Version in base suite: 4.8.4-1
Version in overlay suite: 4.8.7-1

Base version: pdns-recursor_4.8.7-1
Target version: pdns-recursor_4.8.8-1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pdns-recursor/pdns-recursor_4.8.7-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pdns-recursor/pdns-recursor_4.8.8-1.dsc

 configure               |   20 ++--
 configure.ac            |    2 
 debian/changelog        |    8 +
 effective_tld_names.dat |  215 ++++++++++++++++++++++++++++++++----------------
 pdns_recursor.1         |    2 
 pubsuffix.cc            |  121 +++++++++++++++------------
 rec_control.1           |    2 
 syncres.cc              |    5 -
 test-syncres_cc1.cc     |   48 ++++++++++
 9 files changed, 290 insertions(+), 133 deletions(-)

diff -Nru pdns-recursor-4.8.7/configure pdns-recursor-4.8.8/configure
--- pdns-recursor-4.8.7/configure	2024-03-06 13:48:46.000000000 +0000
+++ pdns-recursor-4.8.8/configure	2024-04-24 09:33:56.000000000 +0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for pdns-recursor 4.8.7.
+# Generated by GNU Autoconf 2.69 for pdns-recursor 4.8.8.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='pdns-recursor'
 PACKAGE_TARNAME='pdns-recursor'
-PACKAGE_VERSION='4.8.7'
-PACKAGE_STRING='pdns-recursor 4.8.7'
+PACKAGE_VERSION='4.8.8'
+PACKAGE_STRING='pdns-recursor 4.8.8'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1552,7 +1552,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures pdns-recursor 4.8.7 to adapt to many kinds of systems.
+\`configure' configures pdns-recursor 4.8.8 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1623,7 +1623,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of pdns-recursor 4.8.7:";;
+     short | recursive ) echo "Configuration of pdns-recursor 4.8.8:";;
    esac
   cat <<\_ACEOF
 
@@ -1810,7 +1810,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-pdns-recursor configure 4.8.7
+pdns-recursor configure 4.8.8
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2569,7 +2569,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by pdns-recursor $as_me 4.8.7, which was
+It was created by pdns-recursor $as_me 4.8.8, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3437,7 +3437,7 @@
 
 # Define the identity of the package.
  PACKAGE='pdns-recursor'
- VERSION='4.8.7'
+ VERSION='4.8.8'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -28252,7 +28252,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by pdns-recursor $as_me 4.8.7, which was
+This file was extended by pdns-recursor $as_me 4.8.8, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -28318,7 +28318,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-pdns-recursor config.status 4.8.7
+pdns-recursor config.status 4.8.8
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru pdns-recursor-4.8.7/configure.ac pdns-recursor-4.8.8/configure.ac
--- pdns-recursor-4.8.7/configure.ac	2024-03-06 13:48:40.000000000 +0000
+++ pdns-recursor-4.8.8/configure.ac	2024-04-24 09:33:50.000000000 +0000
@@ -1,6 +1,6 @@
 AC_PREREQ([2.69])
 
-AC_INIT([pdns-recursor], [4.8.7])
+AC_INIT([pdns-recursor], [4.8.8])
 AC_CONFIG_AUX_DIR([build-aux])
 AM_INIT_AUTOMAKE([foreign dist-bzip2 no-dist-gzip tar-ustar -Wno-portability subdir-objects parallel-tests 1.11])
 AM_SILENT_RULES([yes])
diff -Nru pdns-recursor-4.8.7/debian/changelog pdns-recursor-4.8.8/debian/changelog
--- pdns-recursor-4.8.7/debian/changelog	2024-03-17 16:21:52.000000000 +0000
+++ pdns-recursor-4.8.8/debian/changelog	2024-04-25 06:22:09.000000000 +0000
@@ -1,3 +1,11 @@
+pdns-recursor (4.8.8-1) bookworm-security; urgency=medium
+
+  * New upstream version 4.8.8
+    * Fixes CVE-2024-25583, see
+      https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-02.html
+
+ -- Chris Hofstaedtler <zeha@debian.org>  Thu, 25 Apr 2024 08:22:09 +0200
+
 pdns-recursor (4.8.7-1) bookworm-security; urgency=medium
 
