Version in base suite: 5.2.9-0+deb13u1 Base version: pdns-recursor_5.2.9-0+deb13u1 Target version: pdns-recursor_5.2.11-0+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pdns-recursor/pdns-recursor_5.2.9-0+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pdns-recursor/pdns-recursor_5.2.11-0+deb13u1.dsc configure | 20 +++--- configure.ac | 2 debian/changelog | 8 ++ effective_tld_names.dat | 132 +++++++++++++++++++++++++++++++++--------- ext/yahttp/yahttp/reqresp.cpp | 7 +- pdns_recursor.1 | 2 pdns_recursor.cc | 4 + pubsuffix.cc | 63 +++++++++++++++++--- rec-xfr.cc | 4 + rec-zonetocache.cc | 3 rec_control.1 | 2 recursor_cache.cc | 3 snmp-agent.cc | 2 syncres.cc | 11 ++- test-aggressive_nsec_cc.cc | 2 test-recursorcache_cc.cc | 18 ++--- zonemd.cc | 26 +++++++- 17 files changed, 241 insertions(+), 68 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmt8zkpbl/pdns-recursor_5.2.9-0+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpmt8zkpbl/pdns-recursor_5.2.11-0+deb13u1.dsc: no acceptable signature found diff -Nru pdns-recursor-5.2.9/configure pdns-recursor-5.2.11/configure --- pdns-recursor-5.2.9/configure 2026-04-07 07:49:37.000000000 +0000 +++ pdns-recursor-5.2.11/configure 2026-06-09 07:36:44.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for pdns-recursor 5.2.9. +# Generated by GNU Autoconf 2.71 for pdns-recursor 5.2.11. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='pdns-recursor' PACKAGE_TARNAME='pdns-recursor' -PACKAGE_VERSION='5.2.9' -PACKAGE_STRING='pdns-recursor 5.2.9' +PACKAGE_VERSION='5.2.11' +PACKAGE_STRING='pdns-recursor 5.2.11' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -1588,7 +1588,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pdns-recursor 5.2.9 to adapt to many kinds of systems. +\`configure' configures pdns-recursor 5.2.11 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1659,7 +1659,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pdns-recursor 5.2.9:";; + short | recursive ) echo "Configuration of pdns-recursor 5.2.11:";; esac cat <<\_ACEOF @@ -1859,7 +1859,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pdns-recursor configure 5.2.9 +pdns-recursor configure 5.2.11 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2348,7 +2348,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pdns-recursor $as_me 5.2.9, which was +It was created by pdns-recursor $as_me 5.2.11, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3844,7 +3844,7 @@ # Define the identity of the package. PACKAGE='pdns-recursor' - VERSION='5.2.9' + VERSION='5.2.11' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -31013,7 +31013,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pdns-recursor $as_me 5.2.9, which was +This file was extended by pdns-recursor $as_me 5.2.11, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -31081,7 +31081,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -pdns-recursor config.status 5.2.9 +pdns-recursor config.status 5.2.11 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -Nru pdns-recursor-5.2.9/configure.ac pdns-recursor-5.2.11/configure.ac --- pdns-recursor-5.2.9/configure.ac 2026-04-07 07:49:29.000000000 +0000 +++ pdns-recursor-5.2.11/configure.ac 2026-06-09 07:36:36.000000000 +0000 @@ -1,6 +1,6 @@ AC_PREREQ([2.69]) -AC_INIT([pdns-recursor], [5.2.9]) +AC_INIT([pdns-recursor], [5.2.11]) AC_CONFIG_AUX_DIR([build-aux]) AM_INIT_AUTOMAKE([foreign dist-bzip2 no-dist-gzip tar-ustar -Wno-portability subdir-objects parallel-tests 1.11]) AM_SILENT_RULES([yes]) diff -Nru pdns-recursor-5.2.9/debian/changelog pdns-recursor-5.2.11/debian/changelog --- pdns-recursor-5.2.9/debian/changelog 2026-04-26 19:04:28.000000000 +0000 +++ pdns-recursor-5.2.11/debian/changelog 2026-06-16 22:19:21.000000000 +0000 @@ -1,3 +1,11 @@ +pdns-recursor (5.2.11-0+deb13u1) trixie-security; urgency=medium + + * New upstream version 5.2.11, fixing security issues + CVE-2026-33612, CVE-2026-40012, CVE-2026-42005, CVE-2026-42390, + CVE-2026-42390, CVE-2026-42388, CVE-2026-42387, CVE-2026-52690. + + -- Chris Hofstaedtler Wed, 17 Jun 2026 00:19:21 +0200 + pdns-recursor (5.2.9-0+deb13u1) trixie-security; urgency=medium * New upstream version 5.2.9, fixing CVE-2026-33257, CVE-2026-33258, diff -Nru pdns-recursor-5.2.9/effective_tld_names.dat pdns-recursor-5.2.11/effective_tld_names.dat --- pdns-recursor-5.2.9/effective_tld_names.dat 2026-04-07 07:50:25.000000000 +0000 +++ pdns-recursor-5.2.11/effective_tld_names.dat 2026-06-09 07:37:48.000000000 +0000 
@@ -5,8 +5,8 @@ // Please pull this list from, and only from https://publicsuffix.org/list/public_suffix_list.dat, // rather than any other VCS sites. Pulling from any other URL is not guaranteed to be supported. -// VERSION: 2026-04-02_06-25-15_UTC -// COMMIT: ba7dbf3ec5e7d7024a32ea7fa724a3a2b2c7d56f +// VERSION: 2026-05-28_06-25-58_UTC +// COMMIT: e596036bde712ffb073b948eb8b884c72c94c6e1 // Instructions on pulling and using this list can be found at https://publicsuffix.org/list/. @@ -1403,6 +1403,7 @@ // id : https://www.iana.org/domains/root/db/id.html id ac.id +ai.id biz.id co.id desa.id @@ -6157,7 +6158,6 @@ k12.ms.us k12.mt.us k12.nc.us -// k12.nd.us - Bug 1028347 - Removed at request of Travis Rosso k12.ne.us k12.nh.us k12.nj.us @@ -6239,8 +6239,6 @@ lib.mt.us cc.nc.us lib.nc.us -cc.nd.us -lib.nd.us cc.ne.us lib.ne.us cc.nh.us @@ -6824,7 +6822,7 @@ // newGTLDs -// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2026-02-18T15:51:43Z +// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2026-04-30T16:18:08Z // This list is auto-generated, don't edit it manually. // aaa : American Automobile Association, Inc. // https://www.iana.org/domains/root/db/aaa.html @@ -7010,7 +7008,7 @@ // https://www.iana.org/domains/root/db/anz.html anz -// aol : Yahoo Inc. +// aol : AOL Media LLC // https://www.iana.org/domains/root/db/aol.html aol @@ -7566,7 +7564,7 @@ // https://www.iana.org/domains/root/db/cipriani.html cipriani -// circle : Amazon Registry Services, Inc. +// circle : Jolly Host, LLC // https://www.iana.org/domains/root/db/circle.html circle @@ -8418,7 +8416,7 @@ // https://www.iana.org/domains/root/db/gop.html gop -// got : Amazon Registry Services, Inc. +// got : Jolly Host, LLC // https://www.iana.org/domains/root/db/got.html got 
@@ -8790,7 +8788,7 @@ // https://www.iana.org/domains/root/db/joburg.html joburg -// jot : Amazon Registry Services, Inc. +// jot : Jolly Host, LLC // https://www.iana.org/domains/root/db/jot.html jot @@ -9926,7 +9924,7 @@ // https://www.iana.org/domains/root/db/safe.html safe -// safety : Safety Registry Services, LLC. +// safety : Jolly Host, LLC // https://www.iana.org/domains/root/db/safety.html safety @@ -12336,10 +12334,18 @@ // concludes Amazon +// Anomaly : https://opencode.ai +// Submitted by Dax Raad +opentunnel.xyz + // Antagonist B.V. : https://www.antagonist.nl/ // Submitted by Sander Hoentjen antagonist.cloud +// Anthropic : https://www.anthropic.com/ +// Submitted by Sid Bidasaria +claude.app + // Apigee : https://apigee.com/ // Submitted by Apigee Security Team apigee.io @@ -12419,7 +12425,10 @@ myasustor.com // Atlassian : https://atlassian.com -// Submitted by Sam Smyth +// Submitted by Benjamin McAlary +*.atlassian-3p.com +*.atlassian-3p-us-gov-mod.com +*.atlassian-isolated-3p.com cdn.prod.atlassian-dev.net // AVM : https://avm.de @@ -12566,10 +12575,12 @@ // Submitted by Joel Aquilina canva-apps.cn my.canvasite.cn +khsj.cn canva-apps.com canva-hosted-embed.com canvacode.com rice-labs.com +canva.link canva.run my.canva.site @@ -12809,10 +12820,6 @@ // Submitted by Ales Krajnik realm.cz -// Crisp IM SAS : https://crisp.chat/ -// Submitted by Baptiste Jamin -on.crisp.email - // Cryptonomic : https://cryptonomic.net/ // Submitted by Andrew Cady *.cryptonomic.net @@ -12889,6 +12896,12 @@ deno.net sandbox.deno.net +// DeployAgent : https://deployagent.com +// Submitted by Danny +deployagent.com +piebox.site +deployagent.space + // deSEC : https://desec.io/ // Submitted by Peter Thomassen dedyn.io @@ -13468,6 +13481,10 @@ // Submitted by Eric Jiang onfabrica.com +// fachschaften.org: https://fachschaften.org/ +// Submitted by Felix Schäfer +fspages.org + // FAITID : https://faitid.org/ // Submitted by Maxim Alzoba // https://www.flexireg.net/stat_info 
@@ -13915,11 +13932,6 @@ // Submitted by Richard Baker pymnt.uk -// GOV.UK Platform as a Service : https://www.cloud.service.gov.uk/ -// Submitted by Tom Whitwell -cloudapps.digital -london.cloudapps.digital - // Government of the Netherlands : https://www.government.nl // Submitted by gov.nl @@ -14025,6 +14037,10 @@ *.id.pub *.kin.pub +// HOOC AG : https://www.hooc.ch +// Submitted by Fabrizio Steiner +seprox.hooc.me + // Hoplix : https://www.hoplix.com // Submitted by Danilo De Franco hoplix.shop @@ -14045,6 +14061,10 @@ ngo.ng plc.ng +// Hostinger : https://hostinger.com +// Submitted by Valentinas Cirba +hstgr.cloud + // HostyHosting : https://hostyhosting.com hostyhosting.io @@ -14313,6 +14333,18 @@ // Submitted by Stefan Keim js.org +// K2 Cloud : https://k2.cloud/ +// Submitted by K2 Cloud +elastic.k2.cloud +lb.ru-msk.k2.cloud +s3.ru-msk.k2.cloud +website.ru-msk.k2.cloud +lb.ru-spb.k2.cloud +s3.ru-spb.k2.cloud +website.ru-spb.k2.cloud +s3.k2.cloud +website.k2.cloud + // KaasHosting : http://www.kaashosting.nl/ // Submitted by Wouter Bakker kaas.gg @@ -14600,6 +14632,7 @@ // Submitted by Jacob Cordero atmeta.com apps.fbsbx.com +*.metaaiusercontent.com // MetaCentrum, CESNET z.s.p.o. : https://www.metacentrum.cz/en/ // Submitted by Zdeněk Šustr and Radim Janča @@ -14895,6 +14928,35 @@ *.database.run *.migration.run +// Northwest Nexus dba NuOz : https://nuoz.net/ +// An RFC 1480 locality domain delegate host +// Submitted by Peter Briggs on behalf of NuOz +aberdeen.wa.us +bainbridge-isl.wa.us +bellevue.wa.us +bremerton.wa.us +centralia.wa.us +chehalis.wa.us +forks.wa.us +gig-harbor.wa.us +hoquiam.wa.us +keyport.wa.us +kingston.wa.us +olympia.wa.us +port-angeles.wa.us +port-ludlow.wa.us +port-orchard.wa.us +port-townsend.wa.us +poulsbo.wa.us +redmond.wa.us +renton.wa.us +sea.wa.us +seattle.wa.us +sequim.wa.us +shelton.wa.us +silverdale.wa.us +yarrow-point.wa.us + // Noticeable : https://noticeable.io // Submitted by Laurent Pellegrino noticeable.news 
@@ -15064,10 +15126,6 @@ // Submitted by Derek Myers pgfog.com -// PageXL : https://pagexl.com -// Submitted by Yann Guichard -pagexl.com - // Pantheon Systems, Inc. : https://pantheon.io/ // Submitted by Gary Dylina gotpantheon.com @@ -15604,6 +15662,12 @@ // Submitted by Information Administration as.sh.cn +// Shanghai Oray Information Technology Co., Ltd.: https://www.oray.com/ +// Submitted by: Shanghai Oray Information Technology Co., Ltd. +vicp.fun +yicp.fun +zicp.fun + // Sheezy.Art : https://sheezy.art // Submitted by Nyoom sheezy.games @@ -15754,6 +15818,7 @@ // Stackryze : https://stackryze.com // Submitted by Sudheer Bhuvana +sryze.cc indevs.in // Staclar : https://staclar.com @@ -15944,6 +16009,11 @@ // Submitted by Christian Franke tickets.io +// Tigris Data, Inc. : https://www.tigrisdata.com +// Submitted by Bo Cao +t3.storage.dev +t3.storageapi.dev + // Tlon.io : https://tlon.io // Submitted by Mark Staarink arvo.network @@ -16101,6 +16171,11 @@ // Submitted by Deus Team deus-canvas.com +// vivenu GmbH : https://vivenu.com/ +// Submitted by Marvin Frick +vivenushop.com +vivenushop.dev + // Voorloper.com : https://voorloper.com // Submitted by Nathan van Bakel voorloper.cloud @@ -16131,11 +16206,10 @@ *.webhare.dev // WebHotelier Technologies Ltd : https://www.webhotelier.net/ -// Submitted by Apostolos Tsakpinis -bookonline.app +// Submitted by Apostolos Tsakpinis hotelwithflight.com -reserve-online.com reserve-online.net +book.online // WebPros International, LLC : https://webpros.com/ // Submitted by Nicolas Rochelemagne 
@@ -16285,6 +16359,8 @@ // Zerops : https://zerops.io/ // Submitted by Zerops Team *.zerops.app +prg1-zerops.zone +*.zerops.zone // Zine EOOD : https://zine.bg/ // Submitted by Martin Angelov diff -Nru pdns-recursor-5.2.9/ext/yahttp/yahttp/reqresp.cpp pdns-recursor-5.2.11/ext/yahttp/yahttp/reqresp.cpp --- pdns-recursor-5.2.9/ext/yahttp/yahttp/reqresp.cpp 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/ext/yahttp/yahttp/reqresp.cpp 2026-06-09 07:33:58.000000000 +0000 @@ -181,7 +181,12 @@ if (chunk_size == 0) { char buf[100]; // read chunk length - if ((pos = buffer.find('\n')) == std::string::npos) return false; + if ((pos = buffer.find('\n')) == std::string::npos) { + if (buffer.size() > 99) { + throw ParseError("Nonsensical chunk_size"); + } + return false; + } if (pos > 99) throw ParseError("Impossible chunk_size"); buffer.copy(buf, pos); diff -Nru pdns-recursor-5.2.9/pdns_recursor.1 pdns-recursor-5.2.11/pdns_recursor.1 --- pdns-recursor-5.2.9/pdns_recursor.1 2026-04-07 07:50:25.000000000 +0000 +++ pdns-recursor-5.2.11/pdns_recursor.1 2026-06-09 07:37:48.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "PDNS_RECURSOR" "1" "Apr 07, 2026" "" "PowerDNS Recursor" +.TH "PDNS_RECURSOR" "1" "Jun 09, 2026" "" "PowerDNS Recursor" .SH NAME pdns_recursor \- The PowerDNS Recursor binary .SH SYNOPSIS diff -Nru pdns-recursor-5.2.9/pdns_recursor.cc pdns-recursor-5.2.11/pdns_recursor.cc --- pdns-recursor-5.2.9/pdns_recursor.cc 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/pdns_recursor.cc 2026-06-09 07:33:58.000000000 +0000 
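Review bot: In the chunk-length branch of ext/yahttp/yahttp/reqresp.cpp the literal 99 now appears twice, and both occurrences are tied to `char buf[100]` declared just above, so a later change to the buffer size would silently desynchronise the bound from the `buffer.copy(buf, pos)` that follows. Deriving both limits from the array, e.g. `if (buffer.size() > sizeof(buf) - 1)` and `if (pos > sizeof(buf) - 1)`, keeps the copy bounded by construction. A short comment on the new check, such as `// no newline within a full chunk-size line: reject instead of buffering more input`, would record why the early throw exists. The enclosing function starts and ends outside the hunk.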
@@ -1608,6 +1608,10 @@ sendit:; if (g_useIncomingECS && comboWriter->d_ecsFound && !resolver.wasVariable() && !variableAnswer) { + // The moment we add an ECS option we should no longer packet cache this. An alternative is to + // overwrite the ECS info after retrieval from the packet cache, but that is much more + // complicated. + variableAnswer = true; EDNSSubnetOpts ednsOptions; ednsOptions.source = comboWriter->d_ednssubnet.source; ComboAddress sourceAddr; diff -Nru pdns-recursor-5.2.9/pubsuffix.cc pdns-recursor-5.2.11/pubsuffix.cc --- pdns-recursor-5.2.9/pubsuffix.cc 2026-04-07 07:50:25.000000000 +0000 +++ pdns-recursor-5.2.11/pubsuffix.cc 2026-06-09 07:37:48.000000000 +0000 @@ -952,6 +952,7 @@ "utazas.hu", "video.hu", "ac.id", +"ai.id", "biz.id", "co.id", "desa.id", @@ -4952,8 +4953,6 @@ "lib.mt.us", "cc.nc.us", "lib.nc.us", -"cc.nd.us", -"lib.nd.us", "cc.ne.us", "lib.ne.us", "cc.nh.us", @@ -5979,7 +5978,9 @@ "transfer-webapp.cn-northwest-1.on.amazonwebservices.com.cn", "eero.online", "eero-stage.online", +"opentunnel.xyz", "antagonist.cloud", +"claude.app", "apigee.io", "panel.dev", "siiites.com", @@ -6052,10 +6053,12 @@ "cafjs.com", "canva-apps.cn", "my.canvasite.cn", +"khsj.cn", "canva-apps.com", "canva-hosted-embed.com", "canvacode.com", "rice-labs.com", +"canva.link", "canva.run", "my.canva.site", "drr.ac", @@ -6189,7 +6192,6 @@ "static-access.net", "craft.me", "realm.cz", -"on.crisp.email", "cfolks.pl", "cyon.link", "cyon.site", @@ -6226,6 +6228,9 @@ "deno-staging.dev", "deno.net", "sandbox.deno.net", +"deployagent.com", +"piebox.site", +"deployagent.space", "dedyn.io", "deta.app", "deta.dev", @@ -6673,6 +6678,7 @@ "staging.expo.app", "on.staging.expo.app", "onfabrica.com", +"fspages.org", "ru.net", "adygeya.ru", "bashkiria.ru", @@ -6971,8 +6977,6 @@ "cloudfunctions.net", "goupile.fr", "pymnt.uk", -"cloudapps.digital", -"london.cloudapps.digital", "gov.nl", "grafana-dev.net", "grayjayleagues.com", 
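Review bot: The new comment in pdns_recursor.cc says the answer must not be packet cached once an ECS option is added, but not what goes wrong if it is; presumably a packet-cache hit would replay the ECS option built from one client's `d_ednssubnet.source` to other clients. Stating that in the comment, e.g. `// a cached copy would carry this client's ECS source to every later client`, lets the reason for `variableAnswer = true` survive refactoring. No test for this path is among the hunks on this page (the diffstat lists only test-aggressive_nsec_cc.cc and test-recursorcache_cc.cc), so a regression test asserting that such answers are not served from the packet cache would be worth adding. The block continues outside the hunk.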
@@ -7007,6 +7011,7 @@ "hidns.co", "hidns.vip", "homesklep.pl", +"seprox.hooc.me", "hoplix.shop", "orx.biz", "biz.ng", @@ -7021,6 +7026,7 @@ "ltd.ng", "ngo.ng", "plc.ng", +"hstgr.cloud", "hostyhosting.io", "hf.space", "static.hf.space", @@ -7186,6 +7192,15 @@ "webadorsite.com", "jouwweb.site", "js.org", +"elastic.k2.cloud", +"lb.ru-msk.k2.cloud", +"s3.ru-msk.k2.cloud", +"website.ru-msk.k2.cloud", +"lb.ru-spb.k2.cloud", +"s3.ru-spb.k2.cloud", +"website.ru-spb.k2.cloud", +"s3.k2.cloud", +"website.k2.cloud", "kaas.gg", "khplay.nl", "kapsi.fi", @@ -7510,6 +7525,31 @@ "pointto.us", "stage.nodeart.io", "noop.app", +"aberdeen.wa.us", +"bainbridge-isl.wa.us", +"bellevue.wa.us", +"bremerton.wa.us", +"centralia.wa.us", +"chehalis.wa.us", +"forks.wa.us", +"gig-harbor.wa.us", +"hoquiam.wa.us", +"keyport.wa.us", +"kingston.wa.us", +"olympia.wa.us", +"port-angeles.wa.us", +"port-ludlow.wa.us", +"port-orchard.wa.us", +"port-townsend.wa.us", +"poulsbo.wa.us", +"redmond.wa.us", +"renton.wa.us", +"sea.wa.us", +"seattle.wa.us", +"sequim.wa.us", +"shelton.wa.us", +"silverdale.wa.us", +"yarrow-point.wa.us", "noticeable.news", "notion.site", "dnsking.ch", @@ -7579,7 +7619,6 @@ "ox.rs", "oy.lc", "pgfog.com", -"pagexl.com", "gotpantheon.com", "pantheonsite.io", "xmit.dev", @@ -7829,6 +7868,9 @@ "co.ua", "pp.ua", "as.sh.cn", +"vicp.fun", +"yicp.fun", +"zicp.fun", "sheezy.games", "myshopblocks.com", "myshopify.com", @@ -7897,6 +7939,7 @@ "stackit.rocks", "stackit.run", "stackit.zone", +"sryze.cc", "indevs.in", "musician.io", "novecore.site", @@ -7989,6 +8032,8 @@ "cust.testing.thingdust.io", "reservd.testing.thingdust.io", "tickets.io", +"t3.storage.dev", +"t3.storageapi.dev", "arvo.network", "azimuth.network", "tlon.network", 
@@ -8053,16 +8098,17 @@ "v-info.info", "vistablog.ir", "deus-canvas.com", +"vivenushop.com", +"vivenushop.dev", "voorloper.cloud", "wafflecell.com", "wal.app", "wasmer.app", "webflow.io", "webflowtest.io", -"bookonline.app", "hotelwithflight.com", -"reserve-online.com", "reserve-online.net", +"book.online", "cprapid.com", "pleskns.com", "wp2.host", @@ -8127,6 +8173,7 @@ "za.org", "zap.cloud", "zeabur.app", +"prg1-zerops.zone", "bss.design", "basicserver.io", "virtualserver.io", diff -Nru pdns-recursor-5.2.9/rec-xfr.cc pdns-recursor-5.2.11/rec-xfr.cc --- pdns-recursor-5.2.9/rec-xfr.cc 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/rec-xfr.cc 2026-06-09 07:33:58.000000000 +0000 @@ -225,6 +225,10 @@ zone->clear(); throw PDNSException("duplicate PTR values in catalog zone"); } + if (!soaRecordContent) { + zone->clear(); + throw PDNSException("No valid SOA found in catalog zone AXFR"); + } logger->info(Logr::Info, "Zone load completed", "nrecords", Logging::Loggable(nrecords), "soa", Logging::Loggable(soaRecordContent->getZoneRepresentation())); return soaRecordContent; } diff -Nru pdns-recursor-5.2.9/rec-zonetocache.cc pdns-recursor-5.2.11/rec-zonetocache.cc --- pdns-recursor-5.2.9/rec-zonetocache.cc 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/rec-zonetocache.cc 2026-06-09 07:33:58.000000000 +0000 @@ -90,6 +90,9 @@ if (dnsRecord.d_class != QClass::IN) { return; } + if (!dnsRecord.d_name.isPartOf(d_zone)) { + return; + } const auto key = pair(dnsRecord.d_name, dnsRecord.d_type); dnsRecord.d_ttl += d_now; diff -Nru pdns-recursor-5.2.9/rec_control.1 pdns-recursor-5.2.11/rec_control.1 --- pdns-recursor-5.2.9/rec_control.1 2026-04-07 07:50:25.000000000 +0000 +++ pdns-recursor-5.2.11/rec_control.1 2026-06-09 07:37:48.000000000 +0000 
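Review bot: In rec-xfr.cc the new SOA check repeats the `zone->clear(); throw PDNSException(...)` pair used by the duplicate-PTR check directly above it, so every future error path in this loader has to remember the clear by hand. A single cleanup point (a scope guard, or a catch-and-rethrow around the load that calls `zone->clear()`) would make it impossible to leave a partially loaded catalog zone behind. The null check itself is placed correctly, before the `soaRecordContent->getZoneRepresentation()` call in the log line. The function starts outside the hunk.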
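Review bot: In rec-zonetocache.cc the new `isPartOf(d_zone)` guard drops out-of-zone records with a bare `return`, so an operator gets no signal that the zone source supplied names outside the zone. Records like these are what a misconfigured or untrustworthy source would send, so a log line or counter at this point would help detection. At minimum a comment such as `// ignore out-of-zone records so a zone source cannot populate cache entries for other names` would document the intent. The function body continues outside the hunk.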
@@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "REC_CONTROL" "1" "Apr 07, 2026" "" "PowerDNS Recursor" +.TH "REC_CONTROL" "1" "Jun 09, 2026" "" "PowerDNS Recursor" .SH NAME rec_control \- Command line tool to control a running Recursor .SH SYNOPSIS diff -Nru pdns-recursor-5.2.9/recursor_cache.cc pdns-recursor-5.2.11/recursor_cache.cc --- pdns-recursor-5.2.9/recursor_cache.cc 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/recursor_cache.cc 2026-06-09 07:33:58.000000000 +0000 @@ -1029,12 +1029,13 @@ for (const auto& authRec : recordSet->d_authorityRecs) { protozero::pbf_builder auth(message, PBCacheEntry::repeated_message_authRecord); auth.add_bytes(PBAuthRecord::required_bytes_name, authRec->d_name.toString()); - auth.add_bytes(PBAuthRecord::required_bytes_rdata, authRec->getContent()->serialize(authRec->d_name, true)); auth.add_uint32(PBAuthRecord::required_uint32_type, authRec->d_type); auth.add_uint32(PBAuthRecord::required_uint32_class, authRec->d_class); auth.add_uint32(PBAuthRecord::required_uint32_ttl, authRec->d_ttl); auth.add_uint32(PBAuthRecord::required_uint32_place, authRec->d_place); auth.add_uint32(PBAuthRecord::required_uint32_clen, authRec->d_clen); + /* content needs to be done last otherwise we have a problem when deserializing because we don't know the correct type! */ + auth.add_bytes(PBAuthRecord::required_bytes_rdata, authRec->getContent()->serialize(authRec->d_name, true)); } message.add_bytes(PBCacheEntry::required_bytes_authZone, recordSet->d_authZone.toString()); encodeComboAddress(message, PBCacheEntry::required_message_from, recordSet->d_from); diff -Nru pdns-recursor-5.2.9/snmp-agent.cc pdns-recursor-5.2.11/snmp-agent.cc --- pdns-recursor-5.2.9/snmp-agent.cc 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/snmp-agent.cc 2026-06-09 07:33:58.000000000 +0000 
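Review bot: The reordering in recursor_cache.cc makes correct decoding depend on the writer emitting `required_bytes_rdata` after `required_uint32_type`, which the new comment states but nothing visible here enforces. The reading side is not part of this hunk; it should either defer parsing the rdata until all fields of the auth record have been read, or reject an auth record whose rdata field arrives before its type, so that a dump written by an older version or assembled by hand is not decoded with the wrong record type. If that check already exists, referencing it from the comment would help. The loop sits inside a function that starts outside the hunk.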
@@ -92,6 +92,7 @@ NETSNMP_LARGE_FD_ZERO(&fdset); NETSNMP_LARGE_FD_SET(fd, &fdset); snmp_read2(&fdset); + netsnmp_large_fd_set_cleanup(&fdset); } void SNMPAgent::handleTrapsCB(int /* fd */, FDMultiplexer::funcparam_t& var) @@ -173,6 +174,7 @@ } } } + netsnmp_large_fd_set_cleanup(&fdset); } #endif /* HAVE_NET_SNMP */ } diff -Nru pdns-recursor-5.2.9/syncres.cc pdns-recursor-5.2.11/syncres.cc --- pdns-recursor-5.2.9/syncres.cc 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/syncres.cc 2026-06-09 07:33:58.000000000 +0000 @@ -1596,13 +1596,16 @@ for (int tries = 0; tries < 2; ++tries) { - if (mode == EDNSStatus::NOEDNS) { + // We might have recorded (due to transient or spoofing issues) the target as not supporting + // EDNS. But if we plan to do DNSSEC validation, actually force EDNS for the first try so DNSSEC + // has a chance. + if ((tries == 0 && ednsMANDATORY) || mode != EDNSStatus::NOEDNS) { + EDNSLevel = 1; + } + else { t_Counters.at(rec::Counter::noEdnsOutQueries)++; EDNSLevel = 0; // level != mode } - else if (ednsMANDATORY || mode != EDNSStatus::NOEDNS) { - EDNSLevel = 1; - } DNSName sendQname(domain); if (g_lowercaseOutgoing) { diff -Nru pdns-recursor-5.2.9/test-aggressive_nsec_cc.cc pdns-recursor-5.2.11/test-aggressive_nsec_cc.cc --- pdns-recursor-5.2.9/test-aggressive_nsec_cc.cc 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/test-aggressive_nsec_cc.cc 2026-06-09 07:33:58.000000000 +0000 
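Review bot: In snmp-agent.cc the added `netsnmp_large_fd_set_cleanup(&fdset)` runs only when control reaches the end of the function, both here and in the hunk at -173, where it follows several nested blocks. If any code between `NETSNMP_LARGE_FD_ZERO` and the cleanup can return early or throw (the second function's body is mostly outside the hunk), the fd set still leaks on that path. A small RAII wrapper whose destructor calls `netsnmp_large_fd_set_cleanup` would cover every exit path in both functions.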
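Review bot: The new comment in syncres.cc explains the first try but not the second: when `ednsMANDATORY` is set and the recorded mode is `EDNSStatus::NOEDNS`, the condition `(tries == 0 && ednsMANDATORY) || mode != EDNSStatus::NOEDNS` is false for `tries == 1`, so the retry goes out with `EDNSLevel = 0`. An answer obtained that way cannot carry DNSSEC records, so it is worth confirming, outside this hunk, that validation then fails the answer rather than accepting it unvalidated. The comment should say so, e.g. `// second try may fall back to no EDNS; DNSSEC validation must then fail the answer`. The loop body continues outside the hunk.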
@@ -1143,7 +1143,7 @@ rec.d_ttl = now.tv_sec + 10; rec.setContent(getRecordContent(QType::NSEC3, "1 0 500 ab HASG==== A RRSIG NSEC3")); std::vector> sigs; - for (auto i = 0; i < 100; i++) { + for (auto i = 0; i < 200; i++) { auto rrsig = std::make_shared("NSEC3 5 3 10 20370101000000 20370101000000 24567 dummy. data"); sigs.emplace_back(std::move(rrsig)); } diff -Nru pdns-recursor-5.2.9/test-recursorcache_cc.cc pdns-recursor-5.2.11/test-recursorcache_cc.cc --- pdns-recursor-5.2.9/test-recursorcache_cc.cc 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/test-recursorcache_cc.cc 2026-06-09 07:33:58.000000000 +0000 @@ -1300,7 +1300,7 @@ dr.d_name = DNSName("hi"); dr.d_type = QType::AAAA; dr.d_ttl = 3600; - dr.setContent(std::make_shared(ComboAddress("1::2:3:4"))); + dr.setContent(std::make_shared(ComboAddress("1::2:3:4"))); authRecords.emplace_back(std::make_shared(dr)); std::vector> signatures; 
@@ -1325,18 +1325,18 @@ const ComboAddress somebody("::1"); const time_t ttl_time = 90; - auto checker = [&] { - const size_t expected = 100; + const size_t expected = 100; - for (size_t counter = 0; counter < expected; ++counter) { - DNSName a = DNSName("hello ") + DNSName(std::to_string(counter)); - BOOST_CHECK_EQUAL(DNSName(a.toString()), a); + for (size_t counter = 0; counter < expected; ++counter) { + DNSName name = DNSName("hello ") + DNSName(std::to_string(counter)); + BOOST_CHECK_EQUAL(DNSName(name.toString()), name); - MRC.replace(now, a, QType(QType::A), rset0, signatures, authRecords, true, authZone, boost::none, boost::none, vState::Insecure, somebody, false, ttl_time); - } + MRC.replace(now, name, QType(QType::A), rset0, signatures, authRecords, true, authZone, boost::none, boost::none, vState::Insecure, somebody, false, ttl_time); + } - BOOST_CHECK_EQUAL(MRC.size(), expected); + BOOST_CHECK_EQUAL(MRC.size(), expected); + auto checker = [&] { size_t matches = 0; for (size_t counter = 0; counter < expected + 10; counter++) { diff -Nru pdns-recursor-5.2.9/zonemd.cc pdns-recursor-5.2.11/zonemd.cc --- pdns-recursor-5.2.9/zonemd.cc 2026-04-07 07:48:30.000000000 +0000 +++ pdns-recursor-5.2.11/zonemd.cc 2026-06-09 07:33:58.000000000 +0000 @@ -117,6 +117,9 @@ } break; } + default: + // nothing + break; } } } @@ -153,6 +156,9 @@ } break; } + default: + // nothing + break; } } RRSetKey_t key = std::pair(record.d_name, record.d_type); @@ -226,6 +232,9 @@ for (auto& resourceRecord : rrset.second) { if (qtype == QType::RRSIG) { const auto rrsig = std::dynamic_pointer_cast(resourceRecord); + if (rrsig == nullptr) { + continue; + } if (rrsig->d_type == QType::ZONEMD && qname == d_zone) { continue; } 
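Review bot: In zonemd.cc the new `if (rrsig == nullptr) { continue; }` silently leaves the record out of the data being processed for the digest, and the hunk at -248 does the same for `rrsigc`. A record stored under `QType::RRSIG` whose content fails the cast means the zone data is inconsistent, so logging it or failing verification explicitly would be clearer than depending on a later digest mismatch. At minimum a comment should say whether the skip is expected to make verification fail. Both loops sit in a function that starts outside the hunks.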
@@ -248,7 +257,10 @@ // RRSIG is special, since original TTL depends on qtype covered by RRSIG // which can be different per record for (const auto& rrsig : sorted) { - auto rrsigc = std::dynamic_pointer_cast(rrsig); + const auto rrsigc = std::dynamic_pointer_cast(rrsig); + if (rrsigc == nullptr) { + continue; + } RRSIGRecordContent rrc; rrc.d_originalttl = d_resourceRecordSetTTLs[pair(rrset.first.first, rrsigc->d_type)]; rrc.d_type = qtype; @@ -259,8 +271,16 @@ } // Final verify - for (const auto& [k, v] : d_zonemdRecords) { - auto [zonemd, duplicate] = v; + for (const auto& record : d_zonemdRecords) { + const auto scheme = record.first.first; + const auto duplicate = record.second.duplicate; + if (scheme != 1 || duplicate) { + continue; + } + const auto zonemd = record.second.record; + if (zonemd->d_serial != d_soaRecordContent->d_st.serial) { + continue; + } if (zonemd->d_hashalgo == 1 && sha384digest) { validationDone = true; auto computed = sha384digest->digest();
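Review bot: The rewritten final-verify loop in zonemd.cc dereferences `d_soaRecordContent` and `zonemd` (`record.second.record`) without a null check in the visible lines. If an earlier part of the function, outside this hunk, does not already guarantee that a SOA was seen, a zone without one would reach `d_soaRecordContent->d_st.serial`. A guard such as `if (!d_soaRecordContent || !zonemd) { continue; }` placed right after `zonemd` is assigned would make the loop self-contained. The literals in `scheme != 1` and `d_hashalgo == 1` would also read better as named constants for the ZONEMD scheme and hash algorithm.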