Fix Python 3.14 compat issue

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Format

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Tidy

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Fix passing a numeric value to the YAML QType selector

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16997 from PowerDNS/dependabot/pip/regression-tests.recursor-dnssec/pyasn1-0.6.3

build(deps): bump pyasn1 from 0.4.8 to 0.6.3 in /regression-tests.recursor-dnssec

Merge pull request #17009 from PowerDNS/dependabot/pip/regression-tests.dnsdist/pyasn1-0.6.3

build(deps): bump pyasn1 from 0.4.8 to 0.6.3 in /regression-tests.dnsdist

Apply suggestion from @omoerbeek

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Port fixes from 16997: move pysnmp code to async mode

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17011 from miodvallat/obscurity

auth, rec: redact more configuration secrets in the /config endpoint

Merge pull request #17013 from rgacogne/ddist-fix-rust-lib-dependencies

dnsdist: Add missing dependencies to our Rust's lib

Reformat and add cryptography as dependency

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #17012 from pieterlexis/dnsdist-ywh-136

dnsdist: harden locateEDNSOptRR

dnsdist: Add missing dependencies to our Rust's lib

We do use the selectors and actions definition to generate the YAML
settings parsing parts of the Rust library, so it needs to be re-generated
if these change.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Update requirements.txt

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Adapt code to pysnmp 7 async API

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

chore(dnsdist): Add tests for `locateEDNSOptRR`

fix(dnsdist): Check OPT owner in `locateEDNSOptRR`

fix(dnsdist): reject QD!=0 in `locateEDNSOptRR`

fix(dnsdist): reject small packets in `locateEDNSOptRR`

This issue could not be exploited in the service, as too small packets
never reach this function during normal operation.

Discovered by Ilya Rozentsvaig and reported via YWH-136.

Rework the logic deciding whether a config setting should be redacted.

Add *-secret to the list of patterns for auth, due to edns-cookie-secret
and tcp-control-secret.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #17003 from pieterlexis/dnsdist-rmserver-log

feat(dnsdist): Log downstream removal

Merge pull request #16933 from pieterlexis/dnsdist-expungebyname-multiple

feat(dnsdist): Allow cache expunging with multiple names

Merge pull request #17008 from miodvallat/more_suspenders

auth: handle backend exceptions better during rectify

build(deps): bump pyasn1 in /regression-tests.dnsdist

Bumps [pyasn1](https://github.com/pyasn1/pyasn1) from 0.4.8 to 0.6.3.
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](https://github.com/pyasn1/pyasn1/compare/v0.4.8...v0.6.3)

---
updated-dependencies:
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #17007 from romeroalx/bump-version-actions

gh actions: upgrade actions to the most recent version

Merge pull request #17005 from omoerbeek/rec-rpz-skip-continue

rec: continue processing response Policies if a discarded policy is hit

Handle possible backend exceptions in DNSSECKeeper::rectifyZone().

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Do not leave dangling transactions if get() throws.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

feat(dnsdist): Log downstream removal

Closes: #17001

Merge pull request #17004 from miodvallat/lmdbetter

auth: minor lmdb fixes (for the 42nd time)

Merge pull request #16992 from rgacogne/ywh-141

Small cleanup of `EDNSSubnetOpts`

Merge pull request #16999 from omoerbeek/rec-getrr-checks

rec: more getRR return value checks

Use the serializing size constants, for readability.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Make sure local variable is always initialized.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Allow "pdnsutil backend-cmd backend" to return some help message.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

When replacing an rrset, correctly delete any ENT entries.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

rec: work on a copy of PolicyZoneData while building the new RPZ zone

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: more getRR return value checks

All cases of "cannot happen", but better safe than sorry

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16993 from rgacogne/rec-fix-auth-recs-serialization

rec: Fix serialization of cached authority records

gh actions: upgrade actions to the most recent version

Allow the LMDB domains table to be split, with the timestamps separate.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

build(deps): bump pyasn1 in /regression-tests.recursor-dnssec

Bumps [pyasn1](https://github.com/pyasn1/pyasn1) from 0.4.8 to 0.6.3.
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](https://github.com/pyasn1/pyasn1/compare/v0.4.8...v0.6.3)

---
updated-dependencies:
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16996 from rgacogne/ddist-fix-ot-closer--assertion

dnsdist: Prevent copies of OT closers

dnsdist: Prevent copies of OT closers

Moving them is OK, duplicating them isn't otherwise we might close
the same span several times which is bad.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: Actually test the deserialized cache content in the unit test

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: Fix serialization of cached authority records

The type needs to be present in the protobuf output before
the content, otherwise we cannot decode the content properly
when deserializing.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

rec: estimate size and refuse to cache big negcache entries

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

rec: limit size of incoming web request.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16991 from pieterlexis/dnsdist-http11-505

fix(dnsdist): respond 505 to DoH HTTP/1.1 reqs

fix(dnsdist): respond 505 to DoH HTTP/1.1 reqs

Closes: #16990

rec: only check cookie if we sent one out (YWH-PGM6095-134)

A server might sent us a cookie when we diod not sent out one, leading
to a dereference of an absent optional value.

