Version in base suite: 5.2.6-0+deb13u1

Base version: pdns-recursor_5.2.6-0+deb13u1
Target version: pdns-recursor_5.2.7-0+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pdns-recursor/pdns-recursor_5.2.6-0+deb13u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pdns-recursor/pdns-recursor_5.2.7-0+deb13u1.dsc

 configure               |   20 ++--
 configure.ac            |    2 
 debian/changelog        |    6 +
 effective_tld_names.dat |  238 ++++++++++++++++++++++++++++++++++++++++--------
 pdns_recursor.1         |    2 
 pubsuffix.cc            |   96 +++++++++++++++++--
 rec-tcp.cc              |   13 +-
 rec_control.1           |    2 
 8 files changed, 315 insertions(+), 64 deletions(-)

diff -Nru pdns-recursor-5.2.6/configure pdns-recursor-5.2.7/configure
--- pdns-recursor-5.2.6/configure	2025-09-25 09:53:42.000000000 +0000
+++ pdns-recursor-5.2.7/configure	2025-11-25 13:41:46.000000000 +0000
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for pdns-recursor 5.2.6.
+# Generated by GNU Autoconf 2.71 for pdns-recursor 5.2.7.
 #
 #
 # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation,
@@ -618,8 +618,8 @@
 # Identity of this package.
 PACKAGE_NAME='pdns-recursor'
 PACKAGE_TARNAME='pdns-recursor'
-PACKAGE_VERSION='5.2.6'
-PACKAGE_STRING='pdns-recursor 5.2.6'
+PACKAGE_VERSION='5.2.7'
+PACKAGE_STRING='pdns-recursor 5.2.7'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1588,7 +1588,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures pdns-recursor 5.2.6 to adapt to many kinds of systems.
+\`configure' configures pdns-recursor 5.2.7 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1659,7 +1659,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of pdns-recursor 5.2.6:";;
+     short | recursive ) echo "Configuration of pdns-recursor 5.2.7:";;
    esac
   cat <<\_ACEOF
 
@@ -1859,7 +1859,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-pdns-recursor configure 5.2.6
+pdns-recursor configure 5.2.7
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2348,7 +2348,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by pdns-recursor $as_me 5.2.6, which was
+It was created by pdns-recursor $as_me 5.2.7, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3844,7 +3844,7 @@
 
 # Define the identity of the package.
  PACKAGE='pdns-recursor'
- VERSION='5.2.6'
+ VERSION='5.2.7'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -31013,7 +31013,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by pdns-recursor $as_me 5.2.6, which was
+This file was extended by pdns-recursor $as_me 5.2.7, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -31081,7 +31081,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-pdns-recursor config.status 5.2.6
+pdns-recursor config.status 5.2.7
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -Nru pdns-recursor-5.2.6/configure.ac pdns-recursor-5.2.7/configure.ac
--- pdns-recursor-5.2.6/configure.ac	2025-09-25 09:53:35.000000000 +0000
+++ pdns-recursor-5.2.7/configure.ac	2025-11-25 13:41:40.000000000 +0000
@@ -1,6 +1,6 @@
 AC_PREREQ([2.69])
 
-AC_INIT([pdns-recursor], [5.2.6])
+AC_INIT([pdns-recursor], [5.2.7])
 AC_CONFIG_AUX_DIR([build-aux])
 AM_INIT_AUTOMAKE([foreign dist-bzip2 no-dist-gzip tar-ustar -Wno-portability subdir-objects parallel-tests 1.11])
 AM_SILENT_RULES([yes])
diff -Nru pdns-recursor-5.2.6/debian/changelog pdns-recursor-5.2.7/debian/changelog
--- pdns-recursor-5.2.6/debian/changelog	2025-10-22 16:15:32.000000000 +0000
+++ pdns-recursor-5.2.7/debian/changelog	2025-12-09 10:13:14.000000000 +0000
@@ -1,3 +1,9 @@
+pdns-recursor (5.2.7-0+deb13u1) trixie-security; urgency=medium
+
+  * New upstream version 5.2.7, fixing CVE-2025-59030.
+
+ -- Chris Hofstaedtler <zeha@debian.org>  Tue, 09 Dec 2025 11:13:14 +0100
+
 pdns-recursor (5.2.6-0+deb13u1) trixie-security; urgency=medium
 
   * New upstream version 5.2.6, fixing CVE-2025-59023.
diff -Nru pdns-recursor-5.2.6/effective_tld_names.dat pdns-recursor-5.2.7/effective_tld_names.dat
--- pdns-recursor-5.2.6/effective_tld_names.dat	2025-09-25 09:54:23.000000000 +0000
+++ pdns-recursor-5.2.7/effective_tld_names.dat	2025-11-25 13:42:30.000000000 +0000
@@ -5,8 +5,8 @@
 // Please pull this list from, and only from https://publicsuffix.org/list/public_suffix_list.dat,
 // rather than any other VCS sites. Pulling from any other URL is not guaranteed to be supported.
 
-// VERSION: 2025-09-23_13-07-02_UTC
-// COMMIT: 6defc0e19dbbe27dc2a0798256077d0b82d9c455
+// VERSION: 2025-11-24_21-12-44_UTC
+// COMMIT: 565e9dc7907cba1b3ae6b6d588120ec54d789806
 
 // Instructions on pulling and using this list can be found at https://publicsuffix.org/list/.
 