   * New upstream version 4.8.7
diff -Nru pdns-recursor-4.8.7/effective_tld_names.dat pdns-recursor-4.8.8/effective_tld_names.dat
--- pdns-recursor-4.8.7/effective_tld_names.dat	2024-03-06 13:49:35.000000000 +0000
+++ pdns-recursor-4.8.8/effective_tld_names.dat	2024-04-24 09:34:44.000000000 +0000
@@ -6710,7 +6710,7 @@
 
 // newGTLDs
 
-// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2024-02-08T15:13:14Z
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2024-03-28T15:13:37Z
 // This list is auto-generated, don't edit it manually.
 // aaa : American Automobile Association, Inc.
 // https://www.iana.org/domains/root/db/aaa.html
@@ -6988,10 +6988,6 @@
 // https://www.iana.org/domains/root/db/autos.html
 autos
 
-// avianca : Avianca Inc.
-// https://www.iana.org/domains/root/db/avianca.html
-avianca
-
 // aws : AWS Registry LLC
 // https://www.iana.org/domains/root/db/aws.html
 aws
@@ -8356,10 +8352,6 @@
 // https://www.iana.org/domains/root/db/group.html
 group
 
-// guardian : The Guardian Life Insurance Company of America
-// https://www.iana.org/domains/root/db/guardian.html
-guardian
-
 // gucci : Guccio Gucci S.p.a.
 // https://www.iana.org/domains/root/db/gucci.html
 gucci
@@ -12084,6 +12076,7 @@
 
 // AVM : https://avm.de
 // Submitted by Andreas Weise <a.weise@avm.de>
+myfritz.link
 myfritz.net
 
 // AVStack Pte. Ltd. : https://avstack.io
@@ -12361,6 +12354,12 @@
 r2.dev
 workers.dev
 
+// cloudscale.ch AG : https://www.cloudscale.ch/
+// Submitted by Gaudenz Steinlin <support@cloudscale.ch>
+cust.cloudscale.ch
+objects.lpg.cloudscale.ch
+objects.rma.cloudscale.ch
+
 // Clovyr : https://clovyr.io
 // Submitted by Patrick Nielsen <patrick@clovyr.io>
 wnext.app
@@ -12378,22 +12377,33 @@
 
 // CDN77.com : http://www.cdn77.com
 // Submitted by Jan Krpes <jan.krpes@cdn77.com>
-c.cdn77.org
+cdn77-storage.com
+rsc.contentproxy9.cz
 cdn77-ssl.net
 r.cdn77.net
-rsc.cdn77.org
 ssl.origin.cdn77-secure.org
+c.cdn77.org
+rsc.cdn77.org
 
 // Cloud DNS Ltd : http://www.cloudns.net
-// Submitted by Aleksander Hristov <noc@cloudns.net>
+// Submitted by Aleksander Hristov <noc@cloudns.net> & Boyan Peychev <boyan@cloudns.net>
 cloudns.asia
+cloudns.be
 cloudns.biz
-cloudns.club
 cloudns.cc
+cloudns.ch
+cloudns.cl
+cloudns.club
+dnsabr.com
+cloudns.cx
 cloudns.eu
 cloudns.in
 cloudns.info
+dns-cloud.net
+dns-dynamic.net
+cloudns.nz
 cloudns.org
+cloudns.ph
 cloudns.pro
 cloudns.pw
 cloudns.us
@@ -12406,6 +12416,11 @@
 // Submitted by Moritz Marquardt <git@momar.de>
 codeberg.page
 
+// CodeSandbox B.V. : https://codesandbox.io
+// Submitted by Ives van Hoorne <abuse@codesandbox.io>
+csb.app
+preview.csb.app
+
 // CoDNS B.V.
 co.nl
 co.no
@@ -12524,6 +12539,7 @@
 // Dark, Inc. : https://darklang.com
 // Submitted by Paul Biggar <ops@darklang.com>
 builtwithdark.com
+darklang.io
 
 // DataDetect, LLC. : https://datadetect.com
 // Submitted by Andrew Banchich <abanchich@sceven.com>
@@ -12922,6 +12938,10 @@
 // Submitted by Robin H. Johnson <psl-maintainers@digitalocean.com>
 *.digitaloceanspaces.com
 
