

net/dnsdist: Update to version 2.0.4



Module Name:	pkgsrc-wip
Committed By:	Marcin Gondek <drixter%e-utp.net@localhost>
Pushed By:	drixter
Date:		Wed Apr 22 12:34:49 2026 +0200
Changeset:	5b17fb4d0104d9c5ec5628aa748ed703aa2c56f0

Added Files:
	dnsdist/COMMIT_MSG
	dnsdist/DESCR
	dnsdist/Makefile
	dnsdist/PLIST
	dnsdist/distinfo
	dnsdist/files/dnsdist.sh
	dnsdist/files/smf/manifest.xml
	dnsdist/patches/patch-configure

Log Message:
net/dnsdist: Update to version 2.0.4

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=5b17fb4d0104d9c5ec5628aa748ed703aa2c56f0

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 dnsdist/COMMIT_MSG              | 29 ++++++++++++++++
 dnsdist/DESCR                   |  4 +++
 dnsdist/Makefile                | 75 +++++++++++++++++++++++++++++++++++++++++
 dnsdist/PLIST                   |  4 +++
 dnsdist/distinfo                |  6 ++++
 dnsdist/files/dnsdist.sh        | 24 +++++++++++++
 dnsdist/files/smf/manifest.xml  | 28 +++++++++++++++
 dnsdist/patches/patch-configure | 15 +++++++++
 8 files changed, 185 insertions(+)

diffs:
diff --git a/dnsdist/COMMIT_MSG b/dnsdist/COMMIT_MSG
new file mode 100644
index 0000000000..7fd230b311
--- /dev/null
+++ b/dnsdist/COMMIT_MSG
@@ -0,0 +1,29 @@
+net/dnsdist: Update to version 2.0.4
+
+2.0.4
+Released: 22nd of April 2026
+Bug Fixes
+CVE-2026-33257: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The web server is disabled and restricted by an ACL by default
+References: pull request TBD
+CVE-2026-33260: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The web server is disabled and restricted by an ACL by default
+References: pull request TBD
+CVE-2026-33596: A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend
+References: pull request TBD
+CVE-2026-33597: A crafted query containing an invalid DNS label can prevent the PRSD detection algorithm executed via DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI from being executed
+References: pull request TBD
+CVE-2026-33598: A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache
+References: pull request TBD
+CVE-2026-33599: A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default
+References: pull request TBD
+CVE-2026-33602: A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service
+References: pull request TBD
+CVE-2026-33254: An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default
+References: pull request TBD
+CVE-2026-33595: A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection. DOQ and DoH3 are disabled by default
+References: pull request TBD
+CVE-2026-33594: A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection. Outgoing DoH is disabled by default
+References: pull request TBD
+CVE-2026-33593: A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query
+References: pull request TBD
+Fix passing a numeric value to the YAML QType selector
+References: pull request 17089
diff --git a/dnsdist/DESCR b/dnsdist/DESCR
new file mode 100644
index 0000000000..8b6e998da8
--- /dev/null
+++ b/dnsdist/DESCR
@@ -0,0 +1,4 @@
+dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its
+goal in life is to route traffic to the best server, delivering top
+performance to legitimate users while shunting or blocking abusive
+traffic.
diff --git a/dnsdist/Makefile b/dnsdist/Makefile
new file mode 100644
index 0000000000..34843bb4db
--- /dev/null
+++ b/dnsdist/Makefile
@@ -0,0 +1,75 @@
+# $NetBSD: Makefile,v 1.47 2026/03/31 13:31:02 wiz Exp $
+
+DISTNAME=	dnsdist-2.0.4
+CATEGORIES=	net
+MASTER_SITES=	https://downloads.powerdns.com/releases/
+EXTRACT_SUFX=	.tar.xz
+
+MAINTAINER=	drixter%e-utp.net@localhost
+HOMEPAGE=	https://dnsdist.org/
+COMMENT=	Highly DNS-, DoS- and abuse-aware loadbalancer
+LICENSE=	gnu-gpl-v2
+
+TOOL_DEPENDS+=		${PYPKGPREFIX}-yaml-[0-9]*:../../textproc/py-yaml
+
+USE_LANGUAGES=		c c++
+USE_CXX_FEATURES=	c++11
+USE_TOOLS+=		gmake pkg-config
+GNU_CONFIGURE=		yes
+
+.include "../../mk/bsd.prefs.mk"
+
+BUILD_DEFS+=			DNSDIST_USER DNSDIST_GROUP
+DNSDIST_USER?=			dnsdist
+DNSDIST_GROUP?=			dnsdist
+PKG_GROUPS+=			${DNSDIST_GROUP}
+PKG_USERS+=			${DNSDIST_USER}:${DNSDIST_GROUP}
+PKG_GECOS.${DNSDIST_USER}=	dnsdist daemon user
+
+CHECK_WRKREF_SKIP+=		bin/dnsdist
+
+FILES_SUBST+=	DNSDIST_USER=${DNSDIST_USER}
+FILES_SUBST+=	DNSDIST_GROUP=${DNSDIST_GROUP}
+
+CONFIGURE_ARGS+=	--enable-dns-over-tls
+CONFIGURE_ARGS+=	--enable-dnscrypt
+CONFIGURE_ARGS+=	--enable-dnstap
+CONFIGURE_ARGS+=	--with-libsodium
+CONFIGURE_ARGS+=	--with-libssl
+CONFIGURE_ARGS+=	--with-lua
+CONFIGURE_ARGS+=	--with-nghttp2
+CONFIGURE_ARGS+=	--with-re2
+CONFIGURE_ARGS+=	--without-net-snmp
+CONFIGURE_ARGS+=	--enable-dns-over-https
+CONFIGURE_ARGS+=	--sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+=	--with-boost=${BUILDLINK_PREFIX.boost-headers}
+
+.include "../../mk/readline.buildlink3.mk"
+
+.if ${READLINE_TYPE} == "editline"
+CONFIGURE_ARGS+=	--with-libedit
+CONFIGURE_ENV+=		LIBEDIT_CFLAGS="-I${BUILDLINK_PREFIX.editlinereadline}/include"
+CONFIGURE_ENV+=		LIBEDIT_LIBS="-L${BUILDLINK_PREFIX.editlinereadline}/lib ${BUILDLINK_LDADD.editlinereadline}"
+.else
+CONFIGURE_ARGS+=	--without-libedit
+.endif
+
+EGDIR=			${PREFIX}/share/examples/dnsdist
+CONF_FILES=		${EGDIR}/dnsdist.conf-dist ${PKG_SYSCONFDIR}/dnsdist.conf
+INSTALLATION_DIRS+=	${EGDIR}
+INSTALL_MAKE_FLAGS=	${MAKE_FLAGS} sysconfdir=${EGDIR}
+
+RCD_SCRIPTS+=		dnsdist
+
+.include "../../databases/lmdb/buildlink3.mk"
+.include "../../security/gnutls/buildlink3.mk"
+.include "../../devel/boost-headers/buildlink3.mk"
+.include "../../devel/re2/buildlink3.mk"
+.include "../../lang/lua/buildlink3.mk"
+.include "../../net/fstrm/buildlink3.mk"
+.include "../../security/libsodium/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
+.include "../../www/nghttp2/buildlink3.mk"
+.include "../../lang/python/pyversion.mk"
+.include "../../mk/atomic64.mk"
+.include "../../mk/bsd.pkg.mk"
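Review bot: The CONFIGURE_ARGS block enables DNSCrypt, DNS over TLS and DNS over HTTPS but not DNS over QUIC or DoH3 (there is no `--enable-dns-over-quic`/`--enable-dns-over-http3` and no quiche dependency), so of the advisories quoted in COMMIT_MSG, CVE-2026-33254 and CVE-2026-33595 are not reachable in this build while CVE-2026-33593 (DNSCrypt) and CVE-2026-33594 (outgoing DoH) are; a one-line comment above the block, e.g. `# DoQ/DoH3 are not built (would need quiche); DNSCrypt, DoT and DoH are.`, would tell the next updater what attack surface this package actually ships. `USE_CXX_FEATURES= c++11` looks low for dnsdist 2.x, which I believe needs a C++17-capable compiler — harmless if configure enforces it itself, otherwise `c++17` is the honest floor. The `$NetBSD: Makefile,v 1.47 2026/03/31 …$` line is an RCS id copied from the main tree rather than this file's own history; as I understand the wip convention a bare `# $NetBSD$` is expected.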
diff --git a/dnsdist/PLIST b/dnsdist/PLIST
new file mode 100644
index 0000000000..f84e457785
--- /dev/null
+++ b/dnsdist/PLIST
@@ -0,0 +1,4 @@
+@comment $NetBSD: PLIST,v 1.3 2025/08/12 07:22:24 wiz Exp $
+bin/dnsdist
+man/man1/dnsdist.1
+share/examples/dnsdist/dnsdist.conf-dist
diff --git a/dnsdist/distinfo b/dnsdist/distinfo
new file mode 100644
index 0000000000..da17629e09
--- /dev/null
+++ b/dnsdist/distinfo
@@ -0,0 +1,6 @@
+$NetBSD: distinfo,v 1.24 2026/03/31 13:31:02 wiz Exp $
+
+BLAKE2s (dnsdist-2.0.4.tar.xz) = 181da87