@@ -333,7 +333,22 @@
 tv.bb
 
 // bd : https://www.iana.org/domains/root/db/bd.html
-*.bd
+// Confirmed by registry <dgm.domain@btcl.gov.bd>
+bd
+ac.bd
+ai.bd
+co.bd
+com.bd
+edu.bd
+gov.bd
+id.bd
+info.bd
+it.bd
+mil.bd
+net.bd
+org.bd
+sch.bd
+tv.bd
 
 // be : https://www.iana.org/domains/root/db/be.html
 // Confirmed by registry <tech@dns.be> 2008-06-08
@@ -1103,13 +1118,14 @@
 // completely removed.
 aland.fi
 
-// fj : http://domains.fj/
-// Submitted by registry <garth.miller@cocca.org.nz> 2020-02-11
+// fj : https://www.iana.org/domains/root/db/fj.html
 fj
 ac.fj
 biz.fj
 com.fj
+edu.fj
 gov.fj
+id.fj
 info.fj
 mil.fj
 name.fj
@@ -1399,6 +1415,8 @@
 ponpes.id
 sch.id
 web.id
+// xn--9tfky.id (<bali>.id, Und-Bali)
+ᬩᬮᬶ.id
 
 // ie : https://www.iana.org/domains/root/db/ie.html
 ie
@@ -1444,12 +1462,14 @@
 // see also: https://registry.in/policies
 // Please note, that nic.in is not an official eTLD, but used by most
 // government institutions.
+// Confirmed by Gaurav Kansal <gaurav.kansal@nic.in> 2025-11-06
 in
 5g.in
 6g.in
 ac.in
 ai.in
 am.in
+bank.in
 bihar.in
 biz.in
 business.in
@@ -1463,6 +1483,7 @@
 dr.in
 edu.in
 er.in
+fin.in
 firm.in
 gen.in
 gov.in
@@ -4499,8 +4520,6 @@
 bievát.no
 bindal.no
 birkenes.no
-bjarkoy.no
-bjarkøy.no
 bjerkreim.no
 bjugn.no
 bodo.no
@@ -4777,7 +4796,6 @@
 sande.møre-og-romsdal.no
 moskenes.no
 moss.no
-mosvik.no
 muosat.no
 muosát.no
 naamesjevuemie.no
@@ -6314,6 +6332,7 @@
 org.vc
 
 // ve : https://registro.nic.ve/
+// https://nic.ve/site/user-agreement -> under "III. Clasificación de Nombres de Dominio"
 // Submitted by registry nic@nic.ve and nicve@conatel.gob.ve
 ve
 arts.ve
@@ -6326,6 +6345,7 @@
 firm.ve
 gob.ve
 gov.ve
+ia.ve
 info.ve
 int.ve
 mil.ve
@@ -6796,7 +6816,7 @@
 
 // newGTLDs
 
-// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2025-08-27T15:19:08Z
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2025-11-08T15:16:38Z
 // This list is auto-generated, don't edit it manually.
 // aaa : American Automobile Association, Inc.
 // https://www.iana.org/domains/root/db/aaa.html
@@ -7910,10 +7930,6 @@
 // https://www.iana.org/domains/root/db/dubai.html
 dubai
 
-// dunlop : The Goodyear Tire & Rubber Company
-// https://www.iana.org/domains/root/db/dunlop.html
-dunlop
-
 // dupont : DuPont Specialty Products USA, LLC
 // https://www.iana.org/domains/root/db/dupont.html
 dupont
@@ -10694,7 +10710,7 @@
 // https://www.iana.org/domains/root/db/weather.html
 weather
 
-// weatherchannel : International Business Machines Corporation
+// weatherchannel : The Weather Company, LLC
 // https://www.iana.org/domains/root/db/weatherchannel.html
 weatherchannel
 
@@ -10966,7 +10982,7 @@
 // https://www.iana.org/domains/root/db/xn--fhbei.html
 كوم
 
-// xn--fiq228c5hs : TLD REGISTRY LIMITED OY
+// xn--fiq228c5hs : Beijing TLD Registry Technology Limited
 // https://www.iana.org/domains/root/db/xn--fiq228c5hs.html
 中文网
 
@@ -11574,7 +11590,7 @@
 
 // Amazon Managed Workflows for Apache Airflow
 // Submitted by AWS Security <psl-maintainers@amazon.com>
-// Reference: 2f697e23-58d6-4b97-be6b-77a26e811dad
+// Reference: bfd043cc-2816-451d-894e-612c6b61a438
 *.airflow.af-south-1.on.aws
 *.airflow.ap-east-1.on.aws
 *.airflow.ap-northeast-1.on.aws
@@ -11621,6 +11637,7 @@
 *.ap-southeast-3.airflow.amazonaws.com
 *.ap-southeast-4.airflow.amazonaws.com
 *.ap-southeast-5.airflow.amazonaws.com
+*.ap-southeast-7.airflow.amazonaws.com
 *.ca-central-1.airflow.amazonaws.com
 *.ca-west-1.airflow.amazonaws.com
 *.eu-central-1.airflow.amazonaws.com
@@ -11640,6 +11657,46 @@
 *.us-west-1.airflow.amazonaws.com
 *.us-west-2.airflow.amazonaws.com
 