+// DigitalPlat : https://www.digitalplat.org/
+// Submitted by Edward Hsing <contact@digitalplat.org>
+us.kg
+
 // dnstrace.pro : https://dnstrace.pro/
 // Submitted by Chris Partridge <chris@partridge.tech>
 bci.dnstrace.pro
@@ -12963,6 +12983,14 @@
 // Submitted by <infracloudteam@namecheap.com>
 *.ewp.live
 
+// Electromagnetic Field : https://www.emfcamp.org
+// Submitted by <noc@emfcamp.org>
+at.emf.camp
+
+// Elefunc, Inc. : https://elefunc.com
+// Submitted by Cetin Sert <domains@elefunc.com>
+rt.ht
+
 // Elementor : Elementor Ltd.
 // Submitted by Anton Barkan <antonb@elementor.com>
 elementor.cloud
@@ -13254,7 +13282,8 @@
 id.forgerock.io
 
 // Framer : https://www.framer.com
-// Submitted by Koen Rouwhorst <koenrh@framer.com>
+// Submitted by Koen Rouwhorst <security@framer.com>
+framer.ai
 framer.app
 framercanvas.com
 framer.media
@@ -13295,6 +13324,24 @@
 // Submitted by Daniel A. Maierhofer <vorstand@funkfeuer.at>
 wien.funkfeuer.at
 
+// Future Versatile Group. ：https://www.fvg-on.net/
+// T.Kabu <webmaster@fvg-on.net>
+daemon.asia
+dix.asia
+mydns.bz
+0am.jp
+0g0.jp
+0j0.jp
+0t0.jp
+mydns.jp
+pgw.jp
+wjg.jp
+keyword-on.net
+live-on.net
+server-on.net
+mydns.tw
+mydns.vc
+
 // Futureweb GmbH : https://www.futureweb.at
 // Submitted by Andreas Schnederle-Wagner <schnederle@futureweb.at>
 *.futurecms.at
@@ -13338,6 +13385,12 @@
 lab.ms
 cdn-edges.net
 
+// Getlocalcert: https://www.getlocalcert.net
+// Submitted by Robert Alexander <support@getlocalcert.net>
+localcert.net
+localhostcert.net
+corpnet.work
+
 // Ghost Foundation : https://ghost.org
 // Submitted by Matt Hanley <security@ghost.org>
 ghost.io
@@ -13484,6 +13537,10 @@
 zombie.jp
 heteml.net
 
+// GoDaddy Registry : https://registry.godaddy
+// Submitted by Rohan Durrant <tldns@registry.godaddy>
+graphic.design
+
 // GOV.UK Platform as a Service : https://www.cloud.service.gov.uk/
 // Submitted by Tom Whitwell <gov-uk-paas-support@digital.cabinet-office.gov.uk>
 cloudapps.digital
@@ -13603,6 +13660,10 @@
 // Submitted by <domeinnaam@minaz.nl>
 gov.nl
 
+// GrayJay Web Solutions Inc. : https://grayjaysports.ca
+// Submitted by Matt Yamkowy <info@grayjaysports.ca>
+grayjayleagues.com
+
 // Group 53, LLC : https://www.group53.com
 // Submitted by Tyler Todd <noc@nova53.net>
 awsmppl.com
@@ -13637,6 +13698,11 @@
 // Submitted by Richard Zowalla <mi-admin@hs-heilbronn.de>
 pages.it.hs-heilbronn.de
 
+// Helio Networks : https://heliohost.org
+// Submitted by Ben Frede <admin@heliohost.org>
+helioho.st
+heliohost.us
+
 // Hepforge : https://www.hepforge.org
 // Submitted by David Grellscheid <admin@hepforge.org>
 hepforge.org
@@ -13650,7 +13716,6 @@
 // Submitted by Oren Eini <oren@ravendb.net>
 ravendb.cloud
 ravendb.community
-ravendb.me
 development.run
 ravendb.run
 
@@ -13741,7 +13806,7 @@
 info.at
 
 // info.cx : http://info.cx
-// Submitted by Jacob Slater <whois@igloo.to>
+// Submitted by June Slater <whois@igloo.to>
 info.cx
 
 // Interlegis : http://www.interlegis.leg.br
@@ -13790,6 +13855,14 @@
 // Submitted by Matthew Hardeman <mhardeman@ipifony.com>
 ipifony.net
 
