): bump requests in /regression-tests.api

Bumps [requests](https://github.com/psf/requests) from 2.32.4 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.32.4...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump requests from 2.32.4 to 2.33.0 in /meson

Bumps [requests](https://github.com/psf/requests) from 2.32.4 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.32.4...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17115 from pieterlexis/dnsdist-yw-202-padding

dnsdist: Actually pad responses

Merge pull request #17119 from pieterlexis/update-py-deps

chore: Update all python dependencies

dnsdist: Pass copies of EDNS options to Lua, views are error-prone

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Do not keep the parsed EDNS options around

The idea to keep the EDNS options around to avoid parsing them
a second time was a nice one, but invalidation is error-prone and
this is rarely useful in practice.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

chore: Update all python dependencies

Merge pull request #17117 from ronhombre/fix/cpq-use-after-move-doh3

Hardened DoH3 internal error handling for cpq

chore(dnsdist): Add unit tests for addEDNSPadding

Merge pull request #17116 from pieterlexis/dnsdist-remove-debug

chore(dnsdist): clean up troubleshooting code

Plug protobuf logging at a higher level, to get more packets.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

auth: basic protobuf emission including test

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Hardened DoH3 internal error handling for cpq

Added a check for cpq before releasing DU to handle exceptional cases.

Signed-off-by: Ron Lauren Hombre <118486316+ronhombre@users.noreply.github.com>

fix(dnsdist): allow adding empty options in addOrReplaceEDNSOption

fix(dnsdist): actually pad responses when requested

feat(dnsdist): test self-answered, padded DOH

fix(dnsdist): do not let dnspython pad responses

chore(dnsdist): clean up troubleshooting code

Merge pull request #17114 from ronhombre/fix/cpq-use-after-move

Hardened DoQ internal error handling for cpq

Merge pull request #17110 from ronhombre/fix/give-tcp-thread-to-doq-and-doh3

Give TCP thread as default for definition USE_SINGLE_ACCEPTOR_THREAD

Hardened DoQ internal error handling for cpq

Added a check for cpq before releasing DU to handle exceptional cases.

Signed-off-by: Ron Lauren Hombre <118486316+ronhombre@users.noreply.github.com>

Merge branch 'PowerDNS:master' into fix/give-tcp-thread-to-doq-and-doh3

Merge pull request #17112 from jsoref/check-spelling-0.0.26

Upgrade check-spelling to v0.0.26

Simplify TCP client thread initialization

Removed conditional TCP client thread creation and make them the default for definition USE_SINGLE_ACCEPTOR_THREAD

Signed-off-by: Ron Lauren Hombre <118486316+ronhombre@users.noreply.github.com>

dnsdist: Document that limits apply to QUIC connections as well

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Apply TCP connections limits to DoQ/DoH3 connections

After all they are consuming memory and the TLS cost is similar.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Add a unit test for the DNSCrypt divide by zero case

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #17070 from rgacogne/ddist-ywh-102

dnsdist: Fix use-after-free in EDNS options handling

Upgrade check-spelling to v0.0.26

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: whether or not

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: see

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: please

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: lowercase

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: configuration:

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: better or worse

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: be

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: auth-zone:

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: also

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

spelling: a

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Use internet archive link

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Give TCP thread for DoQ and DoH3

On OpenWRT, the dnsdist implementation isn't normally built with DoQ and DoH3 due to the lack of quiche support. However, when it is enabled and queried through QUIC, dnsdist sees that the connection we have is too big and goes out of its way to try to use TCP to make that request upstream when using PROXYv2.

This fixes that by checking if DoQ or DoH3 are enabled so that in certain configurations with only DoQ or DoH3 enabled, a TCP thread is given to the internal client.

Signed-off-by: Ron Lauren Hombre <118486316+ronhombre@users.noreply.github.com>