+// Amazon Relational Database Service
+// Submitted by: AWS Security <psl-maintainers@amazon.com>
+// Reference: 5aa87906-fd4f-4831-8727-4ffca6094159
+*.rds.cn-north-1.amazonaws.com.cn
+*.rds.cn-northwest-1.amazonaws.com.cn
+*.af-south-1.rds.amazonaws.com
+*.ap-east-1.rds.amazonaws.com
+*.ap-east-2.rds.amazonaws.com
+*.ap-northeast-1.rds.amazonaws.com
+*.ap-northeast-2.rds.amazonaws.com
+*.ap-northeast-3.rds.amazonaws.com
+*.ap-south-1.rds.amazonaws.com
+*.ap-south-2.rds.amazonaws.com
+*.ap-southeast-1.rds.amazonaws.com
+*.ap-southeast-2.rds.amazonaws.com
+*.ap-southeast-3.rds.amazonaws.com
+*.ap-southeast-4.rds.amazonaws.com
+*.ap-southeast-5.rds.amazonaws.com
+*.ap-southeast-6.rds.amazonaws.com
+*.ap-southeast-7.rds.amazonaws.com
+*.ca-central-1.rds.amazonaws.com
+*.ca-west-1.rds.amazonaws.com
+*.eu-central-1.rds.amazonaws.com
+*.eu-central-2.rds.amazonaws.com
+*.eu-west-1.rds.amazonaws.com
+*.eu-west-2.rds.amazonaws.com
+*.eu-west-3.rds.amazonaws.com
+*.il-central-1.rds.amazonaws.com
+*.me-central-1.rds.amazonaws.com
+*.me-south-1.rds.amazonaws.com
+*.mx-central-1.rds.amazonaws.com
+*.sa-east-1.rds.amazonaws.com
+*.us-east-1.rds.amazonaws.com
+*.us-east-2.rds.amazonaws.com
+*.us-gov-east-1.rds.amazonaws.com
+*.us-gov-west-1.rds.amazonaws.com
+*.us-northeast-1.rds.amazonaws.com
+*.us-west-1.rds.amazonaws.com
+*.us-west-2.rds.amazonaws.com
+
 // Amazon S3
 // Submitted by AWS Security <psl-maintainers@amazon.com>
 // Reference: ada5c9df-55e1-4195-a1ce-732d6c81e357
@@ -12150,7 +12207,7 @@
 
 // AWS Elastic Beanstalk
 // Submitted by AWS Security <psl-maintainers@amazon.com>
-// Reference: bb5a965c-dec3-4967-aa22-e306ad064797
+// Reference: e4e02a54-eaf9-4fe7-b662-39ccbc011a04
 cn-north-1.eb.amazonaws.com.cn
 cn-northwest-1.eb.amazonaws.com.cn
 elasticbeanstalk.com
@@ -12163,14 +12220,18 @@
 ap-southeast-1.elasticbeanstalk.com
 ap-southeast-2.elasticbeanstalk.com
 ap-southeast-3.elasticbeanstalk.com
+ap-southeast-5.elasticbeanstalk.com
+ap-southeast-7.elasticbeanstalk.com
 ca-central-1.elasticbeanstalk.com
 eu-central-1.elasticbeanstalk.com
 eu-north-1.elasticbeanstalk.com
 eu-south-1.elasticbeanstalk.com
+eu-south-2.elasticbeanstalk.com
 eu-west-1.elasticbeanstalk.com
 eu-west-2.elasticbeanstalk.com
 eu-west-3.elasticbeanstalk.com
 il-central-1.elasticbeanstalk.com
+me-central-1.elasticbeanstalk.com
 me-south-1.elasticbeanstalk.com
 sa-east-1.elasticbeanstalk.com
 us-east-1.elasticbeanstalk.com
@@ -12191,6 +12252,32 @@
 // Reference: d916759d-a08b-4241-b536-4db887383a6a
 awsglobalaccelerator.com
 
+// AWS Lambda Function URLs
+// Submitted by AWS Security <psl-maintainers@amazon.com>
+// Reference: 57df74ca-0820-46a5-89ea-0f0d0c4714b7
+lambda-url.af-south-1.on.aws
+lambda-url.ap-east-1.on.aws
+lambda-url.ap-northeast-1.on.aws
+lambda-url.ap-northeast-2.on.aws
+lambda-url.ap-northeast-3.on.aws
+lambda-url.ap-south-1.on.aws
+lambda-url.ap-southeast-1.on.aws
+lambda-url.ap-southeast-2.on.aws
+lambda-url.ap-southeast-3.on.aws
+lambda-url.ca-central-1.on.aws
+lambda-url.eu-central-1.on.aws
+lambda-url.eu-north-1.on.aws
+lambda-url.eu-south-1.on.aws
+lambda-url.eu-west-1.on.aws
+lambda-url.eu-west-2.on.aws
+lambda-url.eu-west-3.on.aws
+lambda-url.me-south-1.on.aws
+lambda-url.sa-east-1.on.aws
+lambda-url.us-east-1.on.aws
+lambda-url.us-east-2.on.aws
+lambda-url.us-west-1.on.aws
+lambda-url.us-west-2.on.aws
+
 // AWS re:Post Private
 // Submitted by AWS Security <psl-maintainers@amazon.com>
 // Reference: 83385945-225f-416e-9aa0-ad0632bfdcee
@@ -12354,6 +12441,10 @@
 // Submitted by Jason Kridner <jkridner@beagleboard.org>
 beagleboard.io
 
+// Bear Blog : https://bearblog.dev
+// Submitted by Herman Martinus <admin@bearblog.dev>
+bearblog.dev
+
 // Beget Ltd
 // Submitted by Lev Nekrasov <lnekrasov@beget.com>
 *.beget.app
@@ -12449,6 +12540,10 @@
 canva-apps.cn
 my.canvasite.cn
 canva-apps.com
+canva-hosted-embed.com
+canvacode.com
+rice-labs.com
+canva.run
 my.canva.site
 
