Version in base suite: 5.2.8-0+deb13u1 Base version: pdns-recursor_5.2.8-0+deb13u1 Target version: pdns-recursor_5.2.9-0+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/pdns-recursor/pdns-recursor_5.2.8-0+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/p/pdns-recursor/pdns-recursor_5.2.9-0+deb13u1.dsc Makefile.am | 2 Makefile.in | 2 aggressive_nsec.cc | 51 ++++++++---- aggressive_nsec.hh | 3 configure | 20 ++--- configure.ac | 2 debian/changelog | 8 ++ effective_tld_names.dat | 166 +++++++++++++++++++++++++++++++----------- ext/yahttp/yahttp/reqresp.cpp | 29 +++++-- ext/yahttp/yahttp/reqresp.hpp | 16 +++- filterpo.hh | 19 ++++ negcache.cc | 21 ++++- negcache.hh | 22 +++++ pdns_recursor.1 | 2 pubsuffix.cc | 65 +++++++++++++++- rec-main.cc | 2 rec_control.1 | 2 rpzloader.cc | 6 + test-aggressive_nsec_cc.cc | 22 +++++ test-negcache_cc.cc | 33 ++++++++ zonemd.cc | 4 - 21 files changed, 404 insertions(+), 93 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbp3c6g8p/pdns-recursor_5.2.8-0+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbp3c6g8p/pdns-recursor_5.2.9-0+deb13u1.dsc: no acceptable signature found diff -Nru pdns-recursor-5.2.8/Makefile.am pdns-recursor-5.2.9/Makefile.am --- pdns-recursor-5.2.8/Makefile.am 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/Makefile.am 2026-04-07 07:48:30.000000000 +0000 @@ -583,7 +583,7 @@ .venv: docs/requirements.txt $(PYTHON) -m venv .venv - .venv/bin/pip install -U pip setuptools setuptools-git wheel + .venv/bin/pip install -U pip "setuptools<82" .venv/bin/pip install -r ${top_srcdir}/docs/requirements.txt html-docs: docs/** .venv diff -Nru pdns-recursor-5.2.8/Makefile.in pdns-recursor-5.2.9/Makefile.in --- pdns-recursor-5.2.8/Makefile.in 2026-01-21 11:13:08.000000000 +0000 +++ pdns-recursor-5.2.9/Makefile.in 2026-04-07 07:49:38.000000000 +0000 @@ -2867,7 +2867,7 @@ @HAVE_VENV_TRUE@.venv: docs/requirements.txt @HAVE_VENV_TRUE@ $(PYTHON) -m venv .venv -@HAVE_VENV_TRUE@ .venv/bin/pip install -U pip setuptools setuptools-git wheel +@HAVE_VENV_TRUE@ .venv/bin/pip install -U pip "setuptools<82" @HAVE_VENV_TRUE@ .venv/bin/pip install -r ${top_srcdir}/docs/requirements.txt @HAVE_VENV_TRUE@html-docs: docs/** .venv diff -Nru pdns-recursor-5.2.8/aggressive_nsec.cc pdns-recursor-5.2.9/aggressive_nsec.cc --- pdns-recursor-5.2.8/aggressive_nsec.cc 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/aggressive_nsec.cc 2026-04-07 07:48:30.000000000 +0000 @@ -31,6 +31,7 @@ std::unique_ptr g_aggressiveNSECCache{nullptr}; uint64_t AggressiveNSECCache::s_nsec3DenialProofMaxCost{0}; uint8_t AggressiveNSECCache::s_maxNSEC3CommonPrefix = AggressiveNSECCache::s_default_maxNSEC3CommonPrefix; +uint32_t AggressiveNSECCache::s_maxEntrySize{8192}; /* this is defined in syncres.hh and we are not importing that here */ extern std::unique_ptr g_recCache; @@ -257,6 +258,25 @@ return length > bound; } +size_t AggressiveNSECCache::ZoneEntry::CacheEntry::sizeEstimate() const +{ + size_t ret = sizeof(AggressiveNSECCache::ZoneEntry::CacheEntry); + if (d_record) { + ret += d_record->serialize(g_rootdnsname, true).size(); + } + for (const auto& entry : d_signatures) { + if (entry) { + ret += sizeof(RRSIGRecordContent); + ret += entry->d_signer.wirelength(); + ret += entry->d_signature.size(); + } + } + ret += d_owner.wirelength(); + ret += d_next.wirelength(); + ret += d_qname.wirelength(); + return ret; +} + // If the NSEC3 hashes have a long common prefix, they deny only a small subset of all possible hashes // So don't take the trouble to store those. bool AggressiveNSECCache::isSmallCoveringNSEC3(const DNSName& owner, const std::string& nextHash) @@ -341,26 +361,22 @@ zoneEntry->d_entries.clear(); } } + DNSName realOwner = owner; + if (!nsec3 && isWildcardExpanded(owner.countLabels(), *signatures.at(0))) { + realOwner = getNSECOwnerName(owner, signatures); + } + ZoneEntry::CacheEntry cacheEntry{record.getContent(), signatures, realOwner, next, qname, record.d_ttl, qtype}; + if (s_maxEntrySize > 0 && cacheEntry.sizeEstimate() > s_maxEntrySize) { + return; + } /* the TTL is already a TTD by now */ - if (!nsec3 && isWildcardExpanded(owner.countLabels(), *signatures.at(0))) { - DNSName realOwner = getNSECOwnerName(owner, signatures); - auto pair = zoneEntry->d_entries.insert({record.getContent(), signatures, realOwner, next, qname, record.d_ttl, qtype}); - if (pair.second) { - ++d_entriesCount; - } - else { - zoneEntry->d_entries.replace(pair.first, {record.getContent(), signatures, std::move(realOwner), std::move(next), qname, record.d_ttl, qtype}); - } + auto pair = zoneEntry->d_entries.emplace(cacheEntry); + if (pair.second) { + ++d_entriesCount; } else { - auto pair = zoneEntry->d_entries.insert({record.getContent(), signatures, owner, next, qname, record.d_ttl, qtype}); - if (pair.second) { - ++d_entriesCount; - } - else { - zoneEntry->d_entries.replace(pair.first, {record.getContent(), signatures, owner, std::move(next), qname, record.d_ttl, qtype}); - } + zoneEntry->d_entries.replace(pair.first, std::move(cacheEntry)); } } } @@ -865,6 +881,9 @@ VLOG_NO_PREFIX(log, ": found a possible NSEC at " << wcEntry.d_owner << " "); auto nsecContent = std::dynamic_pointer_cast(wcEntry.d_record); + if (!nsecContent) { + return false; + } denial = matchesNSEC(wc, type.getCode(), wcEntry.d_owner, *nsecContent, wcEntry.d_signatures, log); if (denial == dState::NODENIAL || denial == dState::INCONCLUSIVE) { diff -Nru pdns-recursor-5.2.8/aggressive_nsec.hh pdns-recursor-5.2.9/aggressive_nsec.hh --- pdns-recursor-5.2.8/aggressive_nsec.hh 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/aggressive_nsec.hh 2026-04-07 07:48:30.000000000 +0000 @@ -45,6 +45,7 @@ static constexpr uint8_t s_default_maxNSEC3CommonPrefix = 10; static uint64_t s_nsec3DenialProofMaxCost; static uint8_t s_maxNSEC3CommonPrefix; + static uint32_t s_maxEntrySize; AggressiveNSECCache(uint64_t entries) : d_maxEntries(entries) @@ -130,6 +131,8 @@ DNSName d_qname; // of the query data that lead to this entry being created/updated time_t d_ttd; QType d_qtype; // of the query data that lead to this entry being created/updated + + [[nodiscard]] size_t sizeEstimate() const; }; typedef multi_index_container< diff -Nru pdns-recursor-5.2.8/configure pdns-recursor-5.2.9/configure --- pdns-recursor-5.2.8/configure 2026-01-21 11:13:07.000000000 +0000 +++ pdns-recursor-5.2.9/configure 2026-04-07 07:49:37.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for pdns-recursor 5.2.8. +# Generated by GNU Autoconf 2.71 for pdns-recursor 5.2.9. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='pdns-recursor' PACKAGE_TARNAME='pdns-recursor' -PACKAGE_VERSION='5.2.8' -PACKAGE_STRING='pdns-recursor 5.2.8' +PACKAGE_VERSION='5.2.9' +PACKAGE_STRING='pdns-recursor 5.2.9' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1588,7 +1588,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pdns-recursor 5.2.8 to adapt to many kinds of systems. +\`configure' configures pdns-recursor 5.2.9 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1659,7 +1659,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pdns-recursor 5.2.8:";; + short | recursive ) echo "Configuration of pdns-recursor 5.2.9:";; esac cat <<\_ACEOF @@ -1859,7 +1859,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pdns-recursor configure 5.2.8 +pdns-recursor configure 5.2.9 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2348,7 +2348,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pdns-recursor $as_me 5.2.8, which was +It was created by pdns-recursor $as_me 5.2.9, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3844,7 +3844,7 @@ # Define the identity of the package. PACKAGE='pdns-recursor' - VERSION='5.2.8' + VERSION='5.2.9' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -31013,7 +31013,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pdns-recursor $as_me 5.2.8, which was +This file was extended by pdns-recursor $as_me 5.2.9, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -31081,7 +31081,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -pdns-recursor config.status 5.2.8 +pdns-recursor config.status 5.2.9 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -Nru pdns-recursor-5.2.8/configure.ac pdns-recursor-5.2.9/configure.ac --- pdns-recursor-5.2.8/configure.ac 2026-01-21 11:12:59.000000000 +0000 +++ pdns-recursor-5.2.9/configure.ac 2026-04-07 07:49:29.000000000 +0000 @@ -1,6 +1,6 @@ AC_PREREQ([2.69]) -AC_INIT([pdns-recursor], [5.2.8]) +AC_INIT([pdns-recursor], [5.2.9]) AC_CONFIG_AUX_DIR([build-aux]) AM_INIT_AUTOMAKE([foreign dist-bzip2 no-dist-gzip tar-ustar -Wno-portability subdir-objects parallel-tests 1.11]) AM_SILENT_RULES([yes]) diff -Nru pdns-recursor-5.2.8/debian/changelog pdns-recursor-5.2.9/debian/changelog --- pdns-recursor-5.2.8/debian/changelog 2026-02-11 22:05:53.000000000 +0000 +++ pdns-recursor-5.2.9/debian/changelog 2026-04-26 19:04:28.000000000 +0000 @@ -1,3 +1,11 @@ +pdns-recursor (5.2.9-0+deb13u1) trixie-security; urgency=medium + + * New upstream version 5.2.9, fixing CVE-2026-33257, CVE-2026-33258, + CVE-2026-33259, CVE-2026-33260, CVE-2026-33261, CVE-2026-33601, + CVE-2026-33600. + + -- Chris Hofstaedtler Sun, 26 Apr 2026 21:04:28 +0200 + pdns-recursor (5.2.8-0+deb13u1) trixie-security; urgency=medium * New upstream version 5.2.8, fixing CVE-2026-24027 CVE-2026-0398 diff -Nru pdns-recursor-5.2.8/effective_tld_names.dat pdns-recursor-5.2.9/effective_tld_names.dat --- pdns-recursor-5.2.8/effective_tld_names.dat 2026-01-21 11:13:52.000000000 +0000 +++ pdns-recursor-5.2.9/effective_tld_names.dat 2026-04-07 07:50:25.000000000 +0000 @@ -5,8 +5,8 @@ // Please pull this list from, and only from https://publicsuffix.org/list/public_suffix_list.dat, // rather than any other VCS sites. Pulling from any other URL is not guaranteed to be supported. -// VERSION: 2026-01-20_07-55-41_UTC -// COMMIT: d372af084b07ad6f6d26b3d63abeee1738456c09 +// VERSION: 2026-04-02_06-25-15_UTC +// COMMIT: ba7dbf3ec5e7d7024a32ea7fa724a3a2b2c7d56f // Instructions on pulling and using this list can be found at https://publicsuffix.org/list/. @@ -3824,8 +3824,14 @@ net.kg org.kg -// kh : http://www.mptc.gov.kh/dns_registration.htm -*.kh +// kh : https://trc.gov.kh +// Submitted by khnic@trc.gov.kh +kh +com.kh +edu.kh +gov.kh +net.kh +org.kh // ki : https://www.iana.org/domains/root/db/ki.html ki @@ -6421,6 +6427,7 @@ hatinh.vn haugiang.vn hoabinh.vn +hue.vn hungyen.vn khanhhoa.vn kiengiang.vn @@ -6817,7 +6824,7 @@ // newGTLDs -// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2026-01-08T15:25:34Z +// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2026-02-18T15:51:43Z // This list is auto-generated, don't edit it manually. // aaa : American Automobile Association, Inc. // https://www.iana.org/domains/root/db/aaa.html @@ -8395,10 +8402,6 @@ // https://www.iana.org/domains/root/db/golf.html golf -// goo : NTT DOCOMO, INC. -// https://www.iana.org/domains/root/db/goo.html -goo - // goodyear : The Goodyear Tire & Rubber Company // https://www.iana.org/domains/root/db/goodyear.html goodyear @@ -9479,7 +9482,7 @@ // https://www.iana.org/domains/root/db/ong.html ong -// onl : iRegistry GmbH +// onl : Jolly Host, LLC // https://www.iana.org/domains/root/db/onl.html onl @@ -9755,7 +9758,7 @@ // https://www.iana.org/domains/root/db/racing.html racing -// radio : European Broadcasting Union (EBU) +// radio : Digity, LLC // https://www.iana.org/domains/root/db/radio.html radio @@ -10707,7 +10710,7 @@ // https://www.iana.org/domains/root/db/watches.html watches -// weather : International Business Machines Corporation +// weather : The Weather Company, LLC // https://www.iana.org/domains/root/db/weather.html weather @@ -10747,7 +10750,7 @@ // https://www.iana.org/domains/root/db/whoswho.html whoswho -// wien : punkt.wien GmbH +// wien : domainworx Service & Management GmbH // https://www.iana.org/domains/root/db/wien.html wien @@ -10779,10 +10782,6 @@ // https://www.iana.org/domains/root/db/wme.html wme -// wolterskluwer : Wolters Kluwer N.V. -// https://www.iana.org/domains/root/db/wolterskluwer.html -wolterskluwer - // woodside : Woodside Petroleum Limited // https://www.iana.org/domains/root/db/woodside.html woodside @@ -11273,12 +11272,6 @@ wroc.pl zakopane.pl -// 12CHARS : https://12chars.com -// Submitted by Kenny Niehage -12chars.dev -12chars.it -12chars.pro - // 1GB LLC : https://www.1gb.ua/ // Submitted by 1GB LLC cc.ua @@ -11376,6 +11369,8 @@ // Alibaba Cloud API Gateway // Submitted by Alibaba Cloud Security alibabacloudcs.com +ms.fun +ms.show // all-inkl.com : https://all-inkl.com // Submitted by Werner Kaltofen @@ -11442,7 +11437,7 @@ // Amazon Cognito // Submitted by AWS Security -// Reference: e7c02dc1-02f4-4a23-bde3-a8527c830127 +// Reference: d7d4a954-976e-403e-a010-de9ed0cfbbd1 auth.af-south-1.amazoncognito.com auth.ap-east-1.amazoncognito.com auth.ap-northeast-1.amazoncognito.com @@ -11481,6 +11476,7 @@ auth-fips.us-west-1.amazoncognito.com auth.us-west-2.amazoncognito.com auth-fips.us-west-2.amazoncognito.com +auth.cognito-idp.eusc-de-east-1.on.amazonwebservices.eu // Amazon EC2 // Submitted by Luke Wells @@ -11704,7 +11700,7 @@ // Amazon S3 // Submitted by AWS Security -// Reference: ada5c9df-55e1-4195-a1ce-732d6c81e357 +// Reference: 6f374c1c-1cc9-47de-8b2a-69ca56a3a3b6 s3.dualstack.cn-north-1.amazonaws.com.cn s3-accesspoint.dualstack.cn-north-1.amazonaws.com.cn s3-website.dualstack.cn-north-1.amazonaws.com.cn @@ -11970,6 +11966,7 @@ s3-accesspoint.dualstack.us-gov-east-1.amazonaws.com s3-accesspoint-fips.dualstack.us-gov-east-1.amazonaws.com s3-fips.dualstack.us-gov-east-1.amazonaws.com +s3-website.dualstack.us-gov-east-1.amazonaws.com s3.us-gov-east-1.amazonaws.com s3-accesspoint.us-gov-east-1.amazonaws.com s3-accesspoint-fips.us-gov-east-1.amazonaws.com @@ -11980,6 +11977,7 @@ s3-accesspoint.dualstack.us-gov-west-1.amazonaws.com s3-accesspoint-fips.dualstack.us-gov-west-1.amazonaws.com s3-fips.dualstack.us-gov-west-1.amazonaws.com +s3-website.dualstack.us-gov-west-1.amazonaws.com s3.us-gov-west-1.amazonaws.com s3-accesspoint.us-gov-west-1.amazonaws.com s3-accesspoint-fips.us-gov-west-1.amazonaws.com @@ -12290,7 +12288,7 @@ // AWS Transfer Family web apps // Submitted by AWS Security -// Reference: 57a658c4-8899-410c-aa24-5b01e4a178d2 +// Reference: 9265cdd3-f017-42ab-98bb-08bf427d3fc9 transfer-webapp.af-south-1.on.aws transfer-webapp.ap-east-1.on.aws transfer-webapp.ap-northeast-1.on.aws @@ -12303,6 +12301,7 @@ transfer-webapp.ap-southeast-3.on.aws transfer-webapp.ap-southeast-4.on.aws transfer-webapp.ap-southeast-5.on.aws +transfer-webapp.ap-southeast-7.on.aws transfer-webapp.ca-central-1.on.aws transfer-webapp.ca-west-1.on.aws transfer-webapp.eu-central-1.on.aws @@ -12316,6 +12315,7 @@ transfer-webapp.il-central-1.on.aws transfer-webapp.me-central-1.on.aws transfer-webapp.me-south-1.on.aws +transfer-webapp.mx-central-1.on.aws transfer-webapp.sa-east-1.on.aws