+// is-a.dev : https://www.is-a.dev
+// Submitted by William Harrison <admin@maintainers.is-a.dev>
+is-a.dev
+
+// ir.md : https://nic.ir.md
+// Submitted by Ali Soizi <info@nic.ir.md>
+ir.md
+
 // IServ GmbH : https://iserv.de
 // Submitted by Mario Hoberg <info@iserv.de>
 iservschule.de
@@ -13898,6 +13971,11 @@
 // Submitted by Daniel Fariña <ingenieria@jotelulu.com>
 jotelulu.cloud
 
+// JouwWeb B.V. : https://www.jouwweb.nl
+// Submitted by Camilo Sperberg <tech@webador.com>
+jouwweb.site
+webadorsite.com
+
 // Joyent : https://www.joyent.com/
 // Submitted by Brian Bennett <brian.bennett@joyent.com>
 *.triton.zone
@@ -13971,6 +14049,10 @@
 // Submitted by Lelux Admin <publisuffix@lelux.site>
 lelux.site
 
+// Libre IT Ltd : https://libre.nz
+// Submitted by Tomas Maggio <support@libre.nz>
+runcontainers.dev
+
 // Lifetime Hosting : https://Lifetime.Hosting/
 // Submitted by Mike Fillator <support@lifetime.hosting>
 co.business
@@ -14145,7 +14227,6 @@
 // Managed by Corporate Domains
 // Microsoft Azure : https://home.azure
 *.azurecontainer.io
-*.cloudapp.azure.com
 azure-api.net
 azureedge.net
 azurefd.net
@@ -14252,13 +14333,18 @@
 torun.pl
 
 // Nimbus Hosting Ltd. : https://www.nimbushosting.co.uk/
-// Submitted by Nicholas Ford <nick@nimbushosting.co.uk>
+// Submitted by Nicholas Ford <dev@nimbushosting.co.uk>
 nh-serv.co.uk
+nimsite.uk
 
 // NFSN, Inc. : https://www.NearlyFreeSpeech.NET/
 // Submitted by Jeff Wheelhouse <support@nearlyfreespeech.net>
 nfshost.com
 
+// NFT.Storage : https://nft.storage/
+// Submitted by Vasco Santos <vasco.santos@protocol.ai> or <support@nft.storage>
+ipfs.nftstorage.link
+
 // Noop : https://noop.app
 // Submitted by Nathaniel Schweinberg <noop@rearc.io>
 *.developer.app
@@ -14438,7 +14524,6 @@
 123minsida.se
 123miweb.es
 123paginaweb.pt
-123sait.ru
 123siteweb.fr
 123webseite.at
 123webseite.de
@@ -14456,6 +14541,13 @@
 // Submitted by Eddie Jones <eddie@onefoldmedia.com>
 nid.io
 
+// Open Domains : https://open-domains.net
+// Submitted by William Harrison <admin@open-domains.net>
+is-cool.dev
+is-not-a.dev
+localplayer.dev
+is-local.org
+
 // Open Social : https://www.getopensocial.com/
 // Submitted by Alexander Varwijk <security@getopensocial.com>
 opensocial.site
@@ -14476,6 +14568,11 @@
 // Submitted by Alexandre Linte <alexandre.linte@orange.com>
 tech.orange
 
+// OsSav Technology Ltd. : https://ossav.com/
+// TLD Nic: http://nic.can.re - TLD Whois Server: whois.can.re
+// Submitted by OsSav Technology Ltd. <support@ossav.com>
+can.re
+
 // Oursky Limited : https://authgear.com/, https://skygear.io/
 // Submitted by Authgear Team <hello@authgear.com>, Skygear Developer <hello@skygear.io>
 authgear-staging.com
@@ -14526,10 +14623,10 @@
 
 // pcarrier.ca Software Inc: https://pcarrier.ca/
 // Submitted by Pierre Carrier <pc@rrier.ca>
-bar0.net
-bar1.net
-bar2.net
-rdv.to
+*.xmit.co
+srv.us
+gh.srv.us
+gl.srv.us
 
 // .pl domains (grandfathered)
 art.pl
@@ -14687,9 +14784,12 @@
 *.sys.qcx.io
 
 // QNAP System Inc : https://www.qnap.com
-// Submitted by Nick Chang <nickchang@qnap.com>
-dev-myqnapcloud.com
+// Submitted by Nick Chang <cloudadmin@qnap.com>
+myqnapcloud.cn
 alpha-myqnapcloud.com
+dev-myqnapcloud.com
+mycloudnas.com
+mynascloud.com
 myqnapcloud.com
 