 // Carrd : https://carrd.co
@@ -12531,10 +12626,12 @@
 cloudns.be
 cloud-ip.biz
 cloudns.biz
+cloud-ip.cc
 cloudns.cc
 cloudns.ch
 cloudns.cl
 cloudns.club
+abrdns.com
 dnsabr.com
 ip-ddns.com
 cloudns.cx
@@ -12575,6 +12672,7 @@
 
 // Cloudflare, Inc. : https://www.cloudflare.com/
 // Submitted by Cloudflare Team <publicsuffixlist@cloudflare.com>
+cloudflare.app
 cf-ipfs.com
 cloudflare-ipfs.com
 trycloudflare.com
@@ -12632,8 +12730,9 @@
 *.devinapps.com
 
 // Combell.com : https://www.combell.com
-// Submitted by Thomas Wouters <thomas.wouters@combellgroup.com>
+// Submitted by Combell Team <support@combell.com>
 webhosting.be
+prvw.eu
 hosting-cluster.nl
 
 // Contentful GmbH : https://www.contentful.com
@@ -12762,6 +12861,15 @@
 deta.app
 deta.dev
 
+// Developed Methods LLC : https://methods.dev
+// Submitted by Patrick Lorio <security@playit.gg>
+*.at.ply.gg
+d6.ply.gg
+joinmc.link
+playit.plus
+*.at.playit.plus
+with.playit.plus
+
 // Dfinity Foundation: https://dfinity.org/
 // Submitted by Dfinity Team <domains@dfinity.org>
 icp0.io
@@ -12770,6 +12878,7 @@
 *.raw.icp1.io
 *.icp.net
 caffeine.site
+caffeine.xyz
 
 // dhosting.pl Sp. z o.o. : https://dhosting.pl/
 // Submitted by Michal Kokoszkiewicz <bok@dhosting.pl>
@@ -12801,6 +12910,10 @@
 // Submitted by Calvin Browne <calvin@dns.business>
 jozi.biz
 
+// DNSHE : https://de5.net
+// Submitted by DNSHE Team <support@dnshe.com>
+de5.net
+
 // DNShome : https://www.dnshome.de/
 // Submitted by Norbert Auler <mail@dnshome.de>
 dnshome.de
@@ -13173,6 +13286,11 @@
 elementor.cloud
 elementor.cool
 
+// Emergent : https://emergent.sh
+// Submitted by Emergent Security Team <security@emergent.sh>
+emergent.cloud
+emergent.host
+
 // En root‽ : https://en-root.org
 // Submitted by Emmanuel Raviart <emmanuel@raviart.com>
 en-root.fr
@@ -13413,6 +13531,7 @@
 // Figma : https://www.figma.com
 // Submitted by Nick Frost <psl@figma.com>
 figma.site
+figma-gov.site
 preview.site
 
 // Filegear Inc. : https://www.filegear.com
@@ -13549,6 +13668,10 @@
 // Submitted by GignoSystemJapan <kakutou-ec@gsj.bz>
 gsj.bz
 
+// GitBook Inc. : https://www.gitbook.com/
+// Submitted by Samy Pesse <devs@gitbook.com>
+gitbook.io
+
 // GitHub, Inc.
 // Submitted by Patrick Toomey <security@github.com>
 github.app
@@ -13739,6 +13862,10 @@
 // Submitted by Matt Yamkowy <info@grayjaysports.ca>
 grayjayleagues.com
 
+// Grebedoc : https://grebedoc.dev
+// Submitted by Catherine Zotova <admin@grebedoc.dev>
+grebedoc.dev
+
 // GünstigBestellen : https://günstigbestellen.de
 // Submitted by Furkan Akkoc <info@hendelzon.de>
 günstigbestellen.de
@@ -13988,10 +14115,6 @@
 // Submitted by William Harrison <webmaster@is-a-good.dev>
 is-a-good.dev
 
-// is-a.dev : https://is-a.dev
-// Submitted by William Harrison <security@is-a.dev>
-is-a.dev
-
 // IServ GmbH : https://iserv.de
 // Submitted by Kim Brodowski <info@iserv.de>
 iservschule.de
@@ -14003,6 +14126,10 @@
 iserv.dev
 iserv.host
 
+// Ispmanager : https://www.ispmanager.com/
+// Submitted by Ispmanager infrastructure team <infrastructure@ispmanager.com>
+ispmanager.name
+
 // Jelastic, Inc. : https://jelastic.com/
 // Submitted by Ihor Kolodyuk <ik@jelastic.com>
 mel.cloudlets.com.au
@@ -14088,8 +14215,9 @@
 // Submitted by Daniel Fariña <ingenieria@jotelulu.com>
 jote.cloud
 jotelulu.cloud
-jote-dr-lt1.com
-jote-rd-lt1.com
+eu1-plenit.com
+la1-plenit.com
+us1-plenit.com
 
 // JouwWeb B.V. : https://www.jouwweb.nl
 // Submitted by Camilo Sperberg <tech@webador.com>
@@ -14168,6 +14296,12 @@
 lpages.co
 lpusercontent.com
 
