base64: Use `unsigned` constants

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

base64: Wrap `BIO` objects in smart pointers

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Apply Miod's suggestion from code review

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16820 from miodvallat/banana_arrow

Stricter timestamp checks

Merge pull request #16756 from omoerbeek/rec-ot-instance

rec: harmonize with dnsdist PR #16741 wrt OpenTelemetry instance name

Merge pull request #16786 from omoerbeek/rec-ot-edns

Opentelemetry: add flags field in TRACEPARENT EDNS option

Perform stricter validation of timestamps.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

There are only 24 hours in a day, not 60.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16807 from clwluvw/default-soa-edit-api

auth: add default-soa-edit-api setting for API zone creation

Strongly suggest storing variants in the same backend as their regular zone.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Apply suggestions from code review

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Depending on openssl version, base 64 decode is more or less strict

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16812 from PowerDNS/dependabot/pip/regression-tests.dnsdist/protobuf-6.33.5

build(deps): bump protobuf from 6.33.4 to 6.33.5 in /regression-tests.dnsdist

Merge pull request #16811 from PowerDNS/dependabot/pip/docs/wheel-0.46.2

build(deps): bump wheel from 0.45.1 to 0.46.2 in /docs

Reformat

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

More (allocation) error checking fix a type

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

auth: add default-soa-edit-api setting for API zone creation

Add a configurable default-soa-edit-api setting that sets the
SOA-EDIT-API metadata for zones created via the API when the
zone creation request does not include the soa_edit_api field.

Signed-off-by: Seena Fallah <seenafallah@gmail.com>

Do not print recommendations if quiet.

There are people out there using shell scripts to make nails out of
pdnsutil, do not make pdnsutil output parsing more difficult.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Merge pull request #16810 from miodvallat/discount

auth: correctly compute DNSSEC public key exponent lengths when larger than 255

Merge pull request #16802 from rgacogne/ddist-quiche-congestion-bbr

dnsdist: Work around Quiche not dealing well with removed congestion algorithms

Merge pull request #16805 from rgacogne/ddist-nicer-b64-error

dnsdist: Better handling of invalid Base64 content

build(deps): bump protobuf in /regression-tests.dnsdist

Bumps [protobuf](https://github.com/protocolbuffers/protobuf) from 6.33.4 to 6.33.5.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

---
updated-dependencies:
- dependency-name: protobuf
  dependency-version: 6.33.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump wheel from 0.45.1 to 0.46.2 in /docs

Bumps [wheel](https://github.com/pypa/wheel) from 0.45.1 to 0.46.2.
- [Release notes](https://github.com/pypa/wheel/releases)
- [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
- [Commits](https://github.com/pypa/wheel/compare/0.45.1...0.46.2)

---
updated-dependencies:
- dependency-name: wheel
  dependency-version: 0.46.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16808 from PowerDNS/dependabot/cargo/pdns/recursordist/rec-rust-lib/rust/bytes-1.11.1

build(deps): bump bytes from 1.11.0 to 1.11.1 in /pdns/recursordist/rec-rust-lib/rust

Correctly compute public key exponent length when larger than 255.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

build(deps): bump bytes in /pdns/recursordist/rec-rust-lib/rust

Bumps [bytes](https://github.com/tokio-rs/bytes) from 1.11.0 to 1.11.1.
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](https://github.com/tokio-rs/bytes/compare/v1.11.0...v1.11.1)

---
updated-dependencies:
- dependency-name: bytes
  dependency-version: 1.11.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dnsdist: Enable ipcrypt2 w/ autotools in our CI

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Disable ipcrypt2 by default w/ autotools

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Do NOT add `c++` flags to `CPPFLAGS`

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix files order in the ipcrypt2 Makefile

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Better detection of whether ipcrypt2 will compile

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Disable `ipcrypt2` support when testing the "least" features set

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Add an option to disable ipcrypt2 w/ autotools

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

ext/ipcrypt2: Add missing softaes/untrinsics.h header

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Add a unit test for invalid Base64 content

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Cleanup of base64-related header and unit tests

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Better handling of invalid Base64 content

The existing code would throw an exception instead of returning
an error for some invalid content, which was harder to diagnose.

Reported by Surya Narayan Kushwaha (aka Cavid), thanks!