This is YWH-PGM6095-134

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16989 from PowerDNS/dependabot/pip/regression-tests.dnsdist/pyopenssl-26.0.0

build(deps): bump pyopenssl from 25.3.0 to 26.0.0 in /regression-tests.dnsdist

Merge pull request #16987 from miodvallat/tkeybored

[boring] Remove explicit constructor duplicating default initialization.

build(deps): bump pyopenssl in /regression-tests.dnsdist

Bumps [pyopenssl](https://github.com/pyca/pyopenssl) from 25.3.0 to 26.0.0.
- [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/pyopenssl/compare/25.3.0...26.0.0)

---
updated-dependencies:
- dependency-name: pyopenssl
  dependency-version: 26.0.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Remove explicit constructor duplicating default initialization.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16978 from jsoref/index-semicolon

Add semicolon

Clean `EDNSSubnetOpts::getFromString` up as well

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Small cleanup `EDNSSubnetOpts::makeOptString()`

The existing code was relying on implicit integer conversion rules,
which was correct but brittle, so let's explicitely check that the
source is non-zero.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16984 from miodvallat/doc510

auth: 5.1.0-alpha1 documentation and secpoll updates

Make upgrade title less confusing for alpha1.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Documentation and secpoll updates for 5.1.0-alpha1

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Put Pieter Lexis back in the developer gang member names.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

feat(dnsdist): Allow cache expunging by more names

Now one can pass a list of DNSNames or strings to `expungeByName`.

Closes: #7157

Merge pull request #16977 from miodvallat/wallet-rrtype

auth: Add support to the new WALLET RRType

Merge pull request #16477 from pieterlexis/ci-python-black

ci: Force python formatting with ruff

rec: Prevent null-pointer dereference in aggressive NSEC cache

This might happen if the zone is transitioning from NSEC to
NSEC3 just in the middle of the `getDenial` processing.

Reported in #YWH-PGM6095-135.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

chore: reformat all Python files with ruff

ci: Force python formatting with ruff

dnsdist: Rename a JS variable

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix HTML injection in the Web dashboard

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Clean up our JavaScript code

- Remove unused code
- Remove railing whitespaces
- Be more consistent

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16979 from rgacogne/ddist-fix-downstream-timeout-msg-verbosity

dnsdist: Downstream timeouts should be logged at verbose level

Merge pull request #16980 from rgacogne/ddist-update-quiche-0.26.1

dnsdist: Update Quiche to 0.26.1

dnsdist: Downstream timeouts should be logged at verbose level

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16973 from pieterlexis/dnsdist-ot-config

feat(dnsdist): Change OT Trace YAML config to a struct

Merge pull request #16741 from pieterlexis/dnsdist-ot-serverid-instance

feat(dnsdist): Add instance field to OT Trace messages

Merge pull request #16951 from pieterlexis/decryptus/master

auth: SortA API RRs by content if name and type are equal

feat(dnsdist): Change OT Trace YAML config to a struct

This'll allow us to add more trace feature configuration in the future
and it mirrors the `structured_logging` config.

Add semicolon

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Merge pull request #16974 from omoerbeek/rec-web-docs

docs: only expose web server on a as-needed basis

Document WALLET record type.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Add support to the new WALLET RRType.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

dnsdist: Update Quiche to 0.26.1

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Make this meson-build compatible

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16975 from omoerbeek/rel-workflows-update

GH workflows: Update to current release branch status

Also include auth and dnsdist

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Change default of new wipe flag to true

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Make the clearing of the packet cache configurable, defaulting to false

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Enable packet cache in test

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Wipe relevent packet cache entries on rpz (re)load

Only for qname matches!

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Client IP RPZ match should not result in packetcache insert

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Update to current release branch status

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Typo

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Some advice: only expose web server on a as-needed basis

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16966 from rgacogne/ddist210-beta2

dnsdist: Update ChangeLog and security polling zone for 2.1.0-beta2

Merge pull request #16944 from pieterlexis/dev-tasks

chore: Add invoke tasks to configure with meson for development

Merge pull request #16956 from miodvallat/neper

Remove error-prone logger interfaces

Merge pull request #16965 from rgacogne/auth-pp-buffer-size

auth: Use the proper size after processing a proxy protocol payload

Merge pull request #14057 from mind04/auth-catalog-cleanup

Auth: fix a crash and some cleanup in the auth-catalogzone.cc

Be less scary in logs

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>