+// Leapcell : https://leapcell.io/
+// Submitted by Leapcell Team <support@leapcell.io>
+leapcell.app
+leapcell.dev
+leapcell.online
+
 // Liara : https://liara.ir
 // Submitted by Amirhossein Badinloo <info@liara.ir>
 liara.run
@@ -14216,10 +14350,6 @@
 // Submitted by Lann Martin <security@localcert.dev>
 *.user.localcert.dev
 
-// LocalCert : https://localcert.net
-// Submitted by William Harrison <security@localcert.net>
-localcert.net
-
 // Localtonet : https://localtonet.com/
 // Submitted by Burak Isleyici <support@localtonet.com>
 localtonet.com
@@ -14436,6 +14566,12 @@
 typo3server.info
 project.space
 
+// Mocha : https://getmocha.com
+// Submitted by Ben Reinhart <security@getmocha.com>
+mocha.app
+mochausercontent.com
+mocha-sandbox.dev
+
 // MODX Systems LLC : https://modx.com
 // Submitted by Elizabeth Southwell <elizabeth@modx.com>
 modx.dev
@@ -14470,6 +14606,14 @@
 // Submitted by Paulus Schoutsen <infra@nabucasa.com>
 ui.nabu.casa
 
+// Needle Tools GmbH : https://needle.tools
+// Submitted by Felix Herbst <security@needle.tools>
+needle.run
+
+// Neo : https://www.neo.space
+// Submitted by Ankit Kulkarni <devops@co.site>
+co.site
+
 // Net at Work Gmbh : https://www.netatwork.de
 // Submitted by Jan Jaeschke <jan.jaeschke@netatwork.de>
 cloud.nospamproxy.com
@@ -14479,10 +14623,6 @@
 // Submitted by Philippe PITTOLI <security@netlib.re>
 netlib.re
 
-// Netfy Domains : https://netfy.domains
-// Submitted by Suranga Ranasinghe <security@mavicsoft.com>
-netfy.app
-
 // Netlify : https://www.netlify.com
 // Submitted by Jessica Parsons <jessica@netlify.com>
 netlify.app
@@ -14712,6 +14852,7 @@
 123website.nl
 123hjemmeside.no
 service.one
+website.one
 simplesite.pl
 123paginaweb.pt
 123minsida.se
@@ -15440,10 +15581,11 @@
 myspreadshop.co.uk
 
 // StackBlitz : https://stackblitz.com
-// Submitted by Dominic Elm <hello@stackblitz.com>
+// Submitted by Dominic Elm & Albert Pai <security@bolt.new>
 w-corp-staticblitz.com
 w-credentialless-staticblitz.com
 w-staticblitz.com
+bolt.host
 
 // Stackhero : https://www.stackhero.io
 // Submitted by Adrien Gillon <adrien+public-suffix-list@stackhero.io>
@@ -15467,6 +15609,10 @@
 // Submitted by Jacob Lee <jacob@stdlib.com>
 api.stdlib.com
 
+// statichost.eu : https://www.statichost.eu
+// Submitted by Eric Selin <admin@statichost.eu>
+statichost.page
+
 // stereosense GmbH : https://www.involve.me
 // Submitted by Florian Burmann <publicsuffix@involve.me>
 feedback.ac
@@ -15600,8 +15746,9 @@
 tche.br
 
 // team.blue : https://team.blue
-// Submitted by Cedric Dubois <cedric.dubois@team.blue>
+// Submitted by Cedric Dubois <psl-sh@team.blue>
 site.tb-hosting.com
+directwp.eu
 
 // Teckids e.V. : https://www.teckids.org
 // Submitted by Dominik George <dominik.george@teckids.org>
@@ -15680,6 +15827,10 @@
 site.transip.me
 *.transurl.nl
 
+// Tunnelmole: https://tunnelmole.com
+// Submitted by Robbie Cahill <support@tunnelmole.com>
+tunnelmole.net
+
 // TuxFamily : http://tuxfamily.org
 // Submitted by TuxFamily administrators <adm@staff.tuxfamily.org>
 tuxfamily.org
@@ -15723,6 +15874,10 @@
 // Submitted by ITComdomains <to@it.com>
 it.com
 
+// Umso Software Inc. : https://www.umso.com
+// Submitted by Alexis Taylor <security@umso.com>
+umso.co
+
 // Unison Computing, PBC : https://unison.cloud
 // Submitted by Simon Højberg <security@unison.cloud>
 unison-services.cloud
@@ -15813,6 +15968,10 @@
 // Submitted by Max Spector <info@walrus.xyz>
 wal.app
 
+// Wasmer: https://wasmer.io
+// Submitted by Lorentz Kinde <security@wasmer.io>
+wasmer.app
+
 // Webflow, Inc. : https://www.webflow.com
 // Submitted by Webflow Security Team <security@webflow.com>
 webflow.io
@@ -15863,11 +16022,11 @@
 wmflabs.org
 
 // William Harrison : https://wharrison.com.au
-// Submitted by William Harrison <security@wharrison.com.au>
-wdh.app
-hrsn.au
+// Submitted by William Harrison <security@hrsn.net>
 vps.hrsn.au
 hrsn.dev
+is-a.dev
+localcert.net
 
 // Windsurf : https://windsurf.com
 // Submitted by Douglas Chen <psl@windsurf.com>
@@ -15914,6 +16073,7 @@
 
 // XenonCloud GbR : https://xenoncloud.net
 // Submitted by Julian Uphoff <publicsuffixlist@xenoncloud.net>
+*.xenonconnect.de
 half.host
 