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

keyroller: remove Pipfile and require requirements.txt only to avoid conflicts

Merge pull request #16799 from rgacogne/update-ipcrypt2

dnsdist: Update ipcrypt2 to 1.1.10 + 1 commit

dnsdist: Add a regression test for the `bbr` congestion algo removed by Quiche

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Switch to cubic as default congestion algo for QUIC

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Work around Quiche not dealing well with removed congestion algorithms

See https://github.com/cloudflare/quiche/issues/2342

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16801 from sskender/master

docs: Fix grammar in running description

docs: Fix grammar in running description

Merge pull request #16800 from zeha/dnsdistspoof

dnsdist: SpoofAction: clarify what gets spoofed

dnsdist: SpoofAction: clarify what gets spoofed

Signed-off-by: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>

ext/ipcrypt2: Add missing softaes/untrinsics.h header

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

ext/ipcrypt2: Update to `70a4daf` (1.1.10 plus 1 commit)

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16798 from hhoffstaette/no-yml-plz

dnsdist: Only install dnsdist.yml-dist if yaml support was enabled

dnsdist: Only install dnsdist.yml-dist if yaml support was enabled

Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>

feat(dnsdist): Add `prepend` and `append` methods to Lua DNSName

Merge pull request #16793 from rgacogne/ddist-do-not-install-dnsdist-yml

dnsdist: Do not create `dnsdist.yml` in RPM system configuration directory

dnsdist: Do not create `dnsdist.yml` in RPM system configuration directory

DNSdist now looks for a `dnsdist.yml` file first, which means that any
existing `dnsdist.conf` would no longer be taken into account if we create
a default `dnsdist.yml`. Let's install a sample YAML configuration file
in `dnsdist.yml-dist` instead.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16782 from rgacogne/ddist-210-a1

dnsdist: Update security polling zone and ChangeLog for 2.1.0-alpha1

dnsdist: Fix missing tag in 2.1.0-alpha1 changelog

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix release date in 2.1.0-alpha1 changelog

Co-authored-by: Miod Vallat <miod.vallat@powerdns.com>
Signed-off-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix yet another spelling issue

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix spelling issues

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Update security polling zone and ChangeLog for 2.1.0-alpha1

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16790 from miodvallat/nopei-key

auth, rec: No longer allow passing the api-key as a query argument

No longer allow passing the api-key as a query argument.

This feature had never been documented anyway and is considered bad security
practice nowadays.

Fixes: #16785
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

Fix dnsdist regression test, spanid is now mandatory and flags was added as well

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16779 from rgacogne/ddist-remove-debian-fixperms-override

dnsdist: Stop overriding `dh_fixperms` in Deb packages

Fix regression tests to new full mandatory EDNS option

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Rename option to TRACEPARENT

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Add basic tests of EDNSOTTraceRecord and EDNSOTTraceRecordView

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Stop overriding `dh_fixperms` in Deb packages

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16784 from omoerbeek/rec-coverity-20260127

rec: Coverity 1644498 Variable copied when it could be moved

rec: Coverity 1644498 Variable copied when it could be moved

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Consistent naming

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Handle the new flag field addition to the EDNS option record

While there, fix an out of bounds access for an incomplete spanID.

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Merge pull request #16775 from omoerbeek/rec-prep-5.4.0-beta1

rec: prep for rec-5.4.0-beta1

Merge pull request #16777 from rgacogne/ddist-mention-lua-yaml-file-in-upgrade-nots

dnsdist: Mention that Lua files might get loaded in the upgrade notes

Merge pull request #16776 from pieterlexis/dnsdist-reformat

chore(dnsdist): Format all dnsdist files

dnsdist: Mention that Lua files might get loaded in the upgrade notes

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

chore(dnsdist): Format all dnsdist files

Merge pull request #16768 from rgacogne/and-in-the-darkness-bind-them

dnsdist: Implement sampling in our in-memory ring buffers

Prep for rec-5.4.0-beta1

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Move sampling-related Ring methods to header

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16770 from PowerDNS/dependabot/pip/modules/remotebackend/wheel-0.46.2

build(deps): bump wheel from 0.45.1 to 0.46.2 in /modules/remotebackend

build(deps): bump wheel from 0.45.1 to 0.46.2 in /modules/remotebackend

Bumps [wheel](https://github.com/pypa/wheel) from 0.45.1 to 0.46.2.
- [Release notes](https://github.com/pypa/wheel/releases)
- [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
- [Commits](https://github.com/pypa/wheel/compare/0.45.1...0.46.2)