transfer-webapp.us-east-1.on.aws transfer-webapp.us-east-2.on.aws @@ -12465,9 +12465,10 @@ // Submitted by Herman Martinus bearblog.dev -// Beget Ltd -// Submitted by Lev Nekrasov +// Beget LLC : https://beget.com +// Submitted by Lev Nekrasov & Nikita Radchenko *.beget.app +*.begetcdn.cloud // Besties : https://besties.house // Submitted by Hazel Cora @@ -12622,7 +12623,8 @@ cx.ua // Civilized Discourse Construction Kit, Inc. : https://www.discourse.org/ -// Submitted by Rishabh Nambiar & Michael Brown +// Submitted by Rishabh Nambiar, Michael Brown, Rafael dos Santos Silva +discourse.diy discourse.group discourse.team @@ -12769,7 +12771,11 @@ // Submitted by James Cowling convex.app convex.cloud +eu-west-1.convex.cloud +us-east-1.convex.cloud convex.site +eu-west-1.convex.site +us-east-1.convex.site // Coordination Center for TLD RU and XN--P1AI : https://cctld.ru/en/domains/domens_ru/reserved/ // Submitted by George Georgievsky @@ -12779,6 +12785,10 @@ int.ru mil.ru +// CoreSpeed, Inc. : https://corespeed.io +// Submitted by CoreSpeed Team +corespeed.app + // COSIMO GmbH : http://www.cosimo.de // Submitted by Rene Marticke dyn.cosidns.de @@ -12877,6 +12887,7 @@ deno.dev deno-staging.dev deno.net +sandbox.deno.net // deSEC : https://desec.io/ // Submitted by Peter Thomassen @@ -12912,7 +12923,11 @@ caffeine.xyz // dhosting.pl Sp. z o.o. : https://dhosting.pl/ -// Submitted by Michal Kokoszkiewicz +// Submitted by Szczepan Redzioch +mybox.company +intouch.email +mybox.me +mybox.page dfirma.pl dkonto.pl you2.pl @@ -13270,21 +13285,33 @@ mypets.ws // Dynu.com : https://www.dynu.com/ -// Submitted by Sue Ye +// Submitted by Sue Ye +1cooldns.com +bumbleshrimp.com ddnsfree.com ddnsgeek.com +ddnsguru.com +dynuddns.com +dynuhosting.com giize.com gleeze.com kozow.com loseyourip.com ooguy.com +pivohosting.com theworkpc.com +wiredbladehosting.com casacam.net dynu.net +dynuddns.net +mysynology.net +opik.net +spryt.net accesscam.org camdvr.org freeddns.org mywire.org +roxa.org webredirect.org myddns.rocks @@ -13426,10 +13453,16 @@ relay.evervault.app relay.evervault.dev +// Exe : https://exe.dev +// Submitted by Josh Bleecher Snyder +exe.xyz + // Expo : https://expo.dev/ -// Submitted by James Ide +// Submitted by Phil Pluckthun expo.app +on.expo.app staging.expo.app +on.staging.expo.app // Fabrica Technologies, Inc. : https://www.fabrica.dev/ // Submitted by Eric Jiang @@ -13567,6 +13600,7 @@ // Figma : https://www.figma.com // Submitted by Nick Frost +payload.dev figma.site figma-gov.site preview.site @@ -14051,6 +14085,7 @@ // Imagine : https://imagine.dev // Submitted by Steven Nguyen +imagine.diy imagine-proxy.work // Incsub, LLC : https://incsub.com/ @@ -14274,11 +14309,6 @@ webadorsite.com jouwweb.site -// Joyent : https://www.joyent.com/ -// Submitted by Brian Bennett -*.cns.joyent.com -*.triton.zone - // JS.ORG : http://dns.js.org // Submitted by Stefan Keim js.org @@ -14292,11 +14322,22 @@ // Submitted by Tomi Juntunen kapsi.fi +// KataBump : https://katabump.com +// Submitted by Thibault Lapeyre +kdns.fr + // Katholieke Universiteit Leuven : https://www.kuleuven.be // Submitted by Abuse KU Leuven ezproxy.kuleuven.be kuleuven.cloud +// Keenetic : https://keenetic.com +// Submitted by Alexey Nikitin +keenetic.io +keenetic.link +keenetic.name +keenetic.pro + // Kevin Service : https://kevsrv.me // Submitted by Kevin Service Team ae.kg @@ -14339,6 +14380,8 @@ // Laravel Holdings, Inc. : https://laravel.com // Submitted by André Valentin & James Brooks +shiptoday.app +shiptoday.build laravel.cloud on-forge.com on-vapor.com @@ -14524,10 +14567,6 @@ mayfirst.info mayfirst.org -// Maze Play : https://www.mazeplay.com -// Submitted by Adam Humpherys -mazeplay.com - // McHost : https://mchost.ru // Submitted by Evgeniy Subbotin mcdir.me @@ -14602,9 +14641,15 @@ azurewebsites.net cloudapp.net trafficmanager.net +blob.core.usgovcloudapi.net +file.core.usgovcloudapi.net +web.core.usgovcloudapi.net servicebus.usgovcloudapi.net usgovcloudapp.net +usgovtrafficmanager.net blob.core.windows.net +file.core.windows.net +web.core.windows.net servicebus.windows.net azure-api.us azurewebsites.us @@ -14625,6 +14670,11 @@ // Submitted by Robert Böttinger csx.cc +// Miren, Inc. : https://miren.dev +// Submitted by Miren Product Team +miren.app +miren.systems + // Mittwald CM Service GmbH & Co. KG : https://mittwald.de // Submitted by Marco Rieger mydbserver.com @@ -14654,6 +14704,10 @@ org.ru pp.ru +// MyOwn srl : https://www.myown.eu/ +// Submitted by Stephane Bouvard +my.be + // Mythic Beasts : https://www.mythic-beasts.com // Submitted by Paul Cammish hostedpi.com @@ -15036,6 +15090,10 @@ // Submitted by Steve Leung mypep.link +// Perplexity AI : https://www.perplexity.ai/ +// Submitted by Alec Xiang +pplx.app + // Perspecta : https://perspecta.com/ // Submitted by Kenneth Van Alstyne perspecta.cloud @@ -15399,7 +15457,20 @@ *.dev-builder.code.com *.stg-builder.code.com *.001.test.code-builder-stg.platform.salesforce.com +*.aa.crm.dev +*.ab.crm.dev +*.ac.crm.dev +*.ad.crm.dev +*.ae.crm.dev +*.af.crm.dev +*.ci.crm.dev *.d.crm.dev +*.pa.crm.dev +*.pb.crm.dev +*.pc.crm.dev +*.pd.crm.dev +*.pe.crm.dev +*.pf.crm.dev *.w.crm.dev *.wa.crm.dev *.wb.crm.dev @@ -15607,6 +15678,10 @@ // Submitted by Michal Zalewski mafelo.net +// Solana Name Service : https://sns.id +// Submitted by Solana Name Service +sol.site + // Sony Interactive Entertainment LLC : https://sie.com/ // Submitted by David Coles playstation-cloud.com @@ -15913,6 +15988,10 @@ site.transip.me *.transurl.nl +// Triton Data Center project : https://tritondatacenter.com +// Submitted by Triton Data Center staff +*.triton.zone + // Tunnelmole: https://tunnelmole.com // Submitted by Robbie Cahill tunnelmole.net @@ -16103,6 +16182,11 @@ windsurf.app windsurf.build +// WirelessCar : https://wirelesscar.com +// Submitted by Martin Lindberg +drive-platform.com +drive-platform.io + // WISP : https://wisp.gg // Submitted by Stepan Fedotov panel.gg diff -Nru pdns-recursor-5.2.8/ext/yahttp/yahttp/reqresp.cpp pdns-recursor-5.2.9/ext/yahttp/yahttp/reqresp.cpp --- pdns-recursor-5.2.8/ext/yahttp/yahttp/reqresp.cpp 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/ext/yahttp/yahttp/reqresp.cpp 2026-04-07 07:48:30.000000000 +0000 @@ -40,7 +40,19 @@ } template - bool AsyncLoader::feed(const std::string& somedata) { + bool AsyncLoader::feed(const std::string& somedata) + { + if (state < 2) { + headersize += somedata.length(); // maye include some body data, we don't know yet... + if (headersize > target->max_header_size) { + if (target->kind == YAHTTP_TYPE_REQUEST) { + throw ParseError("Request header too large"); + } + else { + throw ParseError("Response header too large"); + } + } + } buffer.append(somedata); while(state < 2) { int cr=0; @@ -155,8 +167,8 @@ maxbody = minbody; } if (minbody < 1) return true; // guess there isn't anything left. - if (target->kind == YAHTTP_TYPE_REQUEST && static_cast(minbody) > target->max_request_size) throw ParseError("Max request body size exceeded"); - else if (target->kind == YAHTTP_TYPE_RESPONSE && static_cast(minbody) > target->max_response_size) throw ParseError("Max response body size exceeded"); + if (target->kind == YAHTTP_TYPE_REQUEST && minbody > target->max_request_size) throw ParseError("Max request body size exceeded"); + else if (target->kind == YAHTTP_TYPE_RESPONSE && minbody > target->max_response_size) throw ParseError("Max response body size exceeded"); } if (maxbody == 0) hasBody = false; @@ -175,20 +187,23 @@ buffer.copy(buf, pos); buf[pos]=0; // just in case... buffer.erase(buffer.begin(), buffer.begin()+pos+1); // remove line from buffer - if (sscanf(buf, "%x", &chunk_size) != 1) { + if (sscanf(buf, "%zx", &chunk_size) != 1) { throw ParseError("Unable to parse chunk size"); } if (chunk_size == 0) { state = 3; break; } // last chunk - if (chunk_size > (std::numeric_limits::max() - 2)) { + if (chunk_size > (std::numeric_limits::max() - 2) || chunk_size > maxbody) { throw ParseError("Chunk is too large"); } } else { int crlf=1; - if (buffer.size() < static_cast(chunk_size+1)) return false; // expect newline + if (buffer.size() < chunk_size+1) return false; // expect newline if (buffer.at(chunk_size) == '\r') { - if (buffer.size() < static_cast(chunk_size+2) || buffer.at(chunk_size+1) != '\n') return false; // expect newline after carriage return + if (buffer.size() < chunk_size+2 || buffer.at(chunk_size+1) != '\n') return false; // expect newline after carriage return crlf=2; } else if (buffer.at(chunk_size) != '\n') return false; + if (bodybuf.str().length() + chunk_size > maxbody) { + throw ParseError("Chunked body is too large"); + } std::string tmp = buffer.substr(0, chunk_size); buffer.erase(buffer.begin(), buffer.begin()+chunk_size+crlf); bodybuf << tmp; diff -Nru pdns-recursor-5.2.8/ext/yahttp/yahttp/reqresp.hpp pdns-recursor-5.2.9/ext/yahttp/yahttp/reqresp.hpp --- pdns-recursor-5.2.8/ext/yahttp/yahttp/reqresp.hpp 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/ext/yahttp/yahttp/reqresp.hpp 2026-04-07 07:48:30.000000000 +0000 @@ -20,6 +20,10 @@ #include +#ifndef YAHTTP_MAX_HEADER_SIZE +#define YAHTTP_MAX_HEADER_SIZE (100 * 1024) +#endif + #ifndef YAHTTP_MAX_REQUEST_SIZE #define YAHTTP_MAX_REQUEST_SIZE 2097152 #endif @@ -108,6 +112,7 @@ #endif max_request_size = YAHTTP_MAX_REQUEST_SIZE; max_response_size = YAHTTP_MAX_RESPONSE_SIZE; + max_header_size = YAHTTP_MAX_HEADER_SIZE; url = ""; method = ""; statusText = ""; @@ -130,6 +135,7 @@ this->parameters = rhs.parameters; this->getvars = rhs.getvars; this->body = rhs.body; this->max_request_size = rhs.max_request_size; this->max_response_size = rhs.max_response_size; this->version = rhs.version; + this->max_header_size = rhs.max_header_size; #ifdef HAVE_CPP_FUNC_PTR this->renderer = rhs.renderer; #endif @@ -143,6 +149,7 @@ this->parameters = rhs.parameters; this->getvars = rhs.getvars; this->body = rhs.body; this->max_request_size = rhs.max_request_size; this->max_response_size = rhs.max_response_size; this->version = rhs.version; + this->max_header_size = rhs.max_header_size; #ifdef HAVE_CPP_FUNC_PTR this->renderer = rhs.renderer; #endif @@ -166,8 +173,9 @@ std::string body; // renderer; //target = target_; hasBody = false; buffer = ""; + headersize = 0; this->target->initialize(); }; //(*other.d_zoneData)), // deep copy, d_zoneData is never nullptr + d_serial(other.d_serial), + d_refresh(other.d_refresh) + { + } + + Zone& operator=(const Zone&) = delete; + Zone& operator=(Zone&&) = delete; + Zone(Zone&&) = delete; + ~Zone() = default; + void clear() { d_qpolAddr.clear(); diff -Nru pdns-recursor-5.2.8/negcache.cc pdns-recursor-5.2.9/negcache.cc --- pdns-recursor-5.2.8/negcache.cc 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/negcache.cc 2026-04-07 07:48:30.000000000 +0000 @@ -29,6 +29,7 @@ // For a description on how ServeStale works, see recursor_cache.cc, the general structure is the same. uint16_t NegCache::s_maxServedStaleExtensions; +uint32_t NegCache::s_maxEntrySize{8192}; // Same default as positive cache NegCache::NegCache(size_t mapsCount) : d_maps(mapsCount == 0 ? 1 : mapsCount) @@ -44,6 +45,17 @@ return count; } +size_t NegCache::NegCacheEntry::sizeEstimate() const +{ + auto ret = sizeof(NegCacheEntry); + ret += authoritySOA.sizeEstimate(); + ret += DNSSECRecords.sizeEstimate(); + ret += d_name.wirelength(); + ret += d_auth.wirelength(); + + return ret; +} + /*! * Set ne to the NegCacheEntry for the last label in qname and return true if there * was one. @@ -139,12 +151,15 @@ * * \param ne The NegCacheEntry to add to the cache */ -void NegCache::add(const NegCacheEntry& ne) +void NegCache::add(const NegCacheEntry& negEntry) { + if (s_maxEntrySize > 0 && negEntry.sizeEstimate() > s_maxEntrySize) { + return; + } bool inserted = false; - auto& map = getMap(ne.d_name); + auto& map = getMap(negEntry.d_name); auto content = map.lock(); - inserted = lruReplacingInsert(content->d_map, ne); + inserted = lruReplacingInsert(content->d_map, negEntry); if (inserted) { map.incEntriesCount(); } diff -Nru pdns-recursor-5.2.8/negcache.hh pdns-recursor-5.2.9/negcache.hh --- pdns-recursor-5.2.8/negcache.hh 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/negcache.hh 2026-04-07 07:48:30.000000000 +0000 @@ -45,11 +45,27 @@ * * typedef vector recordsAndSignatures; */ -typedef struct +struct recordsAndSignatures { vector records; vector signatures; -} recordsAndSignatures; + + [[nodiscard]] size_t sizeEstimate() const + { + size_t ret = sizeof(recordsAndSignatures); + for (const auto& entry : records) { + ret += sizeof(DNSRecord); + ret += entry.d_name.wirelength(); + ret += entry.getContent()->serialize(entry.d_name, true).size(); + } + for (const auto& entry : signatures) { + ret += sizeof(DNSRecord); + ret += entry.d_name.wirelength(); + ret += entry.getContent()->serialize(entry.d_name, true).size(); + } + return ret; + } +}; class NegCache : public boost::noncopyable { @@ -61,6 +77,7 @@ static uint16_t s_maxServedStaleExtensions; // The time a stale cache entry is extended static constexpr uint32_t s_serveStaleExtensionPeriod = 30; + static uint32_t s_maxEntrySize; struct NegCacheEntry { @@ -90,6 +107,7 @@ // When serving stale, we consider expired records return d_ttd > now || serveStale || d_servedStale != 0; } + [[nodiscard]] size_t sizeEstimate() const; }; void add(const NegCacheEntry& ne); diff -Nru pdns-recursor-5.2.8/pdns_recursor.1 pdns-recursor-5.2.9/pdns_recursor.1 --- pdns-recursor-5.2.8/pdns_recursor.1 2026-01-21 11:13:52.000000000 +0000 +++ pdns-recursor-5.2.9/pdns_recursor.1 2026-04-07 07:50:25.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "PDNS_RECURSOR" "1" "Jan 21, 2026" "" "PowerDNS Recursor" +.TH "PDNS_RECURSOR" "1" "Apr 07, 2026" "" "PowerDNS Recursor" .SH NAME pdns_recursor \- The PowerDNS Recursor binary .SH SYNOPSIS diff -Nru pdns-recursor-5.2.8/pubsuffix.cc pdns-recursor-5.2.9/pubsuffix.cc --- pdns-recursor-5.2.8/pubsuffix.cc 2026-01-21 11:13:53.000000000 +0000 +++ pdns-recursor-5.2.9/pubsuffix.cc 2026-04-07 07:50:25.000000000 +0000 @@ -3194,6 +3194,11 @@ "mil.kg", "net.kg", "org.kg", +"com.kh", +"edu.kh", +"gov.kh", +"net.kh", +"org.kh", "biz.ki", "com.ki", "edu.ki", @@ -5096,6 +5101,7 @@ "hatinh.vn", "haugiang.vn", "hoabinh.vn", +"hue.vn", "hungyen.vn", "khanhhoa.vn", "kiengiang.vn", @@ -5187,9 +5193,6 @@ "poznan.pl", "wroc.pl", "zakopane.pl", -"12chars.dev", -"12chars.it", -"12chars.pro", "cc.ua", "inf.ua", "ltd.ua", @@ -5233,6 +5236,8 @@ "edgesuite-staging.net", "barsy.ca", "alibabacloudcs.com", +"ms.fun", +"ms.show", "kasserver.com", "altervista.org", "alwaysdata.net", @@ -5310,6 +5315,7 @@ "auth-fips.us-west-1.amazoncognito.com", "auth.us-west-2.amazoncognito.com", "auth-fips.us-west-2.amazoncognito.com", +"auth.cognito-idp.eusc-de-east-1.on.amazonwebservices.eu", "us-east-1.amazonaws.com", "emrappui-prod.cn-north-1.amazonaws.com.cn", "emrnotebooks-prod.cn-north-1.amazonaws.com.cn", @@ -5675,6 +5681,7 @@ "s3-accesspoint.dualstack.us-gov-east-1.amazonaws.com", "s3-accesspoint-fips.dualstack.us-gov-east-1.amazonaws.com", "s3-fips.dualstack.us-gov-east-1.amazonaws.com", +"s3-website.dualstack.us-gov-east-1.amazonaws.com", "s3.us-gov-east-1.amazonaws.com", "s3-accesspoint.us-gov-east-1.amazonaws.com", "s3-accesspoint-fips.us-gov-east-1.amazonaws.com", @@ -5685,6 +5692,7 @@ "s3-accesspoint.dualstack.us-gov-west-1.amazonaws.com", "s3-accesspoint-fips.dualstack.us-gov-west-1.amazonaws.com", "s3-fips.dualstack.us-gov-west-1.amazonaws.com", +"s3-website.dualstack.us-gov-west-1.amazonaws.com", "s3.us-gov-west-1.amazonaws.com", "s3-accesspoint.us-gov-west-1.amazonaws.com", "s3-accesspoint-fips.us-gov-west-1.amazonaws.com", @@ -5943,6 +5951,7 @@ "transfer-webapp.ap-southeast-3.on.aws", "transfer-webapp.ap-southeast-4.on.aws", "transfer-webapp.ap-southeast-5.on.aws", +"transfer-webapp.ap-southeast-7.on.aws", "transfer-webapp.ca-central-1.on.aws", "transfer-webapp.ca-west-1.on.aws", "transfer-webapp.eu-central-1.on.aws", @@ -5956,6 +5965,7 @@ "transfer-webapp.il-central-1.on.aws", "transfer-webapp.me-central-1.on.aws", "transfer-webapp.me-south-1.on.aws", +"transfer-webapp.mx-central-1.on.aws", "transfer-webapp.sa-east-1.on.aws", "transfer-webapp.us-east-1.on.aws", "transfer-webapp.us-east-2.on.aws", @@ -6082,6 +6092,7 @@ "ae.org", "com.se", "cx.ua", +"discourse.diy", "discourse.group", "discourse.team", "clerk.app", @@ -6156,12 +6167,17 @@ "ctfcloud.net", "convex.app", "convex.cloud", +"eu-west-1.convex.cloud", +"us-east-1.convex.cloud", "convex.site", +"eu-west-1.convex.site", +"us-east-1.convex.site", "ac.ru", "edu.ru", "gov.ru", "int.ru", "mil.ru", +"corespeed.app", "dyn.cosidns.de", "dnsupdater.de", "dynamisches-dns.de", @@ -6209,6 +6225,7 @@ "deno.dev", "deno-staging.dev", "deno.net", +"sandbox.deno.net", "dedyn.io", "deta.app", "deta.dev", @@ -6222,6 +6239,10 @@ "icp1.io", "caffeine.site", "caffeine.xyz", +"mybox.company", +"intouch.email", +"mybox.me", +"mybox.page", "dfirma.pl", "dkonto.pl", "you2.pl", @@ -6529,20 +6550,32 @@ "stuff-4-sale.us", "dyndns.ws", "mypets.ws", +"1cooldns.com", +"bumbleshrimp.com", "ddnsfree.com", "ddnsgeek.com", +"ddnsguru.com", +"dynuddns.com", +"dynuhosting.com", "giize.com", "gleeze.com", "kozow.com", "loseyourip.com", "ooguy.com", +"pivohosting.com", "theworkpc.com", +"wiredbladehosting.com", "casacam.net", "dynu.net", +"dynuddns.net", +"mysynology.net", +"opik.net", +"spryt.net", "accesscam.org", "camdvr.org", "freeddns.org", "mywire.org", +"roxa.org", "webredirect.org", "myddns.rocks", "dynv6.net", @@ -6634,8 +6667,11 @@ "us-4.evennode.com", "relay.evervault.app", "relay.evervault.dev", +"exe.xyz", "expo.app", +"on.expo.app", "staging.expo.app", +"on.staging.expo.app", "onfabrica.com", "ru.net", "adygeya.ru", @@ -6738,6 +6774,7 @@ "app.os.stg.fedoraproject.org", "mydobiss.com", "fh-muenster.io", +"payload.dev", "figma.site", "figma-gov.site", "preview.site", @@ -6995,6 +7032,7 @@ "iki.fi", "ibxos.it", "iliadboxos.it", +"imagine.diy", "imagine-proxy.work", "smushcdn.com", "wphostedmail.com", @@ -7151,8 +7189,13 @@ "kaas.gg", "khplay.nl", "kapsi.fi", +"kdns.fr", "ezproxy.kuleuven.be", "kuleuven.cloud", +"keenetic.io", +"keenetic.link", +"keenetic.name", +"keenetic.pro", "ae.kg", "keymachine.de", "kiloapps.ai", @@ -7165,6 +7208,8 @@ "krellian.net", "oya.to", "co.de", +"shiptoday.app", +"shiptoday.build", "laravel.cloud", "on-forge.com", "on-vapor.com", @@ -7262,7 +7307,6 @@ "polyspace.com", "mayfirst.info", "mayfirst.org", -"mazeplay.com", "mcdir.me", "mcdir.ru", "vps.mcdir.ru", @@ -7302,9 +7346,15 @@ "azurewebsites.net", "cloudapp.net", "trafficmanager.net", +"blob.core.usgovcloudapi.net", +"file.core.usgovcloudapi.net", +"web.core.usgovcloudapi.net", "servicebus.usgovcloudapi.net", "usgovcloudapp.net", +"usgovtrafficmanager.net", "blob.core.windows.net", +"file.core.windows.net", +"web.core.windows.net", "servicebus.windows.net", "azure-api.us", "azurewebsites.us", @@ -7315,6 +7365,8 @@ "same-app.com", "same-preview.com", "csx.cc", +"miren.app", +"miren.systems", "mydbserver.com", "webspaceconfig.de", "mittwald.info", @@ -7329,6 +7381,7 @@ "net.ru", "org.ru", "pp.ru", +"my.be", "hostedpi.com", "caracal.mythic-beasts.com", "customer.mythic-beasts.com", @@ -7535,6 +7588,7 @@ "gh.srv.us", "gl.srv.us", "mypep.link", +"pplx.app", "perspecta.cloud", "forgeblocks.com", "id.forgerock.io", @@ -7804,6 +7858,7 @@ "streamlitapp.com", "try-snowplow.com", "mafelo.net", +"sol.site", "playstation-cloud.com", "srht.site", "apps.lair.io", @@ -8028,6 +8083,8 @@ "localcert.net", "windsurf.app", "windsurf.build", +"drive-platform.com", +"drive-platform.io", "panel.gg", "daemon.panel.gg", "base44.app", diff -Nru pdns-recursor-5.2.8/rec-main.cc pdns-recursor-5.2.9/rec-main.cc --- pdns-recursor-5.2.8/rec-main.cc 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/rec-main.cc 2026-04-07 07:48:30.000000000 +0000 @@ -3313,6 +3313,8 @@ } MemRecursorCache::s_maxEntrySize = ::arg().asNum("max-recordcache-entry-size"); + NegCache::s_maxEntrySize = MemRecursorCache::s_maxEntrySize; + AggressiveNSECCache::s_maxEntrySize = MemRecursorCache::s_maxEntrySize; RecursorPacketCache::s_maxEntrySize = ::arg().asNum("max-packetcache-entry-size"); g_recCache = std::make_unique(::arg().asNum("record-cache-shards")); g_negCache = std::make_unique(::arg().asNum("record-cache-shards") / 8); diff -Nru pdns-recursor-5.2.8/rec_control.1 pdns-recursor-5.2.9/rec_control.1 --- pdns-recursor-5.2.8/rec_control.1 2026-01-21 11:13:52.000000000 +0000 +++ pdns-recursor-5.2.9/rec_control.1 2026-04-07 07:50:25.000000000 +0000 @@ -27,7 +27,7 @@ .