 // XnBay Technology : http://www.xnbay.com/
@@ -15928,6 +16088,10 @@
 demon.nl
 xs4all.space
 
+// xTool : https://xtool.com
+// Submitted by Echo <admin@xtool.com>
+xtooldevice.com
+
 // Yandex.Cloud LLC : https://cloud.yandex.com
 // Submitted by Alexander Lodin <security+psl@yandex-team.ru>
 yandexcloud.net
diff -Nru pdns-recursor-5.2.6/pdns_recursor.1 pdns-recursor-5.2.7/pdns_recursor.1
--- pdns-recursor-5.2.6/pdns_recursor.1	2025-09-25 09:54:23.000000000 +0000
+++ pdns-recursor-5.2.7/pdns_recursor.1	2025-11-25 13:42:29.000000000 +0000
@@ -27,7 +27,7 @@
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "PDNS_RECURSOR" "1" "Sep 25, 2025" "" "PowerDNS Recursor"
+.TH "PDNS_RECURSOR" "1" "Nov 25, 2025" "" "PowerDNS Recursor"
 .SH NAME
 pdns_recursor \- The PowerDNS Recursor binary
 .SH SYNOPSIS
diff -Nru pdns-recursor-5.2.6/pubsuffix.cc pdns-recursor-5.2.7/pubsuffix.cc
--- pdns-recursor-5.2.6/pubsuffix.cc	2025-09-25 09:54:23.000000000 +0000
+++ pdns-recursor-5.2.7/pubsuffix.cc	2025-11-25 13:42:30.000000000 +0000
@@ -223,6 +223,20 @@
 "org.bb",
 "store.bb",
 "tv.bb",
+"ac.bd",
+"ai.bd",
+"co.bd",
+"com.bd",
+"edu.bd",
+"gov.bd",
+"id.bd",
+"info.bd",
+"it.bd",
+"mil.bd",
+"net.bd",
+"org.bd",
+"sch.bd",
+"tv.bd",
 "ac.be",
 "gov.bf",
 "0.bg",
@@ -782,7 +796,9 @@
 "ac.fj",
 "biz.fj",
 "com.fj",
+"edu.fj",
 "gov.fj",
+"id.fj",
 "info.fj",
 "mil.fj",
 "name.fj",
@@ -971,6 +987,7 @@
 "ac.in",
 "ai.in",
 "am.in",
+"bank.in",
 "bihar.in",
 "biz.in",
 "business.in",
@@ -984,6 +1001,7 @@
 "dr.in",
 "edu.in",
 "er.in",
+"fin.in",
 "firm.in",
 "gen.in",
 "gov.in",
@@ -3630,7 +3648,6 @@
 "bievat.no",
 "bindal.no",
 "birkenes.no",
-"bjarkoy.no",
 "bjerkreim.no",
 "bjugn.no",
 "bodo.no",
@@ -3849,7 +3866,6 @@
 "sande.more-og-romsdal.no",
 "moskenes.no",
 "moss.no",
-"mosvik.no",
 "muosat.no",
 "naamesjevuemie.no",
 "namdalseid.no",
@@ -5018,6 +5034,7 @@
 "firm.ve",
 "gob.ve",
 "gov.ve",
+"ia.ve",
 "info.ve",
 "int.ve",
 "mil.ve",
@@ -5871,14 +5888,18 @@
 "ap-southeast-1.elasticbeanstalk.com",
 "ap-southeast-2.elasticbeanstalk.com",
 "ap-southeast-3.elasticbeanstalk.com",
+"ap-southeast-5.elasticbeanstalk.com",
+"ap-southeast-7.elasticbeanstalk.com",
 "ca-central-1.elasticbeanstalk.com",
 "eu-central-1.elasticbeanstalk.com",
 "eu-north-1.elasticbeanstalk.com",
 "eu-south-1.elasticbeanstalk.com",
+"eu-south-2.elasticbeanstalk.com",
 "eu-west-1.elasticbeanstalk.com",
 "eu-west-2.elasticbeanstalk.com",
 "eu-west-3.elasticbeanstalk.com",
 "il-central-1.elasticbeanstalk.com",
+"me-central-1.elasticbeanstalk.com",
 "me-south-1.elasticbeanstalk.com",
 "sa-east-1.elasticbeanstalk.com",
 "us-east-1.elasticbeanstalk.com",
@@ -5888,6 +5909,28 @@
 "us-west-1.elasticbeanstalk.com",
 "us-west-2.elasticbeanstalk.com",
 "awsglobalaccelerator.com",
+"lambda-url.af-south-1.on.aws",
+"lambda-url.ap-east-1.on.aws",
+"lambda-url.ap-northeast-1.on.aws",
+"lambda-url.ap-northeast-2.on.aws",
+"lambda-url.ap-northeast-3.on.aws",
+"lambda-url.ap-south-1.on.aws",
+"lambda-url.ap-southeast-1.on.aws",
+"lambda-url.ap-southeast-2.on.aws",
+"lambda-url.ap-southeast-3.on.aws",
+"lambda-url.ca-central-1.on.aws",
+"lambda-url.eu-central-1.on.aws",
+"lambda-url.eu-north-1.on.aws",
+"lambda-url.eu-south-1.on.aws",
+"lambda-url.eu-west-1.on.aws",
+"lambda-url.eu-west-2.on.aws",
+"lambda-url.eu-west-3.on.aws",
+"lambda-url.me-south-1.on.aws",
+"lambda-url.sa-east-1.on.aws",
+"lambda-url.us-east-1.on.aws",
+"lambda-url.us-east-2.on.aws",
+"lambda-url.us-west-1.on.aws",
+"lambda-url.us-west-2.on.aws",
 "transfer-webapp.af-south-1.on.aws",
 "transfer-webapp.ap-east-1.on.aws",
 "transfer-webapp.ap-northeast-1.on.aws",
@@ -5964,6 +6007,7 @@
 "shopselect.net",
 "base.shop",
 "beagleboard.io",
+"bearblog.dev",
 "pages.gay",
 "bnr.la",
 "bitbucket.io",
@@ -5997,6 +6041,10 @@
 "canva-apps.cn",
 "my.canvasite.cn",
 "canva-apps.com",
+"canva-hosted-embed.com",
+"canvacode.com",
+"rice-labs.com",
+"canva.run",
 "my.canva.site",
 "drr.ac",
 "uwu.ai",
@@ -6044,10 +6092,12 @@
 "cloudns.be",
 "cloud-ip.biz",
 "cloudns.biz",
+"cloud-ip.cc",
 "cloudns.cc",
 "cloudns.ch",
 "cloudns.cl",
 "cloudns.club",
+"abrdns.com",
 "dnsabr.com",
 "ip-ddns.com",
 "cloudns.cx",
