* Non-maintainer upload by the Debian LTS Team.
* debian/patches/CVE-2020-14196.patch: Added (CVE-2020-14196).
- Add patch to enforce 'webserver-allow-from' ACL (closes: #964103).
* debian/patches/CVE-2020-25829.patch: Added (CVE-2020-25829).
- Add patch to fix DoS (closes: #972159).
[dgit import unpatched pdns-recursor 4.1.11-1+deb10u2]
--- /dev/null
--- /dev/null
++---
++
++include:
++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
++
++variables:
++ RELEASE: 'buster'
++ SALSA_CI_COMPONENTS: 'main contrib non-free'
++ SALSA_CI_DISABLE_REPROTEST: 1
++ SALSA_CI_DISABLE_LINTIAN: 1
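Review bot: the variables block sets SALSA_CI_DISABLE_REPROTEST: 1 and SALSA_CI_DISABLE_LINTIAN: 1 without a comment saying why, and both include: URLs pull the pipeline definition from raw/master, a mutable ref. For an upload that carries two CVE patches, add a short comment recording why these two jobs are off for buster (or re-enable them), so that the skipped checks are a documented decision.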
--- /dev/null
--- /dev/null
++See /usr/share/doc/quilt/README.source
--- /dev/null
--- /dev/null
++pdns-recursor (4.1.11-1+deb10u2) buster; urgency=medium
++
++ * Non-maintainer upload by the Debian LTS Team.
++ * debian/patches/CVE-2020-14196.patch: Added (CVE-2020-14196).
++ - Add patch to enforce 'webserver-allow-from' ACL (closes: #964103).
++ * debian/patches/CVE-2020-25829.patch: Added (CVE-2020-25829).
++ - Add patch to fix DoS (closes: #972159).
++
++ -- Daniel Leidert <dleidert@debian.org> Mon, 18 Mar 2024 23:34:27 +0100
++
++pdns-recursor (4.1.11-1+deb10u1) buster-security; urgency=high
++
++ * Fix security issues CVE-2020-10995 CVE-2020-12244 CVE-2020-10030
++
++ -- Chris Hofstaedtler <zeha@debian.org> Tue, 19 May 2020 08:52:06 +0000
++
++pdns-recursor (4.1.11-1) unstable; urgency=medium
++
++ * New upstream version 4.1.11
++ * Upstream has applied the patch introduced in 4.1.10-2, remove it.
++
++ -- Chris Hofstaedtler <zeha@debian.org> Sun, 03 Feb 2019 15:02:43 +0000
++
++pdns-recursor (4.1.10-2) unstable; urgency=high
++
++ * Apply patch from upstream to avoid timing issue in tests
++ * Keeping urgency=high to allow migration of the security fix in 4.1.9-1
++ after the mipsel build failure.
++
++ -- Chris Hofstaedtler <zeha@debian.org> Thu, 24 Jan 2019 16:19:32 +0000
++
++pdns-recursor (4.1.10-1) unstable; urgency=high
++
++ * New upstream version 4.1.10, fixing build without protobuf,
++ which is not a problem in Debian.
++ * Re-add stack-size patch, hoping it fixes the mipsel build failure
++ * Keeping urgency=high to allow migration of the security fix in 4.1.9-1
++ after the mipsel build failure.
++
++ -- Chris Hofstaedtler <zeha@debian.org> Thu, 24 Jan 2019 14:53:59 +0000
++
++pdns-recursor (4.1.9-1) unstable; urgency=high
++
++ * New upstream version 4.1.9, including fixes for:
++ CVE-2019-3806 CVE-2019-3807.
++ * Remove upstream applied patches.
++
++ -- Chris Hofstaedtler <zeha@debian.org> Mon, 21 Jan 2019 13:08:42 +0000
++
++pdns-recursor (4.1.8-2) unstable; urgency=medium
++
++ * Apply patch from upstream to avoid transient test failure on slow archs
++
++ -- Chris Hofstaedtler <zeha@debian.org> Wed, 28 Nov 2018 12:32:23 +0000
++
++pdns-recursor (4.1.8-1) unstable; urgency=medium
++
++ * New upstream version 4.1.8, including fix for CVE-2018-16855.
++
++ -- Chris Hofstaedtler <zeha@debian.org> Mon, 26 Nov 2018 15:22:39 +0000
++
++pdns-recursor (4.1.7-1) unstable; urgency=medium
++
++ * New upstream version 4.1.7, including fixes for:
++ CVE-2018-10851 CVE-2018-14626 CVE-2018-14644
++ (Closes: #913162).
++ * Remove upstream applied patch.
++
++ -- Chris Hofstaedtler <zeha@debian.org> Fri, 09 Nov 2018 19:44:44 +0000
++
++pdns-recursor (4.1.4-3) unstable; urgency=medium
++
++ * Run MTasker test with the stack-size pdns_recursor would use
++
++ -- Chris Hofstaedtler <zeha@debian.org> Sun, 09 Sep 2018 19:29:51 +0000
++
++pdns-recursor (4.1.4-2) unstable; urgency=medium
++
++ * Show results of make check in build logs
++ * Remove override_dh_strip, ddeb migration is complete
++ * Move lintian source overrides to non-deprecated location
++ * Use debhelper compat level 11
++
++ -- Chris Hofstaedtler <zeha@debian.org> Sun, 09 Sep 2018 16:11:21 +0000
++
++pdns-recursor (4.1.4-1) unstable; urgency=medium
++
++ * Bump Standards-Version to 4.2.1
++ * New upstream version 4.1.4
++ * Load DNSSEC root keys from dns-root-data package (Closes: #760470)
++
++ -- Chris Hofstaedtler <zeha@debian.org> Mon, 03 Sep 2018 07:55:52 +0000
++
++pdns-recursor (4.1.3-2) unstable; urgency=medium
++
++ * d/rules: sync build options from pdns package.
++ Includes: hardening=+all instead of +bindnow,+pie. Use dpkg
++ make macros to derive current version and vendor. Force enable
++ -Wall.
++ * Update copyright format URL and years
++
++ -- Chris Hofstaedtler <zeha@debian.org> Thu, 26 Jul 2018 11:31:22 +0000
++
++pdns-recursor (4.1.3-1) unstable; urgency=medium
++
++ * New upstream version 4.1.3
++ * Remove upstream applied patches (all)
++ * Bump Standards-Version to 4.1.5
++
++ -- Chris Hofstaedtler <zeha@debian.org> Mon, 23 Jul 2018 06:56:51 +0000
++
++pdns-recursor (4.1.2-1) unstable; urgency=medium
++
++ * New upstream version 4.1.2, remove upstream applied patches.
++
++ -- Chris Hofstaedtler <zeha@debian.org> Thu, 29 Mar 2018 17:18:23 +0000
++
++pdns-recursor (4.1.1-2) unstable; urgency=medium
++
++ * Replace obsolete priority extra with optional
++ * Add a default include-dir= setting
++
++ -- Chris Hofstaedtler <zeha@debian.org> Fri, 23 Feb 2018 10:41:09 +0000
++
++pdns-recursor (4.1.1-1) unstable; urgency=medium
++
++ * New upstream version 4.1.1
++ * Drop upstream applied, refresh other patches
++
++ -- Chris Hofstaedtler <zeha@debian.org> Mon, 22 Jan 2018 19:03:19 +0000
++
++pdns-recursor (4.1.0-5) unstable; urgency=medium
++
++ * Avoid boost-context on platforms where it is broken
++
++ -- Chris Hofstaedtler <zeha@debian.org> Fri, 19 Jan 2018 22:12:09 +0000
++
++pdns-recursor (4.1.0-4) unstable; urgency=medium
++
++ * Update Maintainer: as alioth is going away
++ * Update Vcs-* URLs to point to salsa.debian.org
++ * Bump Standards-Version to 4.1.3 (no changes)
++
++ -- Chris Hofstaedtler <zeha@debian.org> Thu, 18 Jan 2018 20:46:32 +0000
++
++pdns-recursor (4.1.0-3) unstable; urgency=medium
++
++ * Add patch from James Cowgill <jcowgill@debian.org> to fix
++ crashes on mips64el. Thanks for analysis and the patch! (Closes: #887034)
++
++ -- Chris Hofstaedtler <zeha@debian.org> Fri, 12 Jan 2018 21:11:55 +0000
++
++pdns-recursor (4.1.0-2) unstable; urgency=medium
++
++ * Add patches from upstream improving test reliability.
++ * Bump Standards-Version to 4.1.2 (no changes).
++
++ -- Chris Hofstaedtler <zeha@debian.org> Tue, 12 Dec 2017 09:51:18 +0000
++
++pdns-recursor (4.1.0-1) unstable; urgency=medium
++
++ * New upstream version 4.1.0, upload to unstable.
++ * Build with libsodium for DNSSEC algo 15 support.
++ * Enable unit tests during build time.
++
++ -- Chris Hofstaedtler <zeha@debian.org> Mon, 04 Dec 2017 15:20:54 +0000
++
++pdns-recursor (4.1.0~rc3-1) experimental; urgency=medium
++
++ * New upstream version 4.1.0~rc3
++ * Update upstream signing key
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 27 Nov 2017 21:02:42 +0000
++
++pdns-recursor (4.1.0~alpha1-1) experimental; urgency=medium
++
++ * New upstream version 4.1.0~alpha1
++ * Bump Standards-Version to 4.1.1 (no changes)
++ * Remove Build-Depends: satisfied by debhelper >= 10
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 10 Oct 2017 05:46:20 +0000
++
++pdns-recursor (4.0.7-1) unstable; urgency=medium
++
++ * New upstream version 4.0.7, fixes CVE-2017-15090 CVE-2017-15092
++ CVE-2017-15093 CVE-2017-15094.
++ * Update upstream signing key
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 27 Nov 2017 21:05:16 +0000
++
++pdns-recursor (4.0.6-1) unstable; urgency=medium
++
++ * New upstream version 4.0.6
++ * Drop upstream applied patches
++ * Drop RestrictAddressFamilies workaround for 32bit hosts, relevant only
++ for some versions of systemd in stretch.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 11 Jul 2017 17:56:13 +0000
++
++pdns-recursor (4.0.5-2) unstable; urgency=medium
++
++ * Move -latomic handling into upstream hands,
++ including a patch from upstream to fix FTBFS on ppc64el.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 04 Jul 2017 13:07:56 +0000
++
++pdns-recursor (4.0.5-1) unstable; urgency=medium
++
++ * New upstream version 4.0.5.
++ * Drop upstream applied patches.
++ * Bump Standards-Version to 4.0.0.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 04 Jul 2017 10:50:08 +0000
++
++pdns-recursor (4.0.4-2) unstable; urgency=medium
++
++ * Add new root trust anchor KSK-2017 to embedded root trust list.
++ (Closes: #866112)
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 27 Jun 2017 12:31:08 +0000
++
++pdns-recursor (4.0.4-1) unstable; urgency=medium
++
++ * New upstream version, fixing security issues CVE-2016-7068 and
++ CVE-2016-7073 CVE-2016-7074.
++ * Also includes DNSSEC improvements, parts of which we carried as
++ patches already.
++ * Drop upstream applied patches.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sat, 14 Jan 2017 03:03:18 +0000
++
++pdns-recursor (4.0.3-6) unstable; urgency=medium
++
++ * Upload to unstable again.
++ * Import further patches from upstream to fix DNSSEC and RPZ issues.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 02 Jan 2017 22:15:58 +0000
++
++pdns-recursor (4.0.3-5+exp3) experimental; urgency=medium
++
++ * Add file missing from dist tarball so pubsuffix.cc can be rebuilt
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 02 Jan 2017 14:41:26 +0000
++
++pdns-recursor (4.0.3-5+exp2) experimental; urgency=medium
++
++ * Build-Depend on ragel to ensure dnslabeltext.cc is rebuilt.
++ * Take public suffix list from publicsuffix package at build time.
++ * Bump dh compat to 10, remove now obsolete extra args/build-depends.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 02 Jan 2017 10:54:55 +0000
++
++pdns-recursor (4.0.3-5+exp1) experimental; urgency=medium
++
++ * Allow building with boost::fcontext again, by importing
++ more patches from upstream.
++ * Target experimental, but hope that fcontext works on all
++ architectures anyway.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 02 Jan 2017 09:59:15 +0000
++
++pdns-recursor (4.0.3-5) unstable; urgency=medium
++
++ * Drop RestrictAddressFamilies from .service file on 32bit.
++ This feature is broken in systemd before v233. (See also #849817)
++ * Add patches from upstream 4.0 series branch.
++ Fixes a crash in DNSSEC validation (in getZoneCuts) and in
++ statistics code.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sat, 31 Dec 2016 15:37:18 +0000
++
++pdns-recursor (4.0.3-4) unstable; urgency=medium
++
++ * Add patches from upstream fixing DNSSEC, RPZ issues
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sun, 11 Dec 2016 11:50:37 +0000
++
++pdns-recursor (4.0.3-3) unstable; urgency=medium
++
++ * Drop our lsb-base dependency to avoid versioning it
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 11 Oct 2016 03:08:20 +0000
++
++pdns-recursor (4.0.3-2) unstable; urgency=medium
++
++ * Disable systemd integration on non-Linux archs. Patch from
++ Pino Toscano <pino@debian.org>. (Closes: #834235)
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 10 Oct 2016 14:30:03 +0000
++
++pdns-recursor (4.0.3-1) unstable; urgency=medium
++
++ * New upstream version 4.0.3.
++ * Drop upstream applied patches.
++ * Disable check for boost fcontext, as its API has changed in boost 1.61.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Wed, 07 Sep 2016 08:39:15 +0000
++
++pdns-recursor (4.0.2-1) unstable; urgency=medium
++
++ * New upstream version 4.0.2
++ * Add patches from upstream to fix build with OpenSSL 1.1.0 final (again)
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 05 Sep 2016 19:00:33 +0000
++
++pdns-recursor (4.0.1-1) unstable; urgency=medium
++
++ * New upstream version. (Closes: #828491)
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sat, 30 Jul 2016 20:44:16 +0000
++
++pdns-recursor (4.0.0-3) unstable; urgency=medium
++
++ * postinst: Remove redundant guard around addgroup/adduser
++ * debian/watch: Fix versionmangle for rc releases
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 18 Jul 2016 07:31:27 +0000
++
++pdns-recursor (4.0.0-2) unstable; urgency=medium
++
++ * Drop --retry in initscript stop action (Closes: #768078)
++ * Drop initscript force-stop action.
++ Which would use killall and as such not be safe on a container host.
++ * Deprecate resolvconf integration and flip default to off
++ * Drop "Replaces: pdns" which has not been needed since wheezy
++ * Drop version on Depends: lsb-base, which is already fulfilled in oldstable
++ * Drop upgrade code from versions before oldoldstable
++ * Ensure daemon startup errors do not cause dpkg to fail
++ * Update package description
++ * Drop unused lintian overrides
++ * Drop unused update-rc.d parameters
++
++ -- Christian Hofstaedtler <zeha@debian.org> Wed, 13 Jul 2016 11:22:54 +0200
++
++pdns-recursor (4.0.0-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 11 Jul 2016 11:35:46 +0200
++
++pdns-recursor (4.0.0~rc1-2) unstable; urgency=medium
++
++ * Move package to pkg-dns team
++ * Update debhelper dependency for dbgsym options
++ * Improve reproducibility by sorting included files
++ * Inform lintian about OpenSSL Exception
++ * Remove unused license from debian/copyright
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sun, 03 Jul 2016 11:19:38 +0200
++
++pdns-recursor (4.0.0~rc1-1) unstable; urgency=medium
++
++ * New upstream version.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Fri, 10 Jun 2016 21:58:56 +0000
++
++pdns-recursor (4.0.0~beta1-2) unstable; urgency=medium
++
++ * Update debian/copyright.
++ * Build with upstreams systemd support and use it.
++ * Raise LimitNOFILE to match default mthread setting (again).
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sun, 29 May 2016 21:05:49 +0000
++
++pdns-recursor (4.0.0~beta1-1) unstable; urgency=medium
++
++ * New upstream version.
++ * debian/watch: fix missing versionmangle setting
++ * Drop DNSSEC disabling patch, in favor of upstreams new
++ process-no-validate default.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sat, 28 May 2016 18:24:02 +0000
++
++pdns-recursor (4.0.0~alpha3-1) unstable; urgency=medium
++
++ * New upstream version.
++ * Drop upstream applied patch for boost detection.
++ * Bump Standards-Version to 3.9.8 (no changes needed)
++
++ -- Christian Hofstaedtler <zeha@debian.org> Thu, 12 May 2016 20:35:07 +0000
++
++pdns-recursor (4.0.0~alpha2-2) unstable; urgency=medium
++
++ * Apply patch from upstream to fix build without
++ boost::context, hopefully fixing missing builds on arm64, s390x.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 28 Mar 2016 12:15:09 +0000
++
++pdns-recursor (4.0.0~alpha2-1) unstable; urgency=medium
++
++ * New Upstream version 4.0.0~alpha2, with autotools build system.
++ (Closes: #809091)
++ * Disable DNSSEC processing for this release, per upstream recommendation.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Wed, 09 Mar 2016 15:22:59 +0000
++
++pdns-recursor (4.0.0~alpha1-3) unstable; urgency=medium
++
++ * Update systemd unit file from upstream
++ * Drop pdns-recursor-dbg in favor of automated dbgsym packages
++ * Disable secpoll by default
++ * Use root hints from dns-root-data package (Closes: #760470)
++ * Drop Build-Depends: quilt, as we just rely on dpkg-source
++ * Increase LimitNOFILE to a size suitable for default mthreads
++
++ -- Christian Hofstaedtler <zeha@debian.org> Thu, 25 Feb 2016 00:02:07 +0000
++
++pdns-recursor (4.0.0~alpha1-2) unstable; urgency=medium
++
++ * Manage daemon flag in init script, not in config file.
++ For users that get this wrong in their recursor.conf.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sat, 26 Dec 2015 23:25:30 +0000
++
++pdns-recursor (4.0.0~alpha1-1) unstable; urgency=medium
++
++ * Imported Upstream version 4.0.0~alpha1
++ * debian/watch: Add upstream signature check
++ * Update debian/copyright
++ * Generate recursor.conf during build
++ * Install example files
++ * Enable reproducible build
++
++ -- Christian Hofstaedtler <zeha@debian.org> Fri, 25 Dec 2015 17:47:26 +0000
++
++pdns-recursor (3.7.3-1) unstable; urgency=medium
++
++ * Imported Upstream version 3.7.3 (prevent short bursts of high
++ resource usage with malformed qnames).
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sun, 14 Jun 2015 21:18:28 +0200
++
++pdns-recursor (3.7.2-1) unstable; urgency=medium
++
++ * Stop recommending long gone pdns-doc package
++ * Imported Upstream version 3.7.2 (Fixes CVE-2015-1868)
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 21 Apr 2015 19:13:05 +0200
++
++pdns-recursor (3.7.1-1) unstable; urgency=medium
++
++ * Imported Upstream version 3.7.1
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 14 Apr 2015 22:30:54 +0200
++
++pdns-recursor (3.6.2-2) unstable; urgency=medium
++
++ * Set package vendor for security status polling.
++ Requires directly including buildflags.mk so d/rules can modify
++ CXXFLAGS. (Closes: #767701)
++ * d/control: Update Vcs-Git and Vcs-Browser
++ * Fix "smoke" autopkgtest.
++ The test definition was incorrectly copied from the pdns-server
++ package.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sat, 15 Nov 2014 17:42:26 +0100
++
++pdns-recursor (3.6.2-1) unstable; urgency=high
++
++ * Imported Upstream version 3.6.2, a bugfix release (Closes: #767368)
++ * Remove API key patch, which has been incorporated upstream.
++
++ -- Christian Hofstaedtler <zeha@debian.org> Thu, 30 Oct 2014 17:22:19 +0100
++
++pdns-recursor (3.6.1-3) unstable; urgency=medium
++
++ * Apply API key patch from upstream
++ * Bump Standards-Version to 3.9.6 (no further changes)
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 21 Oct 2014 21:31:43 +0200
++
++pdns-recursor (3.6.1-2) unstable; urgency=medium
++
++ * Drop patch 'pdns-recursor-less-chatty'
++ * Ship native systemd unit file
++ * Enable extra hardening flags (PIE, bindnow)
++ * Add smoke test, testing example.org resolution
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sat, 13 Sep 2014 19:21:43 +0200
++
++pdns-recursor (3.6.1-1) unstable; urgency=high
++
++ * Imported Upstream version 3.6.1
++ Fixes security issue: CVE-2014-3614
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 09 Sep 2014 22:55:49 +0200
++
++pdns-recursor (3.6.0-2) unstable; urgency=medium
++
++ [ Christian Hofstaedtler ]
++ * Update debian/copyright file
++ * Remove boilerplate from debian/watch
++ * Update init script options:
++ Removed X-Start-After and X-Stop-Before, which were sent to irrelevant
++ services, and updated Description fields.
++ * Add status target to init script.
++ Thanks to Iain Georgeson <debian@iain.georgeson.me.uk> (Closes: #730684)
++
++ [ SATOH Fumiyasu ]
++ * Enable resolvconf hooks only when $RESOLVCONF is set to 'yes'
++ (Closes: #722659)
++
++ -- Christian Hofstaedtler <zeha@debian.org> Tue, 24 Jun 2014 13:27:38 +0200
++
++pdns-recursor (3.6.0-1) unstable; urgency=medium
++
++ * Imported Upstream version 3.6.0
++ * Drop upstream applied patches 1443, 1444, 1445
++
++ -- Christian Hofstaedtler <zeha@debian.org> Fri, 20 Jun 2014 12:34:10 +0200
++
++pdns-recursor (3.6.0~rc1-2) unstable; urgency=medium
++
++ * Switch to Lua 5.2
++
++ -- Christian Hofstaedtler <zeha@debian.org> Mon, 09 Jun 2014 20:12:24 +0200
++
++pdns-recursor (3.6.0~rc1-1) unstable; urgency=medium
++
++ * Imported Upstream version 3.6.0~rc1
++ * Replace local patches with upstream PRs
++ do-not-strip-binaries, hurd-ftbfs-patch, kfreebsd-ftbfs-patch and
++ remove-pdns_hw-patch are now pending upstream approval and merge.
++ * Add myself to Uploaders
++ * Bump Standards-Version to 3.9.5
++
++ -- Christian Hofstaedtler <zeha@debian.org> Sun, 01 Jun 2014 17:39:35 +0200
++
++pdns-recursor (3.5.3-1) unstable; urgency=low
++
++ * New upstream version
++
++ -- Matthijs Möhlmann <matthijs@cacholong.nl> Sun, 22 Sep 2013 14:45:58 +0200
++
++pdns-recursor (3.5.2-2) unstable; urgency=low
++
++ * Enable on all architectures (Closes: #579194)
++
++ -- Matthijs Möhlmann <matthijs@cacholong.nl> Sat, 24 Aug 2013 16:13:37 +0200
++
++pdns-recursor (3.5.2-1) unstable; urgency=low
++
++ * New upstream version (Closes: #710048, #682851, #671592, #697355, #649724)
++ - Refresh patches
++ * Improve the patch to make pdns-recursor less chatty
++ * Standards-Version: 3.9.4 (no changes necessary)
++ * Remove pdns_hw on cleanup (Closes: #652833)
++
++ -- Matthijs Möhlmann <matthijs@cacholong.nl> Tue, 06 Aug 2013 21:43:01 +0200
++
++pdns-recursor (3.3-3) unstable; urgency=low
++
++ * new maintainer team
++ * new Vcs links
++ * add Homepage
++ * debhelper 9 (enable hardening) (Closes: 656859)
++ * prepare new version
++ * set unapply-patches
++ * set Architecture to "all but arm{el,hf}" (Closes: 661959)
++ * Standards-Version: 3.9.3 (no changes necessary)
++
++ -- Marc Haber <mh+debian-packages@zugschlus.de> Mon, 18 Jun 2012 14:45:50 +0000
++
++pdns-recursor (3.3-2) unstable; urgency=low
++
++ * Fix my name in the init script and debian/control too.
++ * Update Standards-Version to 3.9.2
++ * Use new build system dh instead of individual dh_* commands.
++
++ -- Matthijs Möhlmann <matthijs@cacholong.nl> Mon, 08 Aug 2011 11:56:58 +0200
++
++pdns-recursor (3.3-1) unstable; urgency=low
++
++ * New upstream release. (Closes: #565052)
++ * Init loop is fixed in pdns (Closes: #594805)
++ * Now my name is spelled correctly.
++ * Update Standards-Version to 3.9.1
++ * Update the recursor.conf and include new configuration parameters.
++ * Add debug package (Closes: #594243)
++
++ -- Matthijs Möhlmann <matthijs@cacholong.nl> Sat, 22 Jan 2011 16:39:02 +0100
++
++pdns-recursor (3.2-4) unstable; urgency=high
++
++ * Upgrading from a previous version fails when the pdns-recursor isn't
++ started, this is RC bug hence urgency high. (Closes: #565415)
++ * Fix watch file
++ * Fix FTBFS on hurd again.
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Tue, 20 Jul 2010 13:42:45 +0200
++
++pdns-recursor (3.2-3) unstable; urgency=low
++
++ * Add watch file
++ * Switch to dpkg-source 3.0 (quilt) format
++ * Fix FTBFS on hurd
++ * Update logcheck rules. (Closes: #588135)
++ * Update Standards-Version to 3.9.0
++ * Use dh_installinit instead of the pdns-recursor.install file.
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Mon, 19 Jul 2010 14:39:02 +0200
++
++pdns-recursor (3.2-2) unstable; urgency=low
++
++ * Remove Christoph Haas from Uploaders. Thanks for the great work!
++ * Add fix for FTBFS thanks to Petr Salinger <Petr.Salinger@seznam.cz>
++ (Closes: #575006)
++ * Make pdns-recursor on startup less chatty (Closes: #438469)
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Sat, 03 Apr 2010 13:46:23 +0200
++
++pdns-recursor (3.2-1) unstable; urgency=low
++
++ * New upstream version.
++ * Update Standards-Version to 3.8.4
++ * Fix boot order, thanks to Petter Reinholdtsen (Closes: #566877)
++ * All architectures enabled, needs testing (Closes: #489925)
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Wed, 17 Mar 2010 10:59:28 +0100
++
++pdns-recursor (3.1.7.2-1) unstable; urgency=high
++
++ * New upstream version. (CVE-2009-4009 and CVE-2009-4010) (Closes: #564145)
++ * Make lintian happy.
++ * Now really add sh4 to the architecture list. (Closes: #551153)
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Fri, 08 Jan 2010 18:14:44 +0100
++
++pdns-recursor (3.1.7.1-4) unstable; urgency=low
++
++ * Add mips, mipsel and sh4 to the supported list of architectures, only arm,
++ armel and armeb are missing. See #369453 (Closes: #551153)
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Fri, 06 Nov 2009 18:09:29 +0100
++
++pdns-recursor (3.1.7.1-3) unstable; urgency=low
++
++ * Update incorrect dependencies in the init.d script. (Closes: #547033)
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Sun, 11 Oct 2009 18:46:58 +0200
++
++pdns-recursor (3.1.7.1-2) unstable; urgency=low
++
++ * Fixing FTBFS on several archs (Closes: #540867, #541689)
++ * Added hppa and sparc architectures. See #489925, leaving open because of
++ more unsupported architectures.
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Sun, 16 Aug 2009 15:39:54 +0200
++
++pdns-recursor (3.1.7.1-1) unstable; urgency=low
++
++ * New upstream release (Closes: #497920)
++ * Using new patch system quilt.
++ * Updated Standards-Version to 3.8.2
++ * Enable lua scripting support (Closes: #534893)
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Sun, 09 Aug 2009 12:58:06 +0200
++
++pdns-recursor (3.1.7-5) unstable; urgency=low
++
++ * Fix FTBFS bug with GCC 4.4 (closes: #506003)
++ * Make pdns-recursor available on hppa and sparc (closes: #489925)
++ by adding libc6-dev in a recent version to debian/control
++
++ -- Christoph Haas <haas@debian.org> Wed, 13 May 2009 21:36:55 +0200
++
++pdns-recursor (3.1.7-4) unstable; urgency=low
++
++ * Fix FTBFS bug (closes: #528164)
++
++ -- Christoph Haas <haas@debian.org> Mon, 11 May 2009 22:24:44 +0200
++
++pdns-recursor (3.1.7-3) unstable; urgency=low
++
++ * Fixed repository URL (SVN->Git)
++ * Increased policy version to 3.8.0 (lintian warning)
++ * Added proper description for gcc-4.2-ftbfs-fix.dpatch dpatch
++ (lintian warning)
++ * Fixed PIDFILE setting in init.d script (thanks to Serge Belyshev)
++
++ -- Christoph Haas <haas@debian.org> Sun, 14 Sep 2008 22:48:59 +0200
++
++pdns-recursor (3.1.7-2) unstable; urgency=low
++
++ * Regard return code from stopping pdns in init.d script (Closes: #478593)
++ * Fixed init.d script's force-stop function.
++
++ -- Christoph Haas <haas@debian.org> Sun, 14 Sep 2008 17:36:42 +0200
++
++pdns-recursor (3.1.7-1) unstable; urgency=low
++
++ * New upstream version (Closes: #490069) (Closes: #477130)
++ * init.d scripts gets socket-dir information from recursor.conf
++ (Closes: #471568)
++ * Added config file directives
++ * Set dont-query to nothing so it won't break pre-3.1.7 configs. (Closes: #476841)
++
++ -- Christoph Haas <haas@debian.org> Mon, 31 Mar 2008 21:51:59 +0200
++
++pdns-recursor (3.1.4-6) unstable; urgency=low
++
++ * Standards-Version 3.7.3.0
++ * Remove pdns_hw too on cleanup.
++ * Fix for truncating long TXT queries (Closes: #462114)
++ * Don't ignore build errors (Closes: #462128)
++ * Build option noopt was inoperative (Closes: #462126)
++ * Added gcc 4.3 fixes from upstream (Closes: #455631)
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Wed, 13 Feb 2008 22:49:08 +0100
++
++pdns-recursor (3.1.4-5) unstable; urgency=low
++
++ * daemon=no is now working if used in /etc/powerdns/recursor.conf
++ (Closes: #440020)
++ * patch added to reflect change of L root server (Closes: #449483)
++ * Makefile patched to prevent stripping of binaries (Closes: #437765)
++
++ -- Christoph Haas <haas@debian.org> Fri, 09 Nov 2007 21:57:58 +0100
++
++pdns-recursor (3.1.4-4) unstable; urgency=low
++
++ * Update to debhelper 5.
++ * Fix lintian warning: debian-rules-sets-DH_COMPAT.
++ * Restore the changelog, it was partly removed by accident. (Closes: #421393)
++ * Fix FTBFS with gcc-4.2 (Closes: #387113)
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Sun, 03 Jun 2007 15:11:22 +0200
++
++pdns-recursor (3.1.4-3) unstable; urgency=low
++
++ * Stop/stop script does not return an error code when being called as
++ 'stop' when the service is actually not running. (Closes: #406428)
++
++ -- Debian PowerDNS Maintainers <powerdns-debian@workaround.org> Wed, 21 Feb 2007 23:10:00 +0200
++
++pdns-recursor (3.1.4-2) unstable; urgency=medium
++
++ * Run pdns-recursor by default as non-privileged user. (Closes: #399669)
++ * swapcontext is supported by kfreebsd (Fixes a FTBFS) (Closes: #403746)
++ * Added lsb-base to the dependencies. (Closes: #402732)
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Mon, 25 Dec 2006 14:00:10 +0100
++
++pdns-recursor (3.1.4-1) unstable; urgency=medium
++
++ * New upstream release.
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Sun, 12 Nov 2006 23:52:20 +0100
++
++pdns-recursor (3.1.3-3) unstable; urgency=low
++
++ [ Matthijs Mohlmann ]
++ * Don't build pdns-recursor for the following architectures: arm, mips,
++ mipsel, hppa and sparc. No support for swapcontext system call.
++ (Closes: #395801)
++ * Fix a big endian problem with TCP processing large answers.
++ * Fix a crash on any record we couldn't properly print for whatever reason.
++
++ -- Matthijs Mohlmann <matthijs@cacholong.nl> Sun, 29 Oct 2006 17:50:34 +0100
++
++pdns-recursor (3.1.3-2) unstable; urgency=low
++
++ * Added patch to close a connectionless socket on an error.
++ * Added patch to fix a FD leak.
++ * Added missing lsb keyword Short-Description.
++
++ -- Debian PowerDNS Maintainers <powerdns-debian@workaround.org> Sun, 1 Oct 2006 14:52:46 +0200
++
++pdns-recursor (3.1.3-1) unstable; urgency=low
++
++ * New upstream release.
++ * Make a lsb compliant init script, fixes a lintian warning.
++
++ -- Debian PowerDNS Maintainers <powerdns-debian@workaround.org> Thu, 14 Sep 2006 21:20:56 +0200
++
++pdns-recursor (3.1.2-2) unstable; urgency=low
++
++ * Added patch to fix crashes on 64bit platforms (Closes: #380403)
++ * Added patch to prevent overwriting of auth data by unauth data.
++ * Fix a small memleak.
++
++ -- Debian PowerDNS Maintainers <powerdns-debian@workaround.org> Sun, 6 Aug 2006 13:20:45 +0200
++
++pdns-recursor (3.1.2-1) unstable; urgency=low
++
++ * New upstream release.
++ * Drop build-with-g++-4.1 patch. g++ 4.1 is default now. (Closes: #376696)
++ * Fixed minor typo in recursor.conf (Closes: #369957)
++ * Add logcheck rule for pdns-recursor to suppress logcheck warnings.
++ (Closes: #367702)
++
++ -- Debian PowerDNS Maintainers <powerdns-debian@workaround.org> Tue, 4 Jul 2006 19:16:19 +0200
++
++pdns-recursor (3.1.1-1) unstable; urgency=low
++
++ * New upstream version.
++
++ -- Debian PowerDNS Maintainers <powerdns-debian@workaround.org> Wed, 24 May 2006 19:41:09 +0200
++
++pdns-recursor (3.0.1-1) unstable; urgency=low
++
++ * New upstream release (Closes: #366681)
++
++ -- Debian PowerDNS Maintainers <powerdns-debian@workaround.org> Tue, 25 Apr 2006 21:27:26 +0200
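Review bot: the new top entry (4.1.11-1+deb10u2) targets "buster; urgency=medium", while the previous security upload directly below it (4.1.11-1+deb10u1) targets "buster-security; urgency=high". If this upload is meant for the security archive, the distribution field should say buster-security; please confirm which suite is intended. The CVE-2020-25829 item also reads only "Add patch to fix DoS"; a few words on what the patch changes, at the level of detail the CVE-2020-14196 item gives ("enforce 'webserver-allow-from' ACL"), would let someone auditing the changelog tell what was fixed without opening the patch file.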
--- /dev/null
--- /dev/null
++11
--- /dev/null
--- /dev/null
++Source: pdns-recursor
++Section: net
++Priority: optional
++Standards-Version: 4.2.1
++Maintainer: pdns-recursor packagers <pdns-recursor@packages.debian.org>
++Uploaders: Chris Hofstaedtler <zeha@debian.org>,
++ Marc Haber <mh+debian-packages@zugschlus.de>
++Build-Conflicts: libboost-context-dev [mips mipsel ppc64el]
++Build-Depends: debhelper (>= 11~),
++ libboost-context-dev [amd64 arm64 armel armhf i386],
++ libboost-dev,
++ libboost-program-options-dev,
++ libboost-test-dev,
++ liblua5.2-dev,
++ libprotobuf-dev,
++ libsodium-dev,
++ libssl-dev,
++ libsystemd-dev [linux-any],
++ pkg-config,
++ protobuf-compiler,
++ publicsuffix,
++ ragel
++Vcs-Git: https://salsa.debian.org/dns-team/pdns-recursor.git
++Vcs-Browser: https://salsa.debian.org/dns-team/pdns-recursor
++Homepage: https://www.powerdns.com/
++
++Package: pdns-recursor
++Architecture: any
++Built-Using: publicsuffix (= ${build:PublicSuffixVersion})
++Depends: adduser,
++ dns-root-data,
++ ${misc:Depends},
++ ${shlibs:Depends}
++Description: PowerDNS Recursor
++ High-performance resolving name server, utilizing multiple
++ processor and including Lua scripting capabilities.
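Review bot: in the Description field of the binary package stanza, "utilizing multiple processor" should read "multiple processors". This text is what users see in package listings, so it is worth correcting the next time debian/control is touched.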
--- /dev/null
--- /dev/null
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Upstream-Name: PowerDNS
++Source: https://www.powerdns.com/downloads.html
++
++Files: *
++Copyright: 2002 - 2018 PowerDNS.COM BV and contributors
++License: GPL-2 with OpenSSL Exception
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License version 2
++ as published by the Free Software Foundation
++ .
++ In addition, for the avoidance of any doubt, permission is granted to
++ link this program with OpenSSL and to (re)distribute the binaries
++ produced as the result of such linking.
++ .
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++ .
++ You should have received a copy of the GNU General Public License
++ along with this program; if not, write to the Free Software
++ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
++ .
++ On Debian systems, the full text of the GNU General Public
++ License version 2 can be found in the file
++ `/usr/share/common-licenses/GPL-2'.
++
++Files: debian/*
++Copyright: 2002 - 2004 Wichert Akkermann <wichert@wiggy.net>
++ 2004 - 2013 Matthijs Möhlmann <matthijs@cacholong.nl>
++ 2012 - 2013 Marc Haber <mh+debian-packages@zugschlus.de>
++ 2014 - 2018 Christian Hofstaedtler <zeha@debian.org>
++ 2016 - 2018 PowerDNS.COM BV and contributors
++License: GPL-2
++
++Files: ext/yahttp/*
++Copyright: 2014 Aki Tuomi
++License: Expat
++
++Files: ext/json11/*
++Copyright: 2013 Dropbox, Inc.
++License: Expat
++
++Files: ext/luawrapper/*
++Copyright: 2013, Pierre KRIEGER
++License: BSD-3
++
++License: BSD-3
++ Redistribution and use in source and binary forms, with or without
++ modification, are permitted provided that the following conditions are met:
++ * Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++ * Redistributions in binary form must reproduce the above copyright
++ notice, this list of conditions and the following disclaimer in the
++ documentation and/or other materials provided with the distribution.
++ * Neither the name of the <organization> nor the
++ names of its contributors may be used to endorse or promote products
++ derived from this software without specific prior written permission.
++ .
++ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
++ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
++ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
++ DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
++ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
++ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++
++License: Expat
++ Permission is hereby granted, free of charge, to any person obtaining a copy
++ of this software and associated documentation files (the "Software"), to deal
++ in the Software without restriction, including without limitation the rights
++ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ copies of the Software, and to permit persons to whom the Software is
++ furnished to do so, subject to the following conditions:
++ .
++ The above copyright notice and this permission notice shall be included in
++ all copies or substantial portions of the Software.
++ .
++ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
++ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ THE SOFTWARE.
++
++License: GPL-2
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 2 of the License.
++ .
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++ .
++ You should have received a copy of the GNU General Public License along
++ with this program; if not, write to the Free Software Foundation, Inc.,
++ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++ .
++ On Debian systems, the full text of the GNU General Public
++ License version 2 can be found in the file
++ `/usr/share/common-licenses/GPL-2'.
--- /dev/null
--- /dev/null
++[DEFAULT]
++debian-branch = buster
++pristine-tar = True
--- /dev/null
--- /dev/null
++function debian_load_rootkeys()
++ root_key_path = "/usr/share/dns/root.ds"
++ ds_list = {}
++ pdnslog("debian_load_rootkeys: Loading DNSSEC root keys from " .. root_key_path)
++ -- . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
++ for line in io.lines(root_key_path) do
++ ds = string.match(line, "^%.%s+IN%s+DS%s+(%d+%s+%d+%s+%d+%s+%S+)")
++ if ds then
++ table.insert(ds_list, ds)
++ end
++ end
++ if #ds_list > 0 then
++ pdnslog("debian_load_rootkeys: Removing built in root DS entries.")
++ clearDS()
++ for _, ds in pairs(ds_list) do
++ pdnslog("debian_load_rootkeys: Adding DS for root: " .. ds)
++ addDS(".", ds)
++ end
++ end
++end
++
++debian_load_rootkeys()
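Review bot: `root_key_path`, `ds_list` and `ds` in debian_load_rootkeys() are assigned without `local`, so they end up as globals in the Lua configuration environment; declare all three `local`. Separately, `io.lines(root_key_path)` raises an error when the file cannot be opened, so a missing or unreadable /usr/share/dns/root.ds aborts this script instead of falling back to the built-in anchors. Opening the file with io.open and logging through pdnslog when it fails would make that failure mode explicit.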
--- /dev/null
--- /dev/null
++From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
++Date: Tue, 30 Jun 2020 13:46:54 +0200
++Subject: Backport of acl check to 4.1.x
++
++An issue has been found in PowerDNS Recursor where the ACL applied to the
++internal web server via `webserver-allow-from` is not properly enforced,
++allowing a remote attacker to send HTTP queries to the internal web server,
++bypassing the restriction.
++
++Note that the web server is not enabled by default. Only installations using a
++non-default value for `webserver` and `webserver-address` are affected.
++
++Workarounds are: disable the webserver or set a password or an API key.
++Additionally, restrict the binding address using the `webserver-address`
++setting to local addresses only and/or use a firewall to disallow web requests
++from untrusted sources reaching the webserver listening address.
++
++Bug: https://www.openwall.com/lists/oss-security/2020/07/01/1
++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964103
++Origin: https://github.com/PowerDNS/pdns/commit/e81271189216dbf2850c6d4461dfc3f37c731ac8.patch
++Reviewed-by: Daniel Leidert <dleidert@debian.org>
++---
++ sstuff.hh | 2 +-
++ webserver.cc | 5 +----
++ webserver.hh | 7 +++++++
++ ws-recursor.cc | 9 +++++++++
++ ws-recursor.hh | 5 ++++-
++ 5 files changed, 22 insertions(+), 6 deletions(-)
++
++diff --git a/sstuff.hh b/sstuff.hh
++index 707b1ad..5ae6685 100644
++--- a/sstuff.hh
+++++ b/sstuff.hh
++@@ -111,7 +111,7 @@ public:
++ }
++
++ //! Check remote address against netmaskgroup ng
++- bool acl(NetmaskGroup &ng)
+++ bool acl(const NetmaskGroup &ng)
++ {
++ ComboAddress remote;
++ if (getRemote(remote))
++diff --git a/webserver.cc b/webserver.cc
++index f1a95f4..5a7054b 100644
++--- a/webserver.cc
+++++ b/webserver.cc
++@@ -344,16 +344,13 @@ void WebServer::go()
++ if(!d_server)
++ return;
++ try {
++- NetmaskGroup acl;
++- acl.toMasks(::arg()["webserver-allow-from"]);
++-
++ while(true) {
++ try {
++ auto client = d_server->accept();
++ if (!client) {
++ continue;
++ }
++- if (client->acl(acl)) {
+++ if (client->acl(d_acl)) {
++ std::thread webHandler(WebServerConnectionThreadStart, this, client);
++ webHandler.detach();
++ } else {
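Review bot: WebServer::go() now checks `client->acl(d_acl)`, and `d_acl` stays default-constructed unless some caller invokes setACL(); the only setACL() call visible in this patch is in the RecursorWebServer constructor. Please document on setACL() or on the `d_acl` member what an unset ACL matches, or populate `d_acl` from `webserver-allow-from` inside the WebServer constructor so that another user of the class cannot forget the call.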
++diff --git a/webserver.hh b/webserver.hh
++index b3ede89..2de84fd 100644
++--- a/webserver.hh
+++++ b/webserver.hh
++@@ -139,6 +139,11 @@ class WebServer : public boost::noncopyable
++ public:
++ WebServer(const string &listenaddress, int port);
++ virtual ~WebServer() { };
+++
+++ void setACL(const NetmaskGroup &nmg) {
+++ d_acl = nmg;
+++ }
+++
++ void bind();
++ void go();
++
++@@ -160,6 +165,8 @@ protected:
++ int d_port;
++ string d_password;
++ std::shared_ptr<Server> d_server;
+++
+++ NetmaskGroup d_acl;
++ };
++
++ #endif /* WEBSERVER_HH */
++diff --git a/ws-recursor.cc b/ws-recursor.cc
++index 0f71ee4..2393d75 100644
++--- a/ws-recursor.cc
+++++ b/ws-recursor.cc
++@@ -450,6 +450,11 @@ RecursorWebServer::RecursorWebServer(FDMultiplexer* fdm)
++ registerAllStats();
++
++ d_ws = new AsyncWebServer(fdm, arg()["webserver-address"], arg().asNum("webserver-port"));
+++
+++ NetmaskGroup acl;
+++ acl.toMasks(::arg()["webserver-allow-from"]);
+++ d_ws->setACL(acl);
+++
++ d_ws->bind();
++
++ // legacy dispatch
++@@ -610,6 +615,10 @@ void AsyncServer::newConnection()
++ // This is an entry point from FDM, so it needs to catch everything.
++ void AsyncWebServer::serveConnection(std::shared_ptr<Socket> client) const
++ try {
+++ if (!client->acl(d_acl)) {
+++ return;
+++ }
+++
++ HttpRequest req;
++ YaHTTP::AsyncRequestLoader yarl;
++ yarl.initialize(&req);
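Review bot: the new `if (!client->acl(d_acl)) { return; }` at the top of AsyncWebServer::serveConnection() rejects the client without any log line, while WebServer::go() has an `else` branch for clients that fail the ACL. Log the rejected remote address here as well, so that denials on the async path are visible to operators, and add a one-line comment that this is the enforcement point for `webserver-allow-from`.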
++diff --git a/ws-recursor.hh b/ws-recursor.hh
++index 9df3a81..13a3707 100644
++--- a/ws-recursor.hh
+++++ b/ws-recursor.hh
++@@ -32,7 +32,10 @@ class HttpResponse;
++
++ class AsyncServer : public Server {
++ public:
++- AsyncServer(const string &localaddress, int port) : Server(localaddress, port) { };
+++ AsyncServer(const string &localaddress, int port) : Server(localaddress, port)
+++ {
+++ d_server_socket.setNonBlocking();
+++ };
++
++ friend void AsyncServerNewConnectionMT(void *p);
++
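Review bot: the `d_server_socket.setNonBlocking();` added to the AsyncServer constructor is not explained by the commit message, which only describes the ACL check. Add a comment saying why the listening socket has to be non-blocking as part of this fix. The `;` after the constructor's closing brace is superfluous and can be dropped while touching these lines.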
--- /dev/null
--- /dev/null
++From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
++Date: Mon, 12 Oct 2020 10:08:08 +0200
++Subject: Backport of CVE-2020-25829 (any-cache-update) to 4.1.x
++
++An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5,
++and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a
++given name to be updated to the Bogus DNSSEC validation state, instead of their
++actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of
++service for installation that always validate (dnssec=validate), and for
++clients requesting validation when on-demand validation is enabled
++(dnssec=process).
++
++Origin: https://github.com/PowerDNS/pdns/commit/77409aab0be43071b365760213894d6388c3df30.patch
++Bug: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-07.html
++Bug-Debian: https://bugs.debian.org/972159
++Reviewed-by: Daniel Leidert <dleidert@debian.org>
++---
++ recursor_cache.cc | 10 +++++++---
++ 1 file changed, 7 insertions(+), 3 deletions(-)
++
++diff --git a/recursor_cache.cc b/recursor_cache.cc
++index 9ccecf8..216245c 100644
++--- a/recursor_cache.cc
+++++ b/recursor_cache.cc
++@@ -413,9 +413,14 @@ bool MemRecursorCache::doAgeCache(time_t now, const DNSName& name, uint16_t qtyp
++
++ bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname, const QType& qt, const ComboAddress& who, bool requireAuth, vState newState)
++ {
+++ if (qt == QType::ANY || qt == QType::ADDR) {
+++ // not doing that
+++ return false;
+++ }
+++
++ bool updated = false;
++ uint16_t qtype = qt.getCode();
++- if (qtype != QType::ANY && qtype != QType::ADDR && !d_ecsIndex.empty()) {
+++ if (!d_ecsIndex.empty()) {
++ auto entry = getEntryUsingECSIndex(now, qname, qtype, requireAuth, who);
++ if (entry == d_cache.end()) {
++ return false;
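Review bot: the comment `// not doing that` on the new early return in updateValidationStatus() does not say why ANY and ADDR are refused. The removed lines show that for these two types the loop did not `break` and therefore updated every matching cache entry for the name; say so in the comment and reference CVE-2020-25829. Callers now always get `false` for ANY/ADDR, which deserves a note in the function's documentation.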
++@@ -434,8 +439,7 @@ bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname,
++ i->d_state = newState;
++ updated = true;
++
++- if(qtype != QType::ANY && qtype != QType::ADDR) // normally if we have a hit, we are done
++- break;
+++ break;
++ }
++
++ return updated;
--- /dev/null
--- /dev/null
++Index: pdns-recursor/test-syncres_cc.cc
++===================================================================
++--- pdns-recursor.orig/test-syncres_cc.cc
+++++ pdns-recursor/test-syncres_cc.cc
++@@ -8299,6 +8299,59 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_n
++ BOOST_CHECK_EQUAL(queriesCount, 4);
++ }
++
+++BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nxdomain)
+++{
+++ std::unique_ptr<SyncRes> sr;
+++ initSR(sr, true);
+++
+++ setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+++
+++ primeHints();
+++ const DNSName target("powerdns.com.");
+++ testkeysset_t keys;
+++
+++ auto luaconfsCopy = g_luaconfs.getCopy();
+++ luaconfsCopy.dsAnchors.clear();
+++ generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+++ generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+++ generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+++ g_luaconfs.setState(luaconfsCopy);
+++
+++ size_t queriesCount = 0;
+++
+++ sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, std::shared_ptr<RemoteLogger> outgoingLogger, LWResult* res, bool* chained) {
+++ queriesCount++;
+++
+++ if (type == QType::DS || type == QType::DNSKEY) {
+++ return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+++ }
+++ else {
+++
+++ setLWResult(res, RCode::NXDomain, true, false, true);
+++ return 1;
+++ }
+++
+++ return 0;
+++ });
+++
+++ vector<DNSRecord> ret;
+++ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+++ BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+++ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+++ BOOST_REQUIRE_EQUAL(ret.size(), 0U);
+++ /* com|NS, powerdns.com|NS, powerdns.com|A */
+++ BOOST_CHECK_EQUAL(queriesCount, 3U);
+++
+++ /* again, to test the cache */
+++ ret.clear();
+++ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+++ BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+++ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+++ BOOST_REQUIRE_EQUAL(ret.size(), 0U);
+++ /* we don't store empty results */
+++ BOOST_CHECK_EQUAL(queriesCount, 4U);
+++}
+++
++ BOOST_AUTO_TEST_CASE(test_nsec_denial_nowrap) {
++ init();
++
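Review bot: in the async callback of test_dnssec_bogus_nxdomain the trailing `return 0;` is unreachable, because both branches of the preceding if/else return, and `target` is captured by the lambda but never used inside it. Drop both, and remove the empty line after `else {`.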
++Index: pdns-recursor/syncres.cc
++===================================================================
++--- pdns-recursor.orig/syncres.cc
+++++ pdns-recursor/syncres.cc
++@@ -2569,6 +2569,10 @@ bool SyncRes::processAnswer(unsigned int
++ if(lwr.d_rcode == RCode::NXDomain) {
++ LOG(prefix<<qname<<": status=NXDOMAIN, we are done "<<(negindic ? "(have negative SOA)" : "")<<endl);
++
+++ if (state == Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
+++ updateValidationState(state, Bogus);
+++ }
+++
++ if(d_doDNSSEC)
++ addNXNSECS(ret, lwr.d_records);
++
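Review bot: the new condition `state == Secure && (lwr.d_aabit || sendRDQuery) && !negindic` in the NXDomain branch of processAnswer() has no comment. Explain why an NXDOMAIN without the negative SOA indication is downgraded to Bogus when the state is Secure, and why the check is limited to answers with the AA bit set or to RD queries.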
--- /dev/null
--- /dev/null
++Index: pdns-recursor/rec-carbon.cc
++===================================================================
++--- pdns-recursor.orig/rec-carbon.cc
+++++ pdns-recursor/rec-carbon.cc
++@@ -26,9 +26,11 @@ try
++ return;
++
++ if(hostname.empty()) {
++- char tmp[80];
+++ char tmp[HOST_NAME_MAX+1];
++ memset(tmp, 0, sizeof(tmp));
++- gethostname(tmp, sizeof(tmp));
+++ if (gethostname(tmp, sizeof(tmp)) != 0) {
+++ throw std::runtime_error("The 'carbon-ourname' setting has not been set and we are unable to determine the system's hostname: " + stringerror());
+++ }
++ char *p = strchr(tmp, '.');
++ if(p) *p=0;
++
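Review bot: `char tmp[HOST_NAME_MAX+1];` relies on HOST_NAME_MAX, but the hunk adds no include. Make sure rec-carbon.cc includes `<climits>` (or `<limits.h>`) directly instead of depending on a transitive include, and add a fallback definition if any supported platform does not define the macro. Checking the gethostname() return value and throwing with the `carbon-ourname` hint is a good change.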
--- /dev/null
--- /dev/null
++Index: pdns-recursor/pdns_recursor.cc
++===================================================================
++--- pdns-recursor.orig/pdns_recursor.cc
+++++ pdns-recursor/pdns_recursor.cc
++@@ -3073,6 +3073,7 @@ static int serviceMain(int argc, char*ar
++ SyncRes::s_serverdownthrottletime=::arg().asNum("server-down-throttle-time");
++ SyncRes::s_serverID=::arg()["server-id"];
++ SyncRes::s_maxqperq=::arg().asNum("max-qperq");
+++ SyncRes::s_maxnsaddressqperq=::arg().asNum("max-ns-address-qperq");
++ SyncRes::s_maxtotusec=1000*::arg().asNum("max-total-msec");
++ SyncRes::s_maxdepth=::arg().asNum("max-recursion-depth");
++ SyncRes::s_rootNXTrust = ::arg().mustDo( "root-nx-trust");
++@@ -3553,6 +3554,7 @@ int main(int argc, char **argv)
++ ::arg().set("edns-outgoing-bufsize", "Outgoing EDNS buffer size")="1680";
++ ::arg().set("minimum-ttl-override", "Set under adverse conditions, a minimum TTL")="0";
++ ::arg().set("max-qperq", "Maximum outgoing queries per query")="50";
+++ ::arg().set("max-ns-address-qperq", "Maximum outgoing NS address queries per query")="10";
++ ::arg().set("max-total-msec", "Maximum total wall-clock time per query in milliseconds, 0 for unlimited")="7000";
++ ::arg().set("max-recursion-depth", "Maximum number of internal recursion calls per query, 0 for unlimited")="40";
++ ::arg().set("max-udp-queries-per-round", "Maximum number of UDP queries processed per recvmsg() round, before returning back to normal processing")="10000";
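Review bot: the help text for the new `max-ns-address-qperq` setting, "Maximum outgoing NS address queries per query", does not match what the syncres.cc part of this patch counts. The counter is incremented only when resolving an NS name sent at least one query and returned no addresses, and the effective limit is lowered for zones with more NS records than the setting. Reword the description, and add the setting to the documentation with that behaviour spelled out.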
++Index: pdns-recursor/test-syncres_cc.cc
++===================================================================
++--- pdns-recursor.orig/test-syncres_cc.cc
+++++ pdns-recursor/test-syncres_cc.cc
++@@ -119,7 +119,8 @@ static void init(bool debug=false)
++ t_RC = std::unique_ptr<MemRecursorCache>(new MemRecursorCache());
++
++ SyncRes::s_maxqperq = 50;
++- SyncRes::s_maxtotusec = 1000*7000;
+++ SyncRes::s_maxnsaddressqperq = 10;
+++ SyncRes::s_maxtotusec = 1000 * 7000;
++ SyncRes::s_maxdepth = 40;
++ SyncRes::s_maxnegttl = 3600;
++ SyncRes::s_maxcachettl = 86400;
++@@ -10229,6 +10230,48 @@ BOOST_AUTO_TEST_CASE(test_getDSRecords_m
++ }
++ #endif // HAVE_BOTAN110
++
+++BOOST_AUTO_TEST_CASE(test_completely_flawed_big_nsset)
+++{
+++ std::unique_ptr<SyncRes> sr;
+++ initSR(sr);
+++
+++ primeHints();
+++
+++ const DNSName target("powerdns.com.");
+++ size_t queriesCount = 0;
+++
+++ sr->setAsyncCallback([&queriesCount, target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, std::shared_ptr<RemoteLogger> outgoingLogger, LWResult* res, bool* chained) {
+++ queriesCount++;
+++
+++ if (isRootServer(ip) && domain == target) {
+++ setLWResult(res, 0, false, false, true);
+++ // 20 NS records
+++ for (int i = 0; i < 20; i++) {
+++ string n = string("pdns-public-ns") + std::to_string(i) + string(".powerdns.com.");
+++ addRecordToLW(res, domain, QType::NS, n, DNSResourceRecord::AUTHORITY, 172800);
+++ }
+++ return 1;
+++ }
+++ else if (domain.toString().length() > 14 && domain.toString().substr(0, 14) == "pdns-public-ns") {
+++ setLWResult(res, 0, true, false, true);
+++ addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+++ return 1;
+++ }
+++ return 0;
+++ });
+++
+++ vector<DNSRecord> ret;
+++ try {
+++ sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+++ BOOST_CHECK(0);
+++ } catch (const ImmediateServFailException& ex) {
+++ BOOST_CHECK_EQUAL(ret.size(), 0U);
+++ // one query to get NSs, then A and AAAA for each NS, 5th NS hits the limit
+++ // limit is reduced to 5, because zone publishes many (20) NS
+++ BOOST_CHECK_EQUAL(queriesCount, 11);
+++ }
+++}
+++
++ /*
++ // cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl;
++
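Review bot: `BOOST_CHECK_EQUAL(queriesCount, 11);` in test_completely_flawed_big_nsset compares a size_t with a signed literal, while the check two lines above uses `0U`; write `11U` to avoid a sign-compare warning. The `BOOST_CHECK(0)` inside the try block would be clearer as BOOST_CHECK_THROW on the beginResolve() call, or at least with a message saying an ImmediateServFailException was expected.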
++Index: pdns-recursor/syncres.cc
++===================================================================
++--- pdns-recursor.orig/syncres.cc
+++++ pdns-recursor/syncres.cc
++@@ -49,6 +49,7 @@ SyncRes::LogMode SyncRes::s_lm;
++ unsigned int SyncRes::s_maxnegttl;
++ unsigned int SyncRes::s_maxcachettl;
++ unsigned int SyncRes::s_maxqperq;
+++unsigned int SyncRes::s_maxnsaddressqperq;
++ unsigned int SyncRes::s_maxtotusec;
++ unsigned int SyncRes::s_maxdepth;
++ unsigned int SyncRes::s_minimumTTL;
++@@ -658,7 +659,7 @@ struct speedOrderCA
++
++ /** This function explicitly goes out for A or AAAA addresses
++ */
++-vector<ComboAddress> SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere, bool cacheOnly)
+++vector<ComboAddress> SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere, bool cacheOnly, unsigned int& addressQueriesForNS)
++ {
++ typedef vector<DNSRecord> res_t;
++ res_t res;
++@@ -670,6 +671,7 @@ vector<ComboAddress> SyncRes::getAddrs(c
++ bool oldCacheOnly = d_cacheonly;
++ bool oldRequireAuthData = d_requireAuthData;
++ bool oldValidationRequested = d_DNSSECValidationRequested;
+++ const unsigned int startqueries = d_outqueries;
++ d_requireAuthData = false;
++ d_DNSSECValidationRequested = false;
++ d_cacheonly = cacheOnly;
++@@ -719,6 +721,10 @@ vector<ComboAddress> SyncRes::getAddrs(c
++ }
++ }
++
+++ if (ret.empty() && d_outqueries > startqueries) {
+++ // We did 1 or more outgoing queries to resolve this NS name but returned empty handed
+++ addressQueriesForNS++;
+++ }
++ d_requireAuthData = oldRequireAuthData;
++ d_DNSSECValidationRequested = oldValidationRequested;
++ d_cacheonly = oldCacheOnly;
++@@ -1425,13 +1431,13 @@ bool SyncRes::nameserverIPBlockedByRPZ(c
++ return false;
++ }
++
++-vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly)
+++vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly, unsigned int& retrieveAddressesForNS)
++ {
++ vector<ComboAddress> result;
++
++ if(!tns->empty()) {
++ LOG(prefix<<qname<<": Trying to resolve NS '"<<*tns<< "' ("<<1+tns-rnameservers.begin()<<"/"<<(unsigned int)rnameservers.size()<<")"<<endl);
++- result = getAddrs(*tns, depth+2, beenthere, cacheOnly);
+++ result = getAddrs(*tns, depth+2, beenthere, cacheOnly, retrieveAddressesForNS);
++ pierceDontQuery=false;
++ }
++ else {
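Review bot: the new parameter in the definition of SyncRes::retrieveAddressesForNS() is named `retrieveAddressesForNS`, the same as the function itself, while the declaration in syncres.hh calls it `addressQueriesForNS`. Rename it to `addressQueriesForNS` here too; the current name shadows the member function inside its own body and hides what the counter means at the getAddrs() call.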
++@@ -2643,10 +2649,24 @@ int SyncRes::doResolveAt(NsSet &nameserv
++
++ LOG(endl);
++
+++ unsigned int addressQueriesForNS = 0;
++ for(;;) { // we may get more specific nameservers
++ vector<DNSName > rnameservers = shuffleInSpeedOrder(nameservers, doLog() ? (prefix+qname.toString()+": ") : string() );
++
+++ // We allow s_maxnsaddressqperq (default 10) queries with empty responses when resolving NS names.
+++ // If a zone publishes many (more than s_maxnsaddressqperq) NS records, we allow less.
+++ // This is to "punish" zones that publish many non-resolving NS names.
+++ // We always allow 5 NS name resolving attempts with empty results.
+++ unsigned int nsLimit = s_maxnsaddressqperq;
+++ if (rnameservers.size() > nsLimit) {
+++ int newLimit = static_cast<int>(nsLimit) - (rnameservers.size() - nsLimit);
+++ nsLimit = std::max(5, newLimit);
+++ }
+++
++ for(auto tns=rnameservers.cbegin();;++tns) {
+++ if (addressQueriesForNS >= nsLimit) {
+++ throw ImmediateServFailException(std::to_string(nsLimit)+" (adjusted max-ns-address-qperq) or more queries with empty results for NS addresses sent resolving "+qname.toLogString());
+++ }
++ if(tns==rnameservers.cend()) {
++ LOG(prefix<<qname<<": Failed to resolve via any of the "<<(unsigned int)rnameservers.size()<<" offered NS at level '"<<auth<<"'"<<endl);
++ if(!auth.isRoot() && flawedNSSet) {
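Review bot: in the nsLimit computation in doResolveAt(), `static_cast<int>(nsLimit) - (rnameservers.size() - nsLimit)` mixes an int with size_t operands, so the subtraction is carried out unsigned and a negative `newLimit` only appears through wraparound when the result is converted back to int. Do the arithmetic in a signed type explicitly. The comment "We always allow 5 NS name resolving attempts" also does not hold for a `max-ns-address-qperq` below 5: with an NS set no larger than the setting the limit stays below 5, and with a larger NS set `std::max(5, newLimit)` raises it above the configured value. Either clamp against the configured value or document the floor.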
++@@ -2698,7 +2718,7 @@ int SyncRes::doResolveAt(NsSet &nameserv
++ }
++ else {
++ /* if tns is empty, retrieveAddressesForNS() knows we have hardcoded servers (i.e. "forwards") */
++- remoteIPs = retrieveAddressesForNS(prefix, qname, tns, depth, beenthere, rnameservers, nameservers, sendRDQuery, pierceDontQuery, flawedNSSet, cacheOnly);
+++ remoteIPs = retrieveAddressesForNS(prefix, qname, tns, depth, beenthere, rnameservers, nameservers, sendRDQuery, pierceDontQuery, flawedNSSet, cacheOnly, addressQueriesForNS);
++
++ if(remoteIPs.empty()) {
++ LOG(prefix<<qname<<": Failed to get IP for NS "<<*tns<<", trying next if available"<<endl);
++Index: pdns-recursor/syncres.hh
++===================================================================
++--- pdns-recursor.orig/syncres.hh
+++++ pdns-recursor/syncres.hh
++@@ -677,6 +677,7 @@ public:
++ static string s_serverID;
++ static unsigned int s_minimumTTL;
++ static unsigned int s_maxqperq;
+++ static unsigned int s_maxnsaddressqperq;
++ static unsigned int s_maxtotusec;
++ static unsigned int s_maxdepth;
++ static unsigned int s_maxnegttl;
++@@ -743,13 +744,13 @@ private:
++
++ inline vector<DNSName> shuffleInSpeedOrder(NsSet &nameservers, const string &prefix);
++ bool moreSpecificThan(const DNSName& a, const DNSName &b) const;
++- vector<ComboAddress> getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere, bool cacheOnly);
+++ vector<ComboAddress> getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere, bool cacheOnly, unsigned int& addressQueriesForNS);
++
++ bool nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& nameservers);
++ bool nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAddress&);
++ bool throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery);
++
++- vector<ComboAddress> retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly);
+++ vector<ComboAddress> retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly, unsigned int& addressQueriesForNS);
++ RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask>, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool sendRDQuery);
++ bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount);
++
--- /dev/null
--- /dev/null
++testrunner-log-verbosity
++stack-size
++bogus-empty-nxd-4.1.15.diff
++hostname-4.1.15.diff
++ns-ampl-4.1.15.diff
++CVE-2020-14196.patch
++CVE-2020-25829.patch
--- /dev/null
--- /dev/null
++diff --git a/test-mtasker.cc b/test-mtasker.cc
++index f6f1b5b46..fd7e52899 100644
++--- a/test-mtasker.cc
+++++ b/test-mtasker.cc
++@@ -48,7 +48,7 @@ static void willThrow(void* p)
++
++ BOOST_AUTO_TEST_CASE(test_MtaskerException) {
++ BOOST_CHECK_THROW( {
++- MTasker<> mt;
+++ MTasker<> mt(200000); // stack-size default value from pdns_recursor.cc.
++ mt.makeThread(willThrow, 0);
++ struct timeval now;
++
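Review bot: `MTasker<> mt(200000);` hardcodes the stack size and relies on a comment to tie it to the default in pdns_recursor.cc, so the two values will drift apart if the default changes. Use a shared named constant, or state in the comment why the test needs at least this size.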
--- /dev/null
--- /dev/null
++Index: pdns-recursor/Makefile.am
++===================================================================
++--- pdns-recursor.orig/Makefile.am
+++++ pdns-recursor/Makefile.am
++@@ -74,7 +74,7 @@ TESTS=test_libcrypto
++
++ if UNIT_TESTS
++ noinst_PROGRAMS = testrunner
++-TESTS_ENVIRONMENT = env BOOST_TEST_LOG_LEVEL=message SRCDIR='$(srcdir)'
+++TESTS_ENVIRONMENT = env BOOST_TEST_LOG_LEVEL=test_suite BOOST_TEST_REPORT_LEVEL=detailed SRCDIR='$(srcdir)'
++ TESTS += testrunner
++ else
++ check-local:
--- /dev/null
--- /dev/null
++# Variables for PowerDNS recursor init script.
++# Not honored when systemd is the running init.
++#
++# Set START to yes to start the pdns-recursor
++START=yes
++# Run resolvconf? (Deprecated feature.)
++RESOLVCONF=no
--- /dev/null
--- /dev/null
++etc/powerdns/recursor.d
--- /dev/null
--- /dev/null
++rrd
--- /dev/null
--- /dev/null
++#!/bin/sh
++### BEGIN INIT INFO
++# Provides: pdns-recursor
++# Required-Start: $network $remote_fs $syslog
++# Required-Stop: $network $remote_fs $syslog
++# Default-Start: 2 3 4 5
++# Default-Stop: 0 1 6
++# Short-Description: PowerDNS Recursor - Recursive DNS Server
++# Description: PowerDNS Recursor - Recursive DNS Server
++### END INIT INFO
++
++#
++# Authors: Matthijs Möhlmann <matthijs@cacholong.nl>
++# Christoph Haas <haas@debian.org>
++#
++# Thanks to:
++# Thomas Hood <jdthood@aglu.demon.nl>
++#
++# initscript for PowerDNS recursor
++
++# Load lsb stuff for systemd redirection (if available).
++if [ -e /lib/lsb/init-functions ]; then
++ . /lib/lsb/init-functions
++fi
++
++PATH=/sbin:/bin:/usr/sbin:/usr/bin
++DESC="PowerDNS Recursor"
++NAME=pdns_recursor
++DAEMON=/usr/sbin/$NAME
++# Derive the socket-dir setting from /etc/powerdns/recursor.conf
++# or fall back to the default /var/run if not specified there.
++PIDDIR=$(awk -F= '/^socket-dir=/ {print $2}' /etc/powerdns/recursor.conf)
++if [ -z "$PIDDIR" ]; then PIDDIR=/var/run; fi
++PIDFILE=$PIDDIR/$NAME.pid
++
++# Gracefully exit if the package has been removed.
++test -x $DAEMON || exit 0
++
++# Read config file if it is present.
++if [ -r /etc/default/pdns-recursor ]; then
++ . /etc/default/pdns-recursor
++fi
++
++start() {
++# Return
++# 0 if daemon has been started / was already running
++# >0 if daemon could not be started
++ start-stop-daemon --start --oknodo --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null || return 0
++ start-stop-daemon --start --oknodo --quiet --pidfile $PIDFILE --exec $DAEMON -- --daemon=yes || return 2
++}
++
++start_resolvconf() {
++ if [ "X$RESOLVCONF" = "Xyes" ] && [ -x /sbin/resolvconf ]; then
++ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.pdns-recursor
++ fi
++ return 0
++}
++
++stop() {
++# Return
++# 0 if daemon has been stopped
++# 1 if daemon was already stopped
++# 2 if daemon could not be stopped
++# other if a failure occured
++ start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME
++ RETVAL="$?"
++ [ "$RETVAL" = 2 ] && return 2
++ rm -f $PIDFILE
++ return "$RETVAL"
++}
++
++stop_resolvconf() {
++ if [ "X$RESOLVCONF" = "Xyes" ] && [ -x /sbin/resolvconf ]; then
++ /sbin/resolvconf -d lo.pdns-recursor
++ fi
++ return 0
++}
++
++isrunning()
++{
++ /usr/bin/rec_control ping > /dev/null
++ return $?
++}
++
++case "$1" in
++ start)
++ if [ "$START" != "yes" ]; then
++ echo "Not starting $DESC -- disabled."
++ exit 0
++ fi
++ echo -n "Starting $DESC: $NAME ..."
++ start
++ case "$?" in
++ 0)
++ start_resolvconf
++ echo done
++ break
++ ;;
++ 1)
++ echo "already running"
++ break
++ ;;
++ *)
++ echo "failed"
++ exit 1
++ ;;
++ esac
++ ;;
++ stop)
++ stop_resolvconf
++ echo -n "Stopping $DESC: $NAME ..."
++ stop
++ case "$?" in
++ 0)
++ echo done
++ break
++ ;;
++ 1)
++ echo "not running"
++ break
++ ;;
++ *)
++ echo "failed"
++ exit 1
++ ;;
++ esac
++ ;;
++ restart|force-reload)
++ if [ "$START" != "yes" ]; then
++ $0 stop
++ exit 0
++ fi
++ echo -n "Restarting $DESC ..."
++ stop
++ case "$?" in
++ 0|1)
++ start
++ case "$?" in
++ 0)
++ echo done
++ exit 0
++ ;;
++ 1)
++ echo "failed -- old process still running"
++ exit 1
++ ;;
++ *)
++ echo "failed to start"
++ exit 1
++ ;;
++ esac
++ ;;
++ *)
++ echo "failed to stop"
++ exit 1
++ ;;
++ esac
++ ;;
++ status)
++ if isrunning; then
++ echo "$NAME is running"
++ exit 0
++ else
++ echo "$NAME is not running or not responding"
++ exit 3
++ fi
++ ;;
++ *)
++ echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
++ exit 3
++ ;;
++esac
++
++exit 0
++
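Review bot: The `break` statements in the `start)` and `stop)` result handlers sit inside a `case`, not a loop, so they do nothing useful; POSIX leaves `break` outside a loop unspecified and some shells warn about it. Drop them and let `;;` end each branch. In the `restart|force-reload)` branch, `start` is called without `start_resolvconf`, so a restart issued while the daemon was stopped (`stop` returning 1) leaves `lo.pdns-recursor` unregistered with resolvconf, unlike the `start)` branch. `$PIDFILE` is also unquoted in `stop()` (`rm -f $PIDFILE`) and in the `start-stop-daemon` calls; quote it.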
--- /dev/null
--- /dev/null
++# Source carries OpenSSL Exception
++pdns-recursor: possible-gpl-code-linked-with-openssl
++# We load lsb-functions conditionally.
++pdns-recursor: init.d-script-needs-depends-on-lsb-base
--- /dev/null
--- /dev/null
++^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pdns_recursor\[[0-9]+\]: stats: .*
--- /dev/null
--- /dev/null
++pdns_recursor.1
++rec_control.1
--- /dev/null
--- /dev/null
++#!/bin/sh
++set -e
++
++case "$1" in
++ configure)
++ addgroup --system pdns
++ adduser --system --home /var/spool/powerdns --shell /bin/false --ingroup pdns --disabled-password --disabled-login --gecos "PowerDNS" pdns
++ ;;
++
++ *)
++ echo "postinst called with unknown argument \`$1'" >&2
++ exit 1
++ ;;
++esac
++
++# Startup errors should never cause dpkg to fail.
++initscript_error() {
++ return 0
++}
++
++#DEBHELPER#
++
++exit 0
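Review bot: The catch-all `*)` branch exits 1 for every argument other than `configure`, which includes `abort-upgrade`, `abort-remove` and `abort-deconfigure`; dpkg calls postinst with those while unwinding a failed operation, so the unwind itself would fail here. Add a no-op branch `abort-upgrade|abort-remove|abort-deconfigure)` ahead of the catch-all. Because `initscript_error` always returns 0, a recursor that fails to start is still reported as a successful configure; the comment should say that this is deliberate and that service state has to be checked separately.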
--- /dev/null
--- /dev/null
++#!/bin/sh
++set -e
++
++# Startup errors should never cause dpkg to fail.
++initscript_error() {
++ return 0
++}
++
++#DEBHELPER#
++
++exit 0
--- /dev/null
--- /dev/null
++-- Debian default Lua configuration file for PowerDNS Recursor
++
++-- Load DNSSEC root keys from dns-root-data package.
++-- Note: If you provide your own Lua configuration file, consider
++-- running rootkeys.lua too.
++dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
++
--- /dev/null
--- /dev/null
++#!/usr/bin/make -f
++include /usr/share/dpkg/architecture.mk
++include /usr/share/dpkg/pkg-info.mk
++include /usr/share/dpkg/vendor.mk
++
++# Vendor and version
++version := $(DEB_VERSION).$(DEB_VENDOR)
++CXXFLAGS += -DPACKAGEVERSION='"$(version)"'
++
++# (Re-)Enable warnings
++CXXFLAGS += -Wall
++
++# Turn on all hardening flags, as we're a networked daemon.
++# Note: blhc (build log hardening check) will find these false positivies: CPPFLAGS 2 missing, LDFLAGS 1 missing
++export DEB_BUILD_MAINT_OPTIONS = hardening=+all
++
++# Disable systemd integration on non-linux archs
++ifeq ($(DEB_HOST_ARCH_OS),linux)
++CONFIGURE_ARGS += --enable-systemd --with-systemd=/lib/systemd/system
++else
++CONFIGURE_ARGS += --disable-systemd
++endif
++
++SUBSTVARS = -Vbuild:PublicSuffixVersion=$(shell (dpkg-query -W publicsuffix | awk '{print $$2}'))
++
++
++%:
++ dh $@
++
++override_dh_auto_clean:
++ dh_auto_clean
++ rm -f effective_tld_names.dat
++ chmod +x mkpubsuffixcc || true
++
++override_dh_auto_configure:
++ cp -f /usr/share/publicsuffix/public_suffix_list.dat effective_tld_names.dat
++ dh_auto_configure -- \
++ --sysconfdir=/etc/powerdns \
++ --enable-reproducible \
++ --enable-unit-tests \
++ --with-lua \
++ --enable-libsodium \
++ --with-protobuf=yes \
++ $(CONFIGURE_ARGS)
++
++override_dh_auto_install:
++ dh_auto_install
++ install -d debian/pdns-recursor/usr/share/pdns-recursor/lua-config
++ install -m 644 -t debian/pdns-recursor/usr/share/pdns-recursor/lua-config debian/lua-config/rootkeys.lua
++ install -m 644 -t debian/pdns-recursor/etc/powerdns debian/recursor.lua
++ rm -f debian/pdns-recursor/etc/powerdns/recursor.conf-dist
++ ./pdns_recursor --no-config --config | sed \
++ -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \
++ -e 's!# include-dir=.*!&\ninclude-dir=/etc/powerdns/recursor.d!' \
++ -e 's!# local-address=.*!local-address=127.0.0.1!' \
++ -e 's!# lua-config-file=.*!lua-config-file=/etc/powerdns/recursor.lua!' \
++ -e 's!# quiet=.*!quiet=yes!' \
++ -e 's!# setgid=.*!setgid=pdns!' \
++ -e 's!# setuid=.*!setuid=pdns!' \
++ -e 's!# hint-file=.*!&\nhint-file=/usr/share/dns/root.hints!' \
++ -e 's!# security-poll-suffix=.*!&\nsecurity-poll-suffix=!' \
++ > debian/pdns-recursor/etc/powerdns/recursor.conf
++
++override_dh_auto_test:
++ dh_auto_test
++ -cat testrunner.log
++
++override_dh_installinit:
++ dh_installinit --error-handler=initscript_error
++
++override_dh_gencontrol:
++ dh_gencontrol -- $(SUBSTVARS)
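Review bot: In `override_dh_auto_install`, the sed pipeline that generates `recursor.conf` only rewrites lines matching the commented defaults printed by `./pdns_recursor --no-config --config`; if an upstream release renames or drops one of those lines, the build still succeeds and the package ships without `setuid=pdns`, `setgid=pdns` or `local-address=127.0.0.1`. Follow the pipeline with a `grep -q` for each required setting so the build fails when a substitution did not apply. Running the freshly built binary at build time also prevents cross-building, and the emptied `security-poll-suffix=` deserves a comment explaining why it is cleared.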
--- /dev/null
--- /dev/null
++3.0 (quilt)
--- /dev/null
--- /dev/null
++# Source is in html/js/d3.js
++pdns-recursor source: source-is-missing html/js/d3.v3.js line length is 32005 characters (>512)
--- /dev/null
--- /dev/null
++Tests: smoke
++Depends: @, dnsutils
++Restrictions: needs-root
--- /dev/null
--- /dev/null
++#!/bin/bash
++exec 2>&1
++set -ex
++
++cat <<EOF >>/etc/powerdns/recursor.conf
++auth-zones=example.org=/etc/powerdns/example.org.zone
++EOF
++
++cat <<EOF >/etc/powerdns/example.org.zone
++example.org. 172800 IN SOA ns1.example.org. dns.example.org. 1 10800 3600 604800 3600
++example.org. 172800 IN NS ns1.example.org.
++smoke.example.org. 172800 IN A 127.0.0.123
++EOF
++
++service pdns-recursor restart
++
++TMPFILE=$(mktemp)
++cleanup() {
++ rm -f "$TMPFILE"
++}
++trap cleanup EXIT
++
++dig @127.0.0.1 smoke.example.org 2>&1 | tee "$TMPFILE"
++
++if grep -c '127\.0\.0\.123' "$TMPFILE"; then
++ echo success
++else
++ echo smoke could not be resolved
++ exit 1
++fi
++
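Review bot: The script appends `auth-zones=` to the live `/etc/powerdns/recursor.conf` with `>>` and writes `example.org.zone`, but the `cleanup` trap only removes `$TMPFILE`, so the testbed stays modified and a second run appends a duplicate setting. Either restore both files in `cleanup` or declare `breaks-testbed` next to `needs-root` in the test's Restrictions. `grep -c` works as the condition only because it exits non-zero on zero matches; `grep -q` states the intent, and `dig +short` would let the check compare the answer exactly instead of matching the address anywhere in the output.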
--- /dev/null
--- /dev/null
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++
++mQINBFT0b7IBEADHlzJvds1NqKEDhOAG0IWGN4J/jBvO5dPPFqwDJaU32x+4wTw0
++OOxCcgFYdzWPl17nFwjC8yeXvbACCZNz62Kg5o1lWA6Mdx8eazCiGOuTdUbndZDB
++lrIEAs1OUZmqxTSydDnaRNCtLTE2o0t4MaidczjinUn2RkvrtvlCsi1HpQdO5mUT
++r/bmp7v4mvCP5vERuY2+qVc1KbqFltCeV0KAOpr1kRGyQ4D9LFloFkr7ftF0ba3B
++0fbInu2uMp46MC+jPok5uEoT66l+U7sZsCUkHH02Y6s/uXJ6ack84/phtv4xwRER
++lpC97Md+7N7qIYVrdhGVbsiHFEDIoBrLAqfdteivoocguLRI/EUn26J9+bezhmCZ
++UUu1f62iJuBnWCwjpELNMlCIpWugHAucaUZx1xyF71DR65NZwMs+TxBEf+gYlvrz
++Dm6J8fhkfKFH6PtrjIOC0mCsfqOY4FgRYknTZd4ECufkbMKXRX88qvYGX+Fr1Tgn
++QR9GChEPIiWF9e3a5J+DljBu7tEJ0LOhnWU3ApUCTE1lQSGgrUTDQsbil+lyPVjo
++MI+rxzP4o3roDyzrFEr/rlnCv3x+0kqprSXTJqcDShVJq+GU2lmeUCy7+pF2yKCq
++hChcF5CQD4Jt+plRBPq7stxaDZdLpvUtFvLRl4LO6TJjNAGf5x2+kfvupQARAQAB
++tChQaWV0ZXIgTGV4aXMgPHBpZXRlci5sZXhpc0Bwb3dlcmRucy5jb20+iQI+BBMB
++AgAoBQJU9G+yAhsDBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBe
++UHFb8v/hp0tWEADG6hcabGBjLFUacKxWdfzV8n3pC5O1wlg/vmIMGddHfI10AL9A
++R5ebm5KQhLmXW+0qhJC4Cm40X8OCg6q4u4gxo8KGHJJqodcZdtKsk2JH3kJyos7g
++VpjbFS9CU9MVMyoXBwYdW1seBTxfoqIzpWUCysFYj6RjmnLLZQXD30T0IWj+0Cyq
++zlb1UHdHm3227I0gT/qJYpOjlkYsl4iH7AJhqtDhQ7ZPn+4yNlCDAvvwA6bpczJi
++Xa/JdvMIKLnbVTPsOCweoWxTmEr1cvpHDKliPskOuA8ujpxVSOXGR948UF74qhLP
++kDczOI1EN+yqd0zwRA7xzUJHWJZZOxNuHnBf24v95AyEgX1aG0nTBjBEcTyYZzVg
++ht7BD/lj0+W3gyssHFl+JDh6ZoS98EcSW2cxLrAOyF8nnm9gFn7CQXTLTOVK9ruM
++lvQ6vbjRQ7176OJkF6jNGj5qSjeSK0s0wU//Wyr7uojiPiQYhGPwOcAskq6iLI6n
++ieVmnOnTwnDbMS1danRFTFdnoPOgP5W8pj4kIOcScxekUhcJlaW8nuxxanCky8G2
++SR83+OgqYBcitFrmr6fdDca69KE2h8X5wB5Uw3VzMm5t2e8JRFxINoUoea60ymH4
++4LaCCUZAo2kYeNI0ZCDNGC8ebkeTwZOoQM44pP+7GL4BuV7j62ty+mPFxrkCDQRU
++9G+yARAAo3nHYN3tSBd8wTGnRWxWoe2UjxSuGPEPjjG3ortE81z+ua0Vw0IufeY3
++SHEGOv+4AdSILqgtB1lKPzbOxhZzZ1m6wGqFVqS4x14DCfYanciBIJbqCRAh+d3d
++GO96IvjwaGFFOc9rR4uwIoiXPajBuJvatj+8VK56gqphjuKVPZxSUxVAKHX/4qDZ
++PRHZnIi5hVJu15BzbVHClUBlhEe74nXnVi1tX4RwM4SNYWJDfOWXyFC361TWQZ9V
++Py+J68uz+xztCEMaCuzzrOmqcVOCcgExMr7J42FPlDggz10SChwGeI6BJxYchz8l
++EYHTC8UG9LNYZ20xAvrM76m/ZAtKwmp9RkW+v1XlvXkYtQqAaR7UBMGOpPmIFqb3
++H0dMPfugR+WqsqRlpzQwlnDkyDVK6LgC2+vKMYJxAKMIViGtLo1GMvjzGBdABQK4
++y1cbtSASmjA/1rJNMLN/PcQJ21VvNW4RzdmHtjc5w3t2HyuRZFMllzuhgNbRUMPo
++6Mbevkz3E8USS0vzBv4F3JbkBNyr/o7Xqov3W7eQPqaLV+qhjfhdRicA/5kCslC5
++Jc5XGQiGGTfTpylW0sX59sUPPW475Db0Y7jt98dCKMyK/0f7s+E9B/VXuFKDY9r0
+++KR/wWv3q4EEn66wCTA8iAfkkSIGOywkBQd6ziL4Px4qgGN1S9cAEQEAAYkCJQQY
++AQIADwUCVPRvsgIbDAUJCWYBgAAKCRBeUHFb8v/hp4PlD/9AoyzBd9MY0Ypv/v6s
++8ftjmdUukegdpqfe9ZUMQfIAgO3Z/NFIUmWTB3zHqNjd+IrSOBxIUG/to0zoELzY
++79+szKaWYx0FIOPsWm72VN9xawdoYQ/2XTU5u5Qg/O7ysc9O35QKZLHMNtFXp2PB
++PNc9eRrliyv1KhPcCubG1aBQd+psDRaoIfFt6AQSUyaMVgRZ6mbu2q7Gl4RFqVVt
++vt+iNklmlhZiD8K1G7sCF0rr/ofpLBDnVV6/OwIMV+KrD7OODes+e8oQiM+oN6MO
++0dOiKJbA0hPMMjli99d1+lBNUeUMqgF9ckNAbZnD0YdOUgv70Xu1nj9qvk8hzKzN
++f2Czf1vV+GO5aDy9/H6ZljBGjU/0YGTxY6g26sWKcjeispnbH692D2Da83GJXNFk
++aZb6WYdw+uz4SPV7kbG9nOxgFNY1c3vWWtWaz6XAgiYKeetiPRNQ/muMe8PX7Ihg
++5DzpuSMtx04PRR/FVFjN7sK3re+GZUMkJBNV2IEY6h646iTmoyYPEMOJniLWNEAf
+++ZMZgFtYfejqCgVGauRmkPAIbT5x/uKXhkBxvX70i+fKbpKnixh5EsIHTDyBWGUx
++4iA7drVZG4u7xN7ryj5tW2abzNk+pvWVJFVld/T9VvZZKlr10lX4rdRkVKRXdqJz
++O0bNI8W2fVX4kYtjm5WfVpL7bJkCDQROXyaRARAA5exKafKcYORDQWOCjO1P5a8U
++YN9wTwyXGU8apwi2zQnRDkjtUxI941pdRxIdt+jZVi7x7F4K7CogdY19N+6utkCq
++6ddLa0DLDOkIhFI8JqxicYMb9g//lNjyT4evxJRYcdT6hhAtSId6U6T9WCDc31+n
++EPf3t53OuAXAU0KmANv2CL+KRzGF2az5t/fCWWz6U9KLfYIHS7pVGEkSUPXXzSWx
++qbLTDHzpANiBb35inOQU+WP2QGshe8TwRBmwTC2mbk/KvseUt/Wcs8cwjEiCQ+52
++AIe6iNMYqLH7vGMo1zzd8dTmF5HQSs2BJPI4vcYMjWf/R5bKtyYSc7hirlyrgtxi
++n/AXDcNCR/v1Vpqvt5Hd9GvHchoAlvmCaJPs8qOdVllS3if/+bWdvxr0YWyIrwOh
++qdnMUJcJfTro+0pATUVr4wSVKzdDRdRcSqNWKvThAqtioC595dr1EVvi1LXVw22X
++J/RnGGxhyBNMXQhkEh/x/g5IJU+t60CIATdjE0OJYbp/+QAS6u7PNgQLWpIUOUvt
++4A/i8pAnLwsYBwKVdvMiSU92WfkLerjbR39suk+HiaYhPm1iaRt7owsM0Mbt8eS+
+++ozoIkWo+h3MM0+/S6Y2TM4ZytbCoQwLiT9lTSGIQF5/FBfs+eHZgUSufLfM0FaK
++fgaSQBO0DPwxQ6d7i4cAEQEAAbQsUGV0ZXIgdmFuIERpamsgPHBldGVyLnZhbi5k
++aWprQHBvd2VyZG5zLmNvbT6JAjgEEwECACIFAlTKH88CGwMGCwkIBwMCBhUIAgkK
++CwQWAgMBAh4BAheAAAoJENz1E/p+7Rnzo4YP/jbQIh/QFRk5m6XTRzclq5j8YDuV
++yrXy2fuIM+g9UKRcBTv2Dy/YjfEYc7GSQnrLSOrT/b7gT75LuzXdSBX7mZVJoNuo
++H7VE0FJkTHf5TJtuuFjmD17tdoPPj75FMF38qAHHd9pzqUjJKYhcpkTfBrU8yJuK
++joFgNvpnRVjJdMU0rir+tDIjSLMxCg/NFMQ0tm0o9XL9lQcQxcJpa8zxGv6M8QCP
++bfQsWPC7+grBH6+ch0ljpFf5qkqPuDnoHTY4kUaHjKNP21ATrZGUspI9jjUlQZ9a
++CDmELRaK1IbUcmRSySIjtdbM54EQ6kWDrJZjDC7mdpPv2/yuBPY7yb8+8rfmNwTz
++rI0bVfbT+6EiiaUzeNz0502yjDNkaVUzd2z7X4WdfokLm5NMth9l2ijpyl+sBHY2
++ljqAUekkc1c0s/HYDqr5HwYQP2yXIcFh58nJJO22SVzLM2n55CWc1v3lXrqKVIJM
++lnjB6epZ4KcKUqgj159dM5t2wWDUjhXQgl9kLN4QfHy4vDkBr/abopGZr3SMC9Y1
++j9RhJJD/eMRU7b+MKoAcpMko0zAbPcxAzjhqtsdp3VCWblKaGOwBwbc5jK38Lrh8
++MhR301aWpRN+kun+w/FAOt9bzvwRnA4/ucZwIYUwYohW8KKzYwH2bOP23ympuL+a
++2G/q4s/jiWFWtJvStC1QZXRlciB2YW4gRGlqayA8cGV0ZXIudmFuLmRpamtAbmV0
++aGVybGFicy5ubD6JAjgEEwECACIFAk5fJpECGwMGCwkIBwMCBhUIAgkKCwQWAgMB
++Ah4BAheAAAoJENz1E/p+7RnzoQQQAJjEVUbLcBd4blXL6EW3VMqIMFbxBt4CiHRj
++sSo02+rUMWLOqZBERfynv0oufhrW3AqTO0OMoqPLWjWFNeOHOdKieBJdcXHDJPO8
++qRUpbcYh5CXr54X09d5WZU8sGipnd8wxO68J8g+5vux3xscEaZTwWZTwyelWA77O
++xJm6WlPPxJ+lTyIuhVC3KoBUWRwfNrxE/ij/0tkVFoIXvczbAQqB6+nApHZvtoR4
++Wys4bzmCWuo9PUj0r3+eyjsWEB0A4Ya1bwaJOchubi/Gq99wfp71zJC8FcSMWmoG
++PRnpg6oLpkxC8YreV/16DUgiMnxUPyJAEpb+AH0MMudmp6tnUaWBs/hWnpyWPXqj
++t6wzs7X31X2oj93ANKjnSpglOgUEBKk4GTyOuBo3S+kyXD9WW977kyKVtUQf3U5E
++HUR08UA/DuEJPGDnMa9lujXM17h//iyixa0RhJXX+ZRKRwEAZqj6H8wNayF045Jd
++wMJ6TIePuymV2ltyG5E0M5l5SOc4fELNHJyHvjhi1Fb23lqBxNhvdm8+RtwtFz+Q
++tFwihP/cEBMue5lcj5Bkvwx3NERJxoPi/Qe82mLZLaMCdlP++jzvSrsVrRWkyw+i
++08T0+Dp9/V5YoEUkhSfNp1w26FtrFVqC4XpVxtjda32Ipw3aygpOqEkCxNsy3+C1
++buzr/QK9uQINBE5fJpEBEADOFiLByCv9fv9/UGW4d++olV33ODVXRNyA/y6M8/SQ
++2p45KUnKYpMLoA8ILlcfvCXTtrU8qOiU86YmfgqGsZo7nSaVE0+3w+TjXAHdbLaR
++ylEBcCXM1Oi0l6U0AqZoVebNd6cLpsY8pikZaLcS3a/fs8RZdHuFUxW+aI+CJNsL
++urHoXCLe9wMTN/AvLJhUa0XoD0C9l56vQRPllBdssmN0zlQCuUz9jG8EE5K0zok2
++CWXTRzZb4yKWWsRyji6srTV0pl59ZNtJ4rZsrLCM79GhAtVHZLViC/4A9Wfko6yU
++Ae/8ueg8e6OoK+idjGWXqO2ttdUy3W5Xow+mzIxmh+Ak5485pDLQwv9m/hVHN8d/
++xpUBeIVgeImk+Ggo4ijlTUIGkMgHkU7L9QVKKn/Cw8rVtfzHWpS2BJSku+7evRxE
++PR0sre0B1N7IwBuqoLKPMlp/Hm2Ann5tZcmUj9wW72f1KaCrgfmhpV47Xml0ISES
++0QNU4Io4hgN2MNXU3M9gm+NsOFDWcOK+ecjetEA0QR+Jdcq0T5bXcgGl96hIOOFP
++2ey1NmEw1/uCS9TuGRPrJw1bEzzKbmS70RZMQixtRU12WnGUV385Rc8OmFoaZx1G
++DkTt3xoW/jyjCmBJaE8i8sI5FSxxW72j7bPenQsVsg63DDqoYIiziyaO6gvv0qvJ
++PQARAQABiQIfBBgBAgAJBQJOXyaRAhsMAAoJENz1E/p+7Rnzb9QP/3WFlfry9Y4i
++/l+L0UgqwzPGwZrf3GXzeTtItx2DzHUg/ZVa/TvlmCiaIMRF19aH4BDu+K8GcRsN
++HK6zDfFTPUoDGd44qBiNeTRdyDZwNa+dxjRoSeCVZ89CldjSrbIZOwrUsa46EfKq
++ZcGzDCAlYEyBEVT9Xp7jm9xRLW4SOK3MvtlE8N4cFEQYSH1KLVRTukirt2S7HCLW
++4jcaU6k6S+gCKfVDq2Y3KnwrhbPD/ue7rrAB3KehmIYSITSHV3+uEULO4LXS1Vu9
++c9HYksbtyhVpa1zsdK65u0UwEJ9VTi5eFuaAT73BdmVUL3fOCO+EzLaT9DEQxYC7
++itBxxVcg339L8e+q7m0IKJus/Go4iGujHxJne8/cYUE+T1NBQKWGOh/5Fu2qPn9o
++diCI8//kIx7mJ9AqqnI5JCwu+kQIEIx2DvTSKS/RovTviNgBc/GIzit4TqcTKxfy
++4zybcQVxhRMD+LnfocwzI8Gmuz5JXJgz1AbkgyIGzb7FTQOoJ+wJG0J+jR/gyJna
++6c4KUq9RRzG4yFqqV1mwGbZjrq8Z/X+WVzygIDL5VeE0uDWap1k+R2QirNm+T3nd
++i/swHSz+TZssya0iMlUyeyTCy3wi2lrv6rB0RrdcPOoHsIO7jD3QNSBL4412iFjY
++WClKuopPgza6tGN31LkYN+UB2j03Gm/nmQGiBDz2UqURBADq+b0jXuV5JOOq+WrJ
++JEOreZoptPiO+gtEQf1ITUTXEMDJWnnyGQ2LafrwbS7eD/Ih8yLvk32FL1CiITA8
++FkS59v8vRRRd8Ag046cEENAsFbESXAnpv4EVXKzK/K1IlJj4ZFAId6ARv4n96CmS
++xR6kc+SSywoNkeH310z3yDq/YwCg72sX/D6YNASqBTd2lVDxNcW2fgkD/jgyGV52
++61rU0EKqIcN+/W1CwCXIwm0MGRN4/fMQfzoC6sux519M6mB+4HLtW7lWLP5LVBlM
++iC8AJlHJf711NNPxV5Xol+rOlc78tpfxbr0N19/QDUPVhIgEL3rui0x2YWWME0uC
++PTZWKe9+RJEQOPA/RPoDb9v8XMzcDx3RVAVyBACDUeqNJ6Z8e+mcXjC6DRBvg4jt
++0bd1k0/FN/a6GxrpdpglU8XSBErJhB5rvxfVhVwYrO8M4uyTx/2a29ssRCFAOGtI
++jr3R6J4hoRusgDTr3NRjqjKbw/2EVpN+oePu9oGIQYy/5woZRN4ftabntQkqXtjo
++IjIl2JcA0Nr81sl1obQZYmVydCBodWJlcnQgPGFodUBkczlhLm5sPohfBBMRAgAX
++BQI89lKlBQsHCgMEAxUDAgMWAgECF4AAEgkQHF7pkNLnFXUHZUdQRwABASq1AKDk
++dusIoMiNKktSMWfCbg/oMJcmYwCg38laBCCqB2Oudv6+OebHWSMHrNi0JWJlcnQg
++aHViZXJ0IChmb3gpIDxodWJlcnRAZm94LWl0LmNvbT6ISQQwEQIACQUCVA/k0wId
++IAAKCRAcXumQ0ucVdWFPAKC9315eBt4gCqWUfUj6EfaexeTj/ACgnv7tMyoH4Nv7
++jK1BG4JQ0S7Fewe0JmJlcnQgaHViZXJ0IDxiZXJ0Lmh1YmVydEBuZXRzY291dC5j
++b20+iEkEMBECAAkFAlQP5PICHSAACgkQHF7pkNLnFXWhrgCg3bm+cERc+F75j2Da
++MhdStYhcCoMAoLzC6QFrVqICjXAWt7LUhRetEb+LtDNiZXJ0IGh1YmVydCAoY29y
++cG9yYXRlKSA8YmVydC5odWJlcnRAbmV0aGVybGFicy5ubD6IXwQTEQIAFwUCQoys
++wgULBwoDBAMVAwIDFgIBAheAABIJEBxe6ZDS5xV1B2VHUEcAAQFGrgCg4ZgRb7G4
++H15PKPfOJX6C9PD0wEIAn3HjAg1fNN9WP8vP9UnlbiH08FEZtDFiZXJ0IGh1YmVy
++dCAocG93ZXJkbnMpIDxiZXJ0Lmh1YmVydEBwb3dlcmRucy5jb20+iGIEExECACIF
++Ald/SwoCGyMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEBxe6ZDS5xV1BKEA
++nikLxRY1dyV+u+r9ImnaY7AmZ+x6AJ9GWMGzivQldWwZYPYYh7f3TTE0+bkBDQQ8
++9lKoEAQAvChVI1iQYngKQtFxxelx4Uv+10B/HaIn4Obk2LqJrbc6yS+zatqOBl0p
++M7jOTRRZp549P7U72jApCW2/bKzdcQNJlJRV7FIe5E1qZNf84AsKBHqphe/7FxHY
++ypekmcvAiZG1B5cmQDEW+ebIBqrPBolNFYUjgDaPMZz0Nr5xoyMAAwYD/jfkkn6j
++JwMSZPUHMuVGBTQlCQ3+b70XClBV5uN0UIKyWx7dRtZD7vuf+NqblygnRlsAsEuh
++99ggWKOL7zUjcXJKtHWrMhjhVtPg/4we19rOY7Z9/n8Jc427dTffAX84CHLuuSEZ
++omYQ1uds9DMMayRSiO5BOOXqeP9ItLElyHb4iE4EGBECAAYFAjz2UqgAEgkQHF7p
++kNLnFXUHZUdQRwABARDzAKDK/3G2YXuVXtDDiPe599ncuzJEPwCg471sTokR9Dn3
++3H9ZFpjspd5Z+dGZAQ0EWOzWBQEIALuqBv3556Glk00Hu866hDtDEOtLeyVXOJA8
++ySsKYIwacAHzaTa2whLLzfx3XdwBWKtly1o3hlduwfwL1l3aMh4zamHFgl58a+P6
++fGTlPEEehi+1silIT3QPbqxzOowiwe93UVkJiTqhapGbFDmnguiLZYTWhgAuGYRr
++EpvtNmnJU+6TrDTO8DH834uoYTESqs+fuOVw6Ab84th+Qucq1LB3yKsHhyq7m0en
++81a22xVXIl5+CKZts7pH8bRTTSMn6eo97k1KJ2E15hoRnnrshlduxhzbRjrx1wfq
++OZ0mVzuNHSJYlGvUKnbtNTatOZXRfUAlqMqcsYkXz8t3QLz/cuUAEQEAAbQtV2lu
++a2VscywgRXJpayA8ZXJpay53aW5rZWxzQG9wZW4teGNoYW5nZS5jb20+iQExBBMB
++AgAbBQJY7NYFAhsDBAsJCAcGFQoJCAsCBQkSzAMAAAoJEG/8M0ObDQTfcIcH/32n
++9IqQwvOqh+rNjl3vHn3on4MdUebEIIg3QkhGtBb912Rdbvqp2lJxLDtgI1EolYbm
++ab1HRRBXh0x4ErGt2yJSruyQrTPp6RKX/dP7tAghTPHtiZ5JK/KjhvuBgjbZ4xiy
++3ge/ZVJoEOuxzPfZlK+MOz75RqT7eH4mBvfB4oBr67OTfAzbYQOGRXNSsRzhHr9x
++CGXk1zlNHheyXrwpPm9wD2RahRPRXscagv+HKI7W8taDLY500C3iX7ux3VfzJcy0
++ub4m0ru96VFJRrdwi8O7WT7oJEZvxV/QtG7sXfo7dt+ryRAKxu3er24Hmk1S9iVh
++owEGnq/JRMOIg1ioRj25AQ0EWOzWBQEIAJ+8XbWUGbMEpYf0gEfnxznD6WxBf3j4
++E2GWiqfGYHd5rQPMErrk0DXmxCwSWjJf0+96KNvJ4wrQ/G5gAUj7R7OChXWFt/KZ
++eaEBCJQd0de41pjBQ7+kVb8cRTBt3gCLWC0xEkbYn7jk9T/Rqm7fOkkmt8x2i5+j
++k83M+lteR1aFbwIIA9dMuG5lm5jz+a1Hu6fK65A2V8lsBacp3+D3NNXIwl19UEh7
++u1H6Pg1R67BuePT2iKo/TYyLrfD/G4pLr8HoU19wXEkJq4S/yzoYr9oABZ3spTSa
++fNoVYaxqmerpBHSC5EY/D1t2QfR0C6pUVOVjxaGjYNoaajd0kA4BXqcAEQEAAYkB
++MQQYAQIAGwUCWOzWBQIbDAQLCQgHBhUKCQgLAgUJEswDAAAKCRBv/DNDmw0E3+Da
++CACIyXcUOmgyGqFXmRXC8MVzc5NcKEE6amh13Cwb75xjmXI9p2nvcklCiIAF4MrJ
++JqR22Hkok0SqlcrUb5vjJw2/CZ4PNdbWM1PaB7AyKmiqvM4lpFfH2hR1U1miQZdM
++8V1CXmzOH6DGwuZNU3jUNyYvEbidIxBcJT282Zp/jC9hZFGLL7VL1he0hUvF3WyD
++mQo9RSe0xNrLCTNN+HE2VaTEk7L0dAcVS/NbOv0BJkdB0LqlHGOAE5ahv/iUxO/6
++FCpxjtb6qfCQwUQXjRrMSTSwdSTTlKA015yy44aEXfRnMH9zOPKYbZeJMFOCsfc8
++fU3LLuacV5Kv6l4aJyRYJaN/
++=z55N
++-----END PGP PUBLIC KEY BLOCK-----
--- /dev/null
--- /dev/null
++# Site Directory Pattern Version Script
++version=3
++opts="pgpsigurlmangle=s/$/.asc/,versionmangle=s/-(alpha|beta|rc)/~$1/" https://downloads.powerdns.com/releases/ pdns-recursor-(4\.1\..*)\.tar\.bz2 debian uupdate