 // Quip : https://quip.com
@@ -14919,6 +15019,10 @@
 // Submitted by Shante Adam <shante@skyhat.io>
 scrysec.com
 
+// Scrypted : https://scrypted.app
+// Submitted by Koushik Dutta <public-suffix-list@scrypted.app>
+client.scrypted.io
+
 // Securepoint GmbH : https://www.securepoint.de
 // Submitted by Erik Anders <erik.anders@securepoint.de>
 firewall-gateway.com
@@ -15028,9 +15132,9 @@
 vp4.me
 
 // Snowflake Inc : https://www.snowflake.com/
-// Submitted by Faith Olapade <faith.olapade@snowflake.com>
-snowflake.app
-privatelink.snowflake.app
+// Submitted by Sam Haar <psl@snowflake.com>
+*.snowflake.app
+*.privatelink.snowflake.app
 streamlit.app
 streamlitapp.com
 
@@ -15042,6 +15146,12 @@
 // Submitted by Drew DeVault <sir@cmpwn.com>
 srht.site
 
+// StackBlitz : https://stackblitz.com
+// Submitted by Dominic Elm <hello@stackblitz.com>
+w-corp-staticblitz.com
+w-credentialless-staticblitz.com
+w-staticblitz.com
+
 // Stackhero : https://www.stackhero.io
 // Submitted by Adrien Gillon <adrien+public-suffix-list@stackhero.io>
 stackhero-network.com
@@ -15343,6 +15453,10 @@
 // Submitted by ITComdomains <to@it.com>
 it.com
 
+// Unison Computing, PBC : https://unison.cloud
+// Submitted by Simon Højberg <security@unison.cloud>
+unison-services.cloud
+
 // UNIVERSAL DOMAIN REGISTRY : https://www.udr.org.yt/
 // see also: whois -h whois.udr.org.yt help
 // Submitted by Atanunu Igbunuroghene <publicsuffixlist@udr.org.yt>
@@ -15392,47 +15506,6 @@
 // Submitted by Nathan van Bakel <info@voorloper.com>
 voorloper.cloud
 
-// Voxel.sh DNS : https://voxel.sh/dns/
-// Submitted by Mia Rehlinger <dns@voxel.sh>
-neko.am
-nyaa.am
-be.ax
-cat.ax
-es.ax
-eu.ax
-gg.ax
-mc.ax
-us.ax
-xy.ax
-nl.ci
-xx.gl
-app.gp
-blog.gt
-de.gt
-to.gt
-be.gy
-cc.hn
-io.kg
-jp.kg
-tv.kg
-uk.kg
-us.kg
-de.ls
-at.md
-de.md
-jp.md
-to.md
-indie.porn
-vxl.sh
-ch.tc
-me.tc
-we.tc
-nyan.to
-at.vg
-blog.vu
-dev.vu
-me.vu
-
 // V.UA Domain Administrator : https://domain.v.ua/
 // Submitted by Serhii Rostilo <sergey@rostilo.kiev.ua>
 v.ua
@@ -15461,6 +15534,10 @@
 bookonline.app
 hotelwithflight.com
 