@@ -6072,6 +6122,7 @@
 "freesite.host",
 "cloudaccess.net",
 "cloudbeesusercontent.io",
+"cloudflare.app",
 "cf-ipfs.com",
 "cloudflare-ipfs.com",
 "trycloudflare.com",
@@ -6098,6 +6149,7 @@
 "co.nl",
 "co.no",
 "webhosting.be",
+"prvw.eu",
 "hosting-cluster.nl",
 "ctfcloud.net",
 "convex.app",
@@ -6158,9 +6210,14 @@
 "dedyn.io",
 "deta.app",
 "deta.dev",
+"d6.ply.gg",
+"joinmc.link",
+"playit.plus",
+"with.playit.plus",
 "icp0.io",
 "icp1.io",
 "caffeine.site",
+"caffeine.xyz",
 "dfirma.pl",
 "dkonto.pl",
 "you2.pl",
@@ -6172,6 +6229,7 @@
 "discordsays.com",
 "discordsez.com",
 "jozi.biz",
+"de5.net",
 "dnshome.de",
 "online.th",
 "shop.th",
@@ -6490,6 +6548,8 @@
 "rt.ht",
 "elementor.cloud",
 "elementor.cool",
+"emergent.cloud",
+"emergent.host",
 "en-root.fr",
 "mytuleap.com",
 "tuleap-partners.com",
@@ -6669,6 +6729,7 @@
 "mydobiss.com",
 "fh-muenster.io",
 "figma.site",
+"figma-gov.site",
 "preview.site",
 "filegear.me",
 "firebaseapp.com",
@@ -6730,6 +6791,7 @@
 "gentlentapis.com",
 "cdn-edges.net",
 "gsj.bz",
+"gitbook.io",
 "github.app",
 "githubusercontent.com",
 "githubpreview.dev",
@@ -6868,6 +6930,7 @@
 "gov.nl",
 "grafana-dev.net",
 "grayjayleagues.com",
+"grebedoc.dev",
 "hackclub.app",
 "hashbang.sh",
 "hasura.app",
@@ -6983,7 +7046,6 @@
 "ipifony.net",
 "ir.md",
 "is-a-good.dev",
-"is-a.dev",
 "iservschule.de",
 "mein-iserv.de",
 "schuldock.de",
@@ -6992,6 +7054,7 @@
 "test-iserv.de",
 "iserv.dev",
 "iserv.host",
+"ispmanager.name",
 "mel.cloudlets.com.au",
 "cloud.interhostsolutions.be",
 "alp1.ae.flow.ch",
@@ -7065,8 +7128,9 @@
 "myjino.ru",
 "jote.cloud",
 "jotelulu.cloud",
-"jote-dr-lt1.com",
-"jote-rd-lt1.com",
+"eu1-plenit.com",
+"la1-plenit.com",
+"us1-plenit.com",
 "webadorsite.com",
 "jouwweb.site",
 "js.org",
@@ -7093,6 +7157,9 @@
 "leadpages.co",
 "lpages.co",
 "lpusercontent.com",
+"leapcell.app",
+"leapcell.dev",
+"leapcell.online",
 "liara.run",
 "iran.liara.run",
 "libp2p.direct",
@@ -7111,7 +7178,6 @@
 "we.bs",
 "filegear-sg.me",
 "ggff.net",
-"localcert.net",
 "localtonet.com",
 "lodz.pl",
 "pabianice.pl",
@@ -7232,6 +7298,9 @@
 "mittwaldserver.info",
 "typo3server.info",
 "project.space",
+"mocha.app",
+"mochausercontent.com",
+"mocha-sandbox.dev",
 "modx.dev",
 "bmoattachments.org",
 "net.ru",
@@ -7251,10 +7320,11 @@
 "yali.mythic-beasts.com",
 "cust.retrosnub.co.uk",
 "ui.nabu.casa",
+"needle.run",
+"co.site",
 "cloud.nospamproxy.com",
 "o365.cloud.nospamproxy.com",
 "netlib.re",
-"netfy.app",
 "netlify.app",
 "4u.com",
 "nfshost.com",
@@ -7408,6 +7478,7 @@
 "123website.nl",
 "123hjemmeside.no",
 "service.one",
+"website.one",
 "simplesite.pl",
 "123paginaweb.pt",
 "123minsida.se",
@@ -7740,6 +7811,7 @@
 "w-corp-staticblitz.com",
 "w-credentialless-staticblitz.com",
 "w-staticblitz.com",
+"bolt.host",
 "stackhero-network.com",
 "runs.onstackit.cloud",
 "stackit.gg",
@@ -7749,6 +7821,7 @@
 "musician.io",
 "novecore.site",
 "api.stdlib.com",
+"statichost.page",
 "feedback.ac",
 "forms.ac",
 "assessments.cx",
@@ -7816,6 +7889,7 @@
 "p.tawkto.email",
 "tche.br",
 "site.tb-hosting.com",
+"directwp.eu",
 "edugit.io",
 "s3.teckids.org",
 "telebit.app",
@@ -7857,6 +7931,7 @@
 "webspace.rocks",
 "lima.zone",
 "site.transip.me",
+"tunnelmole.net",
 "tuxfamily.org",
 "dd-dns.de",
 "dray-dns.de",
@@ -7879,6 +7954,7 @@
 "ltd.hk",
 "hk.org",
 "it.com",
+"umso.co",
 "unison-services.cloud",
 "virtual-user.de",
 "virtualuser.de",
@@ -7909,6 +7985,7 @@
 "voorloper.cloud",
 "wafflecell.com",
 "wal.app",
+"wasmer.app",
 "webflow.io",
 "webflowtest.io",
 "bookonline.app",
@@ -7929,10 +8006,10 @@
 "wmcloud.org",
 "beta.wmcloud.org",
 "wmflabs.org",
-"wdh.app",
-"hrsn.au",
 "vps.hrsn.au",
 "hrsn.dev",
+"is-a.dev",
+"localcert.net",
 "windsurf.app",
 "windsurf.build",
 "panel.gg",
@@ -7961,6 +8038,7 @@
 "cistron.nl",
 "demon.nl",
 "xs4all.space",
+"xtooldevice.com",
 "yandexcloud.net",
 "storage.yandexcloud.net",
 "website.yandexcloud.net",
diff -Nru pdns-recursor-5.2.6/rec-tcp.cc pdns-recursor-5.2.7/rec-tcp.cc
--- pdns-recursor-5.2.6/rec-tcp.cc	2025-09-25 09:52:40.000000000 +0000
+++ pdns-recursor-5.2.7/rec-tcp.cc	2025-11-25 13:24:50.000000000 +0000
@@ -250,7 +250,7 @@
   int d_fd{-1};
 };
 