---
updated-dependencies:
- dependency-name: wheel
  dependency-version: 0.46.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16774 from PowerDNS/dependabot/pip/pdns/wheel-0.46.2

build(deps): bump wheel from 0.45.1 to 0.46.2 in /pdns

dnsdist: Disable cross-origin HTTP requests by default

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16769 from rgacogne/ddist-lock-ot-data

dnsdist: Protect more OT Tracer data behind the lock

build(deps): bump wheel from 0.45.1 to 0.46.2 in /pdns

Bumps [wheel](https://github.com/pypa/wheel) from 0.45.1 to 0.46.2.
- [Release notes](https://github.com/pypa/wheel/releases)
- [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
- [Commits](https://github.com/pypa/wheel/compare/0.45.1...0.46.2)

---
updated-dependencies:
- dependency-name: wheel
  dependency-version: 0.46.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #16767 from jsoref/dependabot-matchers

Add dependabot problem matchers

Merge pull request #16771 from rgacogne/ddist-update-quiche-0.24.8

dnsdist: Update Quiche to 0.24.8

Merge pull request #16765 from rgacogne/ddist-sl-fixes

dnsdist: Structured logging fixes

Merge pull request #16709 from omoerbeek/rec-lua-yaml-conf

rec: handle applicable dynamic parts of YAML only config when reloading Lua config

Merge pull request #16710 from pieterlexis/rec-ywh-PGM6095-53-SVCB-Params

Fix: harden SVCB record parsing

Merge pull request #16773 from omoerbeek/rec-docs-nits

rec docs: two nits

rec docs: two nits

Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

Apply suggestions from code review

Co-authored-by: Remi Gacogne <github@coredump.fr>
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>

dnsdist: Update Quiche to 0.24.8

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: "Fix" formatting

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Protect more OT Tracer data behind the lock

I was investigating a crash that occurred on our CI:

```
2026-01-23T14:33:07.1755774Z === configs/dnsdist_TestOpenTelemetryTracingStripIncomingTraceParent.log ===
2026-01-23T14:33:07.1757303Z msg="dnsdist 0.0.0-git1 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2" subsystem="setup" level="0" prio="Info" ts="1769178505.183"
2026-01-23T14:33:07.1758153Z msg="Raised send buffer size" subsystem="setup" level="0" prio="Info" ts="1769178505.203" frontend.address="127.0.0.1:14303" network.send_buffer_size="212992"
2026-01-23T14:33:07.1758909Z msg="Raised receive buffer size" subsystem="setup" level="0" prio="Info" ts="1769178505.203" buffer_size="1048576" frontend.address="127.0.0.1:14303"
2026-01-23T14:33:07.1759563Z msg="Listening on Do53 frontend" subsystem="setup" level="0" prio="Info" ts="1769178505.203" frontend.address="127.0.0.1:14303"
2026-01-23T14:33:07.1760608Z msg="Allowing queries from" subsystem="setup" level="0" prio="Info" ts="1769178505.204" acl="10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, ::1/128, fc00::/7, fe80::/10"
2026-01-23T14:33:07.1761243Z msg="Allowing console connections from" subsystem="setup" level="0" prio="Info" ts="1769178505.204" acl="127.0.0.0/8, ::1/128"
2026-01-23T14:33:07.1762396Z msg="Setting initial status for backend" subsystem="backend" level="0" prio="Info" ts="1769178505.209" backend.address="127.0.0.1:14002" backend.health_check.status="up" backend.name="" backend.protocol="DoUDP"
2026-01-23T14:33:07.1763777Z dnsdist: ../../../../../../tmp/dnsdist-meson-dist-build/meson-dist/dnsdist-0.0.0-git1/dnsdist-opentelemetry.cc:168: void pdns::trace::dnsdist::Tracer::closeSpan(const SpanID &): Assertion `d_spanIDStack.back() == spanID' failed.
```

While trying to work out how this condition could fail, I quickly realized
it was hard for me to follow which fields were protected behind a lock and
which weren't, and in some cases it looked like there could be a race.
Since performance is not critical in this code, and I would rather trade
correctness for performance whenever possible anyway, this commit is
moving all the related fields behind the lock.
It might or might not fix the issue, as I haven't been able to reproduce it
yet, but in any case I believe it will make it easier to reason about it.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

dnsdist: Fix indentation

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

Merge pull request #16757 from PowerDNS/dependabot/pip/regression-tests.ixfrdist/wheel-0.46.2

build(deps): bump wheel from 0.45.1 to 0.46.2 in /regression-tests.ixfrdist

Merge pull request #16758 from PowerDNS/dependabot/pip/regression-tests.dnsdist/wheel-0.46.2

build(deps): bump wheel from 0.45.1 to 0.46.2 in /regression-tests.dnsdist

Merge pull request #16759 from PowerDNS/dependabot/pip/regression-tests.api/wheel-0.46.2

build(deps): bump wheel from 0.45.1 to 0.46.2 in /regression-tests.api