+// WebWaddle Ltd: https://webwaddle.com/
+// Submitted by Merlin Glander <hostmaster@webwaddle.com>
+*.wadl.top
+
 // WeDeploy by Liferay, Inc. : https://www.wedeploy.com
 // Submitted by Henrique Vicente <security@wedeploy.com>
 wedeploy.io
diff -Nru pdns-recursor-4.8.7/pdns_recursor.1 pdns-recursor-4.8.8/pdns_recursor.1
--- pdns-recursor-4.8.7/pdns_recursor.1	2024-03-06 13:49:35.000000000 +0000
+++ pdns-recursor-4.8.8/pdns_recursor.1	2024-04-24 09:34:43.000000000 +0000
@@ -27,7 +27,7 @@
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "PDNS_RECURSOR" "1" "Mar 06, 2024" "" "PowerDNS Recursor"
+.TH "PDNS_RECURSOR" "1" "Apr 24, 2024" "" "PowerDNS Recursor"
 .SH NAME
 pdns_recursor \- The PowerDNS Recursor binary
 .SH SYNOPSIS
diff -Nru pdns-recursor-4.8.7/pubsuffix.cc pdns-recursor-4.8.8/pubsuffix.cc
--- pdns-recursor-4.8.7/pubsuffix.cc	2024-03-06 13:49:35.000000000 +0000
+++ pdns-recursor-4.8.8/pubsuffix.cc	2024-04-24 09:34:44.000000000 +0000
@@ -5780,6 +5780,7 @@
 "cdn.prod.atlassian-dev.net",
 "translated.page",
 "autocode.dev",
+"myfritz.link",
 "myfritz.net",
 "onavstack.net",
 "ecommerce-shop.pl",
@@ -5890,27 +5891,43 @@
 "pages.dev",
 "r2.dev",
 "workers.dev",
+"cust.cloudscale.ch",
+"objects.lpg.cloudscale.ch",
+"objects.rma.cloudscale.ch",
 "wnext.app",
 "co.ca",
 "co.cz",
-"c.cdn77.org",
+"cdn77-storage.com",
+"rsc.contentproxy9.cz",
 "cdn77-ssl.net",
 "r.cdn77.net",
-"rsc.cdn77.org",
 "ssl.origin.cdn77-secure.org",
+"c.cdn77.org",
+"rsc.cdn77.org",
 "cloudns.asia",
+"cloudns.be",
 "cloudns.biz",
-"cloudns.club",
 "cloudns.cc",
+"cloudns.ch",
+"cloudns.cl",
+"cloudns.club",
+"dnsabr.com",
+"cloudns.cx",
 "cloudns.eu",
 "cloudns.in",
 "cloudns.info",
+"dns-cloud.net",
+"dns-dynamic.net",
+"cloudns.nz",
 "cloudns.org",
+"cloudns.ph",
 "cloudns.pro",
 "cloudns.pw",
 "cloudns.us",
 "cnpy.gdn",
 "codeberg.page",
+"csb.app",
+"preview.csb.app",
 "co.nl",
 "co.no",
 "webhosting.be",
@@ -5959,6 +5976,7 @@
 "store.dk",
 "dyndns.dappnode.io",
 "builtwithdark.com",
+"darklang.io",
 "demo.datadetect.com",
 "instance.datadetect.com",
 "edgestack.me",
@@ -6277,6 +6295,7 @@
 "definima.net",
 "definima.io",
 "ondigitalocean.app",
+"us.kg",
 "bci.dnstrace.pro",
 "ddnsfree.com",
 "ddnsgeek.com",
@@ -6299,6 +6318,8 @@
 "e4.cz",
 "easypanel.app",
 "easypanel.host",
+"at.emf.camp",
+"rt.ht",
 "elementor.cloud",
 "elementor.cool",
 "en-root.fr",
@@ -6500,6 +6521,7 @@
 "flynnhosting.net",
 "forgeblocks.com",
 "id.forgerock.io",
+"framer.ai",
 "framer.app",
 "framercanvas.com",
 "framer.media",
@@ -6517,6 +6539,21 @@
 "freedesktop.org",
 "freemyip.com",
 "wien.funkfeuer.at",
+"daemon.asia",
+"dix.asia",
+"mydns.bz",
+"0am.jp",
+"0g0.jp",
+"0j0.jp",
+"0t0.jp",
+"mydns.jp",
+"pgw.jp",
+"wjg.jp",
+"keyword-on.net",
+"live-on.net",
+"server-on.net",
+"mydns.tw",
+"mydns.vc",
 "futurehosting.at",
 "futuremailing.at",
 "aliases121.com",
@@ -6536,6 +6573,9 @@
 "gentlentapis.com",
 "lab.ms",
 "cdn-edges.net",
+"localcert.net",
+"localhostcert.net",
+"corpnet.work",
 "ghost.io",
 "gsj.bz",
 "githubusercontent.com",
@@ -6655,6 +6695,7 @@
 "whitesnow.jp",
 "zombie.jp",
 "heteml.net",
+"graphic.design",
 "cloudapps.digital",
 "london.cloudapps.digital",
 "pymnt.uk",
@@ -6748,6 +6789,7 @@
 "blogspot.vn",
 "goupile.fr",
 "gov.nl",
+"grayjayleagues.com",
 "awsmppl.com",
 "fin.ci",
 "free.hr",
@@ -6760,12 +6802,13 @@
 "hasura.app",
 "hasura-app.io",
 "pages.it.hs-heilbronn.de",
+"helioho.st",
+"heliohost.us",
 "hepforge.org",
 "herokuapp.com",
 "herokussl.com",
 "ravendb.cloud",
 "ravendb.community",
-"ravendb.me",
 "development.run",
 "ravendb.run",
 "homesklep.pl",