-static void handleNotify(std::unique_ptr<DNSComboWriter>& comboWriter, const DNSName& qname)
+[[nodiscard]] static bool handleNotify(std::unique_ptr<DNSComboWriter>& comboWriter, const DNSName& qname)
 {
   if (!t_allowNotifyFrom || !t_allowNotifyFrom->match(comboWriter->d_mappedSource)) {
     if (!g_quiet) {
@@ -259,18 +259,19 @@
     }
 
     t_Counters.at(rec::Counter::sourceDisallowedNotify)++;
-    return;
+    return false;
   }
 
   if (!isAllowNotifyForZone(qname)) {
     if (!g_quiet) {
       SLOG(g_log << Logger::Error << "[" << g_multiTasker->getTid() << "] dropping TCP NOTIFY from " << comboWriter->d_mappedSource.toString() << ", for " << qname.toLogString() << ", zone not matched by allow-notify-for" << endl,
-           g_slogtcpin->info(Logr::Error, "Dropping TCP NOTIFY,  zone not matched by allow-notify-for", "source", Logging::Loggable(comboWriter->d_mappedSource), "zone", Logging::Loggable(qname)));
+           g_slogtcpin->info(Logr::Error, "Dropping TCP NOTIFY, zone not matched by allow-notify-for", "source", Logging::Loggable(comboWriter->d_mappedSource), "zone", Logging::Loggable(qname)));
     }
 
     t_Counters.at(rec::Counter::zoneDisallowedNotify)++;
-    return;
+    return false;
   }
+  return true;
 }
 
 static void doProtobufLogQuery(bool logQuery, LocalStateHolder<LuaConfigItems>& luaconfsLocal, const std::unique_ptr<DNSComboWriter>& comboWriter, const DNSName& qname, QType qtype, QClass qclass, const dnsheader* dnsheader, const shared_ptr<TCPConnection>& conn, const boost::optional<uint32_t>& ednsVersion)
@@ -429,7 +430,9 @@
     }
 
     if (comboWriter->d_mdp.d_header.opcode == static_cast<unsigned>(Opcode::Notify)) {
-      handleNotify(comboWriter, qname);
+      if (!handleNotify(comboWriter, qname)) {
+        return;
+      }
     }
 
     string response;
diff -Nru pdns-recursor-5.2.6/rec_control.1 pdns-recursor-5.2.7/rec_control.1
--- pdns-recursor-5.2.6/rec_control.1	2025-09-25 09:54:23.000000000 +0000
+++ pdns-recursor-5.2.7/rec_control.1	2025-11-25 13:42:29.000000000 +0000
@@ -27,7 +27,7 @@
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "REC_CONTROL" "1" "Sep 25, 2025" "" "PowerDNS Recursor"
+.TH "REC_CONTROL" "1" "Nov 25, 2025" "" "PowerDNS Recursor"
 .SH NAME
 rec_control \- Command line tool to control a running Recursor
 .SH SYNOPSIS