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.TH "REC_CONTROL" "1" "Jan 21, 2026" "" "PowerDNS Recursor" +.TH "REC_CONTROL" "1" "Apr 07, 2026" "" "PowerDNS Recursor" .SH NAME rec_control \- Command line tool to control a running Recursor .SH SYNOPSIS diff -Nru pdns-recursor-5.2.8/rpzloader.cc pdns-recursor-5.2.9/rpzloader.cc --- pdns-recursor-5.2.8/rpzloader.cc 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/rpzloader.cc 2026-04-07 07:48:30.000000000 +0000 @@ -291,8 +291,14 @@ last = time(nullptr); } } + + if (!soaRecordContent) { + throw PDNSException("No valid SOA found"); + } + SLOG(g_log << Logger::Info << "Done: " << nrecords << " policy records active, SOA: " << soaRecordContent->getZoneRepresentation() << endl, logger->info(Logr::Info, "RPZ load completed", "nrecords", Logging::Loggable(nrecords), "soa", Logging::Loggable(soaRecordContent->getZoneRepresentation()))); + return soaRecordContent; } diff -Nru pdns-recursor-5.2.8/test-aggressive_nsec_cc.cc pdns-recursor-5.2.9/test-aggressive_nsec_cc.cc --- pdns-recursor-5.2.8/test-aggressive_nsec_cc.cc 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/test-aggressive_nsec_cc.cc 2026-04-07 07:48:30.000000000 +0000 @@ -1130,6 +1130,28 @@ BOOST_CHECK(diff1 < diff2 * 2 && diff2 < diff1 * 2); } +BOOST_AUTO_TEST_CASE(test_aggressive_nsec_very_big_replace) +{ + auto cache = make_unique(1000); + + struct timeval now{}; + Utility::gettimeofday(&now, nullptr); + + DNSRecord rec; + rec.d_name = DNSName("powerdns.com"); + rec.d_type = QType::NSEC3; + rec.d_ttl = now.tv_sec + 10; + rec.setContent(getRecordContent(QType::NSEC3, "1 0 500 ab HASG==== A RRSIG NSEC3")); + std::vector> sigs; + for (auto i = 0; i < 100; i++) { + auto rrsig = std::make_shared("NSEC3 5 3 10 20370101000000 20370101000000 24567 dummy. data"); + sigs.emplace_back(std::move(rrsig)); + } + cache->insertNSEC(DNSName("powerdns.com"), rec.d_name, rec, sigs, true); + + BOOST_CHECK_EQUAL(cache->getEntriesCount(), 0U); +} + BOOST_AUTO_TEST_CASE(test_aggressive_nsec_wiping) { auto cache = make_unique(10000); diff -Nru pdns-recursor-5.2.8/test-negcache_cc.cc pdns-recursor-5.2.9/test-negcache_cc.cc --- pdns-recursor-5.2.8/test-negcache_cc.cc 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/test-negcache_cc.cc 2026-04-07 07:48:30.000000000 +0000 @@ -73,6 +73,39 @@ BOOST_CHECK_EQUAL(ne.d_auth, auth); } +BOOST_AUTO_TEST_CASE(test_get_verybig_entry) +{ + /* Try adddd a full name negative entry to the cache that's to big and attempt to get an entry for + * the A record. Should not yield the full name not exist entry + */ + DNSName qname("www2.powerdns.com"); + DNSName auth("powerdns.com"); + + struct timeval now; + Utility::gettimeofday(&now, 0); + + NegCache cache; + + auto entry = genNegCacheEntry(qname, auth, now); + for (auto i = 0; i < 100; i++) { + DNSRecord rec; + rec.d_name = qname; + rec.d_type = QType::RRSIG; + rec.d_ttl = 600; + rec.d_place = DNSResourceRecord::AUTHORITY; + rec.setContent(std::make_shared(QType(QType::A).toString() + " 5 3 600 2037010100000000 2037010100000000 24567 dummy data")); + entry.DNSSECRecords.signatures.emplace_back(std::move(rec)); + } + cache.add(entry); + + BOOST_CHECK_EQUAL(cache.size(), 0U); + + NegCache::NegCacheEntry ne; + bool ret = cache.get(qname, QType(1), now, ne); + + BOOST_CHECK(!ret); +} + BOOST_AUTO_TEST_CASE(test_get_entry2038) { /* Add a full name negative entry to the cache and attempt to get an entry for diff -Nru pdns-recursor-5.2.8/zonemd.cc pdns-recursor-5.2.9/zonemd.cc --- pdns-recursor-5.2.8/zonemd.cc 2026-01-21 11:11:42.000000000 +0000 +++ pdns-recursor-5.2.9/zonemd.cc 2026-04-07 07:48:30.000000000 +0000 @@ -261,7 +261,7 @@ // Final verify for (const auto& [k, v] : d_zonemdRecords) { auto [zonemd, duplicate] = v; - if (zonemd->d_hashalgo == 1) { + if (zonemd->d_hashalgo == 1 && sha384digest) { validationDone = true; auto computed = sha384digest->digest(); if (constantTimeStringEquals(zonemd->d_digest, computed)) { @@ -269,7 +269,7 @@ break; // Per RFC: a single succeeding validation is enough } } - else if (zonemd->d_hashalgo == 2) { + else if (zonemd->d_hashalgo == 2 && sha512digest) { validationDone = true; auto computed = sha512digest->digest(); if (constantTimeStringEquals(zonemd->d_digest, computed)) {