@@ -6837,6 +6880,8 @@
 "na4u.ru",
 "iopsys.se",
 "ipifony.net",
+"is-a.dev",
+"ir.md",
 "iservschule.de",
 "mein-iserv.de",
 "schulplattform.de",
@@ -6926,6 +6971,8 @@
 "mircloud.us",
 "myjino.ru",
 "jotelulu.cloud",
+"jouwweb.site",
+"webadorsite.com",
 "js.org",
 "kaas.gg",
 "khplay.nl",
@@ -6950,6 +6997,7 @@
 "lpages.co",
 "lpusercontent.com",
 "lelux.site",
+"runcontainers.dev",
 "co.business",
 "co.education",
 "co.events",
@@ -7092,7 +7140,9 @@
 "ngrok.pro",
 "torun.pl",
 "nh-serv.co.uk",
+"nimsite.uk",
 "nfshost.com",
+"ipfs.nftstorage.link",
 "noop.app",
 "noticeable.news",
 "dnsking.ch",
@@ -7222,7 +7272,6 @@
 "123minsida.se",
 "123miweb.es",
 "123paginaweb.pt",
-"123sait.ru",
 "123siteweb.fr",
 "123webseite.at",
 "123webseite.de",
@@ -7236,11 +7285,16 @@
 "simplesite.gr",
 "simplesite.pl",
 "nid.io",
+"is-cool.dev",
+"is-not-a.dev",
+"localplayer.dev",
+"is-local.org",
 "opensocial.site",
 "opencraft.hosting",
 "orsites.com",
 "operaunite.com",
 "tech.orange",
+"can.re",
 "authgear-staging.com",
 "authgearapps.com",
 "skygearapp.com",
@@ -7252,10 +7306,9 @@
 "pgfog.com",
 "pagefrontapp.com",
 "pagexl.com",
-"bar0.net",
-"bar1.net",
-"bar2.net",
-"rdv.to",
+"srv.us",
+"gh.srv.us",
+"gl.srv.us",
 "art.pl",
 "gliwice.pl",
 "krakow.pl",
@@ -7308,8 +7361,11 @@
 "ras.ru",
 "qa2.com",
 "qcx.io",
-"dev-myqnapcloud.com",
+"myqnapcloud.cn",
 "alpha-myqnapcloud.com",
+"dev-myqnapcloud.com",
+"mycloudnas.com",
+"mynascloud.com",
 "myqnapcloud.com",
 "vapor.cloud",
 "vaporcloud.io",
@@ -7445,6 +7501,7 @@
 "gov.scot",
 "service.gov.scot",
 "scrysec.com",
+"client.scrypted.io",
 "firewall-gateway.com",
 "firewall-gateway.de",
 "my-gateway.de",
@@ -7492,12 +7549,13 @@
 "veterinaire.fr",
 "small-web.org",
 "vp4.me",
-"snowflake.app",
-"privatelink.snowflake.app",
 "streamlit.app",
 "streamlitapp.com",
 "try-snowplow.com",
 "srht.site",
+"w-corp-staticblitz.com",
+"w-credentialless-staticblitz.com",
+"w-staticblitz.com",
 "stackhero-network.com",
 "runs.onstackit.cloud",
 "stackit.gg",
@@ -7653,6 +7711,7 @@
 "ltd.hk",
 "inc.hk",
 "it.com",
+"unison-services.cloud",
 "name.pm",
 "sch.tf",
 "biz.wf",
@@ -7671,44 +7730,6 @@
 "router.management",
 "v-info.info",
 "voorloper.cloud",
-"neko.am",
-"nyaa.am",
-"be.ax",
-"cat.ax",
-"es.ax",
-"eu.ax",
-"gg.ax",
-"mc.ax",
-"us.ax",
-"xy.ax",
-"nl.ci",
-"xx.gl",
-"app.gp",
-"blog.gt",
-"de.gt",
-"to.gt",
-"be.gy",
-"cc.hn",
-"io.kg",
-"jp.kg",
-"tv.kg",
-"uk.kg",
-"us.kg",
-"de.ls",
-"at.md",
-"de.md",
-"jp.md",
-"to.md",
-"indie.porn",
-"vxl.sh",
-"ch.tc",
-"me.tc",
-"we.tc",
-"nyan.to",
-"at.vg",
-"blog.vu",
-"dev.vu",
-"me.vu",
 "v.ua",
 "wafflecell.com",
 "webflow.io",
diff -Nru pdns-recursor-4.8.7/rec_control.1 pdns-recursor-4.8.8/rec_control.1
--- pdns-recursor-4.8.7/rec_control.1	2024-03-06 13:49:35.000000000 +0000
+++ pdns-recursor-4.8.8/rec_control.1	2024-04-24 09:34:43.000000000 +0000
@@ -27,7 +27,7 @@
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "REC_CONTROL" "1" "Mar 06, 2024" "" "PowerDNS Recursor"
+.TH "REC_CONTROL" "1" "Apr 24, 2024" "" "PowerDNS Recursor"
 .SH NAME
 rec_control \- Command line tool to control a running Recursor
 .SH SYNOPSIS
diff -Nru pdns-recursor-4.8.7/syncres.cc pdns-recursor-4.8.8/syncres.cc
--- pdns-recursor-4.8.7/syncres.cc	2024-03-06 13:48:26.000000000 +0000
+++ pdns-recursor-4.8.8/syncres.cc	2024-04-24 09:33:29.000000000 +0000
@@ -4317,7 +4317,10 @@
         break;
       }
       initial = cnameIt->second;
-      wildcardCandidates.emplace(initial, false);
+      if (!wildcardCandidates.emplace(initial, false).second) {
+        // CNAME loop
+        break;
+      }
     }
   }
 
