pkgsrc-WIP-changes archive


net/dnsdist: Update to version 2.0.3



Module Name:	pkgsrc-wip
Committed By:	Marcin Gondek <drixter%e-utp.net@localhost>
Pushed By:	drixter
Date:		Tue Mar 31 13:56:30 2026 +0200
Changeset:	1abcbb217a5fd85c3858fe92f40fc31151c925a0

Added Files:
	dnsdist/COMMIT_MSG
	dnsdist/DESCR
	dnsdist/Makefile
	dnsdist/PLIST
	dnsdist/distinfo
	dnsdist/files/dnsdist.sh
	dnsdist/files/smf/manifest.xml
	dnsdist/patches/patch-configure

Log Message:
net/dnsdist: Update to version 2.0.3

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=1abcbb217a5fd85c3858fe92f40fc31151c925a0

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 dnsdist/COMMIT_MSG              | 42 +++++++++++++++++++++++
 dnsdist/DESCR                   |  4 +++
 dnsdist/Makefile                | 75 +++++++++++++++++++++++++++++++++++++++++
 dnsdist/PLIST                   |  4 +++
 dnsdist/distinfo                |  6 ++++
 dnsdist/files/dnsdist.sh        | 24 +++++++++++++
 dnsdist/files/smf/manifest.xml  | 28 +++++++++++++++
 dnsdist/patches/patch-configure | 15 +++++++++
 8 files changed, 198 insertions(+)

diffs:
diff --git a/dnsdist/COMMIT_MSG b/dnsdist/COMMIT_MSG
new file mode 100644
index 0000000000..ad77715739
--- /dev/null
+++ b/dnsdist/COMMIT_MSG
@@ -0,0 +1,42 @@
+net/dnsdist: Update to version 2.0.3
+
+Released: 31st of March 2026
+Improvements
+Add a metric for the latency of the latest health-check
+References: pull request 16863
+Export DNS flags via ProtoBuf
+References: pull request 16865
+Add a histogram of health-check latencies for backends
+References: pull request 16883
+
+Bug Fixes
+CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI"
+References: pull request 17065
+CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged into the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard
+References: pull request 17066
+CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets
+References: pull request 17067
+CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the "nghttp2" provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL
+References: pull request 17068
+CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service
+References: pull request 17069
+CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service
+References: pull request 17071
+CVE-2026-27854: Denial of service when using "DNSQuestion:getEDNSOptions" method in custom Lua code
+References: pull request 17070
+Fix wrong address being inserted in the rings for responses
+References: pull request 16851
+Work around Quiche not dealing well with removed congestion algorithms
+References: pull request 16867
+Fix build error when only protobuf is enabled
+References: pull request 16584
+Add missing #if statements to dnsdist-lua.cc
+References: pull request 16592
+Do not keep stale cache entries around for empty pools
+References: pull request 16850
+Fix handling of IP-only TLS certificates
+References: pull request 16860
+Handle escaped values in YAML SpoofRaw parameters
+References: pull request 16866
+Don't start the NetworkListener thread in config check mode
+References: pull request 16900
diff --git a/dnsdist/DESCR b/dnsdist/DESCR
new file mode 100644
index 0000000000..8b6e998da8
--- /dev/null
+++ b/dnsdist/DESCR
@@ -0,0 +1,4 @@
+dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its
+goal in life is to route traffic to the best server, delivering top
+performance to legitimate users while shunting or blocking abusive
+traffic.
diff --git a/dnsdist/Makefile b/dnsdist/Makefile
new file mode 100644
index 0000000000..fb81760bd9
--- /dev/null
+++ b/dnsdist/Makefile
@@ -0,0 +1,75 @@
+# $NetBSD: Makefile,v 1.46 2026/02/06 10:05:30 wiz Exp $
+
+DISTNAME=	dnsdist-2.0.3
+CATEGORIES=	net
+MASTER_SITES=	https://downloads.powerdns.com/releases/
+EXTRACT_SUFX=	.tar.xz
+
+MAINTAINER=	drixter%e-utp.net@localhost
+HOMEPAGE=	https://dnsdist.org/
+COMMENT=	Highly DNS-, DoS- and abuse-aware loadbalancer
+LICENSE=	gnu-gpl-v2
+
+TOOL_DEPENDS+=		${PYPKGPREFIX}-yaml-[0-9]*:../../textproc/py-yaml
+
+USE_LANGUAGES=		c c++
+USE_CXX_FEATURES=	c++11
+USE_TOOLS+=		gmake pkg-config
+GNU_CONFIGURE=		yes
+
+.include "../../mk/bsd.prefs.mk"
+
+BUILD_DEFS+=			DNSDIST_USER DNSDIST_GROUP
+DNSDIST_USER?=			dnsdist
+DNSDIST_GROUP?=			dnsdist
+PKG_GROUPS+=			${DNSDIST_GROUP}
+PKG_USERS+=			${DNSDIST_USER}:${DNSDIST_GROUP}
+PKG_GECOS.${DNSDIST_USER}=	dnsdist daemon user
+
+CHECK_WRKREF_SKIP+=		bin/dnsdist
+
+FILES_SUBST+=	DNSDIST_USER=${DNSDIST_USER}
+FILES_SUBST+=	DNSDIST_GROUP=${DNSDIST_GROUP}
+
+CONFIGURE_ARGS+=	--enable-dns-over-tls
+CONFIGURE_ARGS+=	--enable-dnscrypt
+CONFIGURE_ARGS+=	--enable-dnstap
+CONFIGURE_ARGS+=	--with-libsodium
+CONFIGURE_ARGS+=	--with-libssl
+CONFIGURE_ARGS+=	--with-lua
+CONFIGURE_ARGS+=	--with-nghttp2
+CONFIGURE_ARGS+=	--with-re2
+CONFIGURE_ARGS+=	--without-net-snmp
+CONFIGURE_ARGS+=	--enable-dns-over-https
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+=	--with-boost=${BUILDLINK_PREFIX.boost-headers}
+
+.include "../../mk/readline.buildlink3.mk"
+
+.if ${READLINE_TYPE} == "editline"
+CONFIGURE_ARGS+=	--with-libedit
+CONFIGURE_ENV+=		LIBEDIT_CFLAGS="-I${BUILDLINK_PREFIX.editlinereadline}/include"
+CONFIGURE_ENV+=		LIBEDIT_LIBS="-L${BUILDLINK_PREFIX.editlinereadline}/lib ${BUILDLINK_LDADD.editlinereadline}"
+.else
+CONFIGURE_ARGS+=	--without-libedit
+.endif
+
+EGDIR=			${PREFIX}/share/examples/dnsdist
+CONF_FILES=		${EGDIR}/dnsdist.conf-dist ${PKG_SYSCONFDIR}/dnsdist.conf
+INSTALLATION_DIRS+=	${EGDIR}
+INSTALL_MAKE_FLAGS=	${MAKE_FLAGS} sysconfdir=${EGDIR}
+
+RCD_SCRIPTS+=		dnsdist
+
+.include "../../databases/lmdb/buildlink3.mk"
+.include "../../security/gnutls/buildlink3.mk"
+.include "../../devel/boost-headers/buildlink3.mk"
+.include "../../devel/re2/buildlink3.mk"
+.include "../../lang/lua/buildlink3.mk"
+.include "../../net/fstrm/buildlink3.mk"
+.include "../../security/libsodium/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
+.include "../../www/nghttp2/buildlink3.mk"
+.include "../../lang/python/pyversion.mk"
+.include "../../mk/atomic64.mk"
+.include "../../mk/bsd.pkg.mk"
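Review bot: `USE_CXX_FEATURES= c++11` looks too low for this release; as far as I recall dnsdist 2.x builds as C++17, so on platforms where pkgsrc has to pick a newer compiler this setting will not pull one in and the build fails late in compilation rather than at configure time — worth confirming against upstream's `configure.ac` and bumping to `USE_CXX_FEATURES= c++17` if so. The `# $NetBSD: Makefile,v 1.46 2026/02/06 ...` header carries a main-tree RCS revision into wip; the usual form for a wip import is a bare `# $NetBSD$` so the Id does not go stale. The rest of the configure selection (DoT, DoH via nghttp2, DNSCrypt, no SNMP) matches the dependencies that are buildlinked, and the 2.0.3 tarball already contains the fixes listed in COMMIT_MSG, so no extra patching is needed for the CVEs.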
diff --git a/dnsdist/PLIST b/dnsdist/PLIST
new file mode 100644
index 0000000000..f84e457785
--- /dev/null
+++ b/dnsdist/PLIST
@@ -0,0 +1,4 @@
+@comment $NetBSD: PLIST,v 1.3 2025/08/12 07:22:24 wiz Exp $
+bin/dnsdist
+man/man1/dnsdist.1
+share/examples/dnsdist/dnsdist.conf-dist
diff --git a/dnsdist/distinfo b/dnsdist/distinfo
new file mode 100644
index 0000000000..f06171eb31
--- /dev/null
+++ b/dnsdist/distinfo
@@ -0,0 +1,6 @@
+$NetBSD: distinfo,v 1.23 2025/12/04 23:18:59 wiz Exp $
+
+BLAKE2s (dnsdist-2.0.3.tar.xz) = 8c052b5f0636aa6d1515c9431c033e53b4adc345e0999e1d32c079fb20a6548f
+SHA512 (dnsdist-2.0.3.tar.xz) = 10922b91c39433414fee61e09894fbe1bc4b860558f3f6b4e729db0c561d33a22a17beff4162432bbc0a479b9edbaece735ae1f566a58b7d2da60b7e97b376b9
+Size (dnsdist-2.0.3.tar.xz) = 2285640 bytes
+SHA1 (patch-configure) = d9ec9f3416862f471a3029168681b9512ced68b9
diff --git a/dnsdist/files/dnsdist.sh b/dnsdist/files/dnsdist.sh
new file mode 100644
index 0000000000..c4b5d56543
--- /dev/null
+++ b/dnsdist/files/dnsdist.sh
@@ -0,0 +1,24 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: dnsdist.sh,v 1.2 2022/10/24 11:08:15 jperkin Exp $
+#
+# PROVIDE: dnsdist 
+# REQUIRE: DAEMON network
+# KEYWORD: shutdown
+
+if [ -f /etc/rc.subr ]; then
+	. /etc/rc.subr
+fi
+
+name="dnsdist"
+rcvar=$name
+command="@PREFIX@/bin/dnsdist"
+dnsdist_flags="${dnsdist_flags:- -u @DNSDIST_USER@ -g @DNSDIST_GROUP@ -C @PKG_SYSCONFDIR@/dnsdist.conf}"
+
+if [ -f /etc/rc.subr ]; then
+        load_rc_config $name
+	run_rc_command "$1"
+else
+	echo -n "${name}"
+	${command} ${dnsdist_flags}
+fi
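Review bot: The fallback branch taken when `/etc/rc.subr` is absent ignores `$1`, so `dnsdist.sh stop` (or `status`) on such a system starts another dnsdist instance instead; it also runs the daemon in the foreground with a non-POSIX `echo -n`. The branch should at least honour the action argument, and I would not assume dnsdist detaches itself (recent releases are supervisor-oriented, so if it does not, this line blocks whatever invoked the script). Separately, line `load_rc_config $name` is indented with spaces while the rest of the file uses tabs, and the `# PROVIDE: dnsdist ` line has a trailing space.
```shell
if [ -f /etc/rc.subr ]; then
	load_rc_config $name
	run_rc_command "$1"
else
	# No rc.subr: only "start" is supported, and dnsdist is
	# left in the foreground of the caller.
	case "${1:-start}" in
	start)
		printf '%s' "${name}"
		${command} ${dnsdist_flags}
		;;
	*)
		echo "${name}: unsupported action '$1' without rc.subr" >&2
		exit 1
		;;
	esac
fi
```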
diff --git a/dnsdist/files/smf/manifest.xml b/dnsdist/files/smf/manifest.xml
new file mode 100644
index 0000000000..739af89727
--- /dev/null
+++ b/dnsdist/files/smf/manifest.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<service_bundle type="manifest" name="export">
+  <service name="@SMF_PREFIX@/@SMF_NAME@" type="service" version="1">
+    <create_default_instance enabled="false" />
+    <single_instance />
+    <dependency name="network" grouping="require_all" restart_on="error" type="service">
+      <service_fmri value="svc:/milestone/network:default" />
+    </dependency>
+    <dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
+      <service_fmri value="svc:/system/filesystem/local" />
+    </dependency>
+    <exec_method type="method" name="start" exec="@PREFIX@/bin/dnsdist --supervised -u @DNSDIST_USER@ -g @DNSDIST_GROUP@ -C %{config_file} &amp;" timeout_seconds="60" />
+    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60" />
+    <property_group name="startd" type="framework">
+      <propval name="duration" type="astring" value="contract" />
+      <propval name="ignore_error" type="astring" value="core,signal" />
+    </property_group>
+    <property_group name="application" type="application">
+      <propval name="config_file" type="astring" value="@PKG_SYSCONFDIR@/dnsdist.conf" />
+    </property_group>
+    <template>
+      <common_name>
+        <loctext xml:lang="C">dnsdist daemon</loctext>
+      </common_name>
+    </template>
+  </service>
+</service_bundle>
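Review bot: The start method backgrounds dnsdist with a trailing `&amp;` while also passing `--supervised`, which is the flag that asks dnsdist to stay in the foreground for a supervisor; under `duration="contract"` the child still lands in the method's contract so SMF keeps tracking it, but the method returns before the listeners are bound, so dependents may start against a service that is not yet accepting queries. If the `&amp;` is a deliberate pkgsrc idiom it deserves a comment; otherwise I would drop it, `exec="@PREFIX@/bin/dnsdist --supervised -u @DNSDIST_USER@ -g @DNSDIST_GROUP@ -C %{config_file}"`. Privilege dropping relies entirely on dnsdist's own `-u`/`-g` switch after binding; that is consistent with the rc.d script, so no `method_credential` is needed, but the declaration would also benefit from an explicit `encoding="UTF-8"`.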
diff --git a/dnsdist/patches/patch-configure b/dnsdist/patches/patch-configure
new file mode 100644
index 0000000000..7d38911532
--- /dev/null
+++ b/dnsdist/patches/patch-configure
@@ -0,0 +1,15 @@
+$NetBSD: patch-configure,v 1.5 2025/10/31 15:54:55 jperkin Exp $
+
+Fix --without-libedit, required when using readline.
+
+--- configure.orig	2025-10-31 15:48:25.770875216 +0000
++++ configure
+@@ -18916,7 +18916,7 @@ printf %s "checking whether to link in l
+ # Check whether --with-libedit was given.
+ if test ${with_libedit+y}
+ then :
+-  withval=$with_libedit; with_libedit=$enableval
++  withval=$with_libedit; with_libedit=$withval
+ else case e in #(
+   e) with_libedit=yes
+    ;;
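Review bot: The patch header does not say whether the `$enableval`/`$withval` mix-up has been reported upstream; pkgsrc convention is to record that in the header so the patch can be dropped once fixed, e.g. `Fix --without-libedit, required when using readline: the generated test assigns $enableval, which is unset here, so the option is silently ignored. Reported upstream: <link>.` The fix itself is correct — the `--with-libedit` handler copies the wrong autoconf variable, so `--without-libedit` collapsed to the default `yes` and libedit could be linked alongside readline. Since this patches the generated `configure` only, a matching change to `configure.ac` is not required unless the package ever runs autoreconf.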