diff -Nru pdns-recursor-4.8.7/test-syncres_cc1.cc pdns-recursor-4.8.8/test-syncres_cc1.cc
--- pdns-recursor-4.8.7/test-syncres_cc1.cc	2024-03-06 13:48:26.000000000 +0000
+++ pdns-recursor-4.8.8/test-syncres_cc1.cc	2024-04-24 09:33:29.000000000 +0000
@@ -1579,6 +1579,54 @@
   }
 }
 
+BOOST_AUTO_TEST_CASE(test_cname_loop_forwarder)
+{
+  std::unique_ptr<SyncRes> resolver;
+  initSR(resolver);
+
+  primeHints();
+
+  size_t count = 0;
+  const DNSName target("cname.powerdns.com.");
+  const DNSName cname1("cname1.cname.powerdns.com.");
+  const DNSName cname2("cname2.cname.powerdns.com.");
+
+  SyncRes::AuthDomain ad;
+  const std::vector<ComboAddress> forwardedNSs{ComboAddress("192.0.2.42:53")};
+  ad.d_rdForward = true;
+  ad.d_servers = forwardedNSs;
+  (*SyncRes::t_sstorage.domainmap)[target] = ad;
+
+  resolver->setAsyncCallback([&](const ComboAddress& address, const DNSName& domain, int /* type */, bool /* doTCP */, bool /* sendRDQuery */, int /* EDNS0Level */, struct timeval* /* now */, boost::optional<Netmask>& /* srcmask */, boost::optional<const ResolveContext&> /* context */, LWResult* res, bool* /* chained */) {
+    count++;
+
+    if (isRootServer(address)) {
+
+      setLWResult(res, 0, false, false, true);
+      addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+      addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+      return LWResult::Result::Success;
+    }
+    if (address == ComboAddress("192.0.2.42:53")) {
+
+      if (domain == target) {
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::CNAME, cname1.toString());
+        addRecordToLW(res, cname1, QType::CNAME, cname2.toString());
+        addRecordToLW(res, cname2, QType::CNAME, domain.toString());
+        return LWResult::Result::Success;
+      }
+
+      return LWResult::Result::Success;
+    }
+
+    return LWResult::Result::Timeout;
+  });
+
+  vector<DNSRecord> ret;
+  BOOST_REQUIRE_THROW(resolver->beginResolve(target, QType(QType::A), QClass::IN, ret), ImmediateServFailException);
+}
+
 BOOST_AUTO_TEST_CASE(test_cname_long_loop)
 {
   std::unique_ptr<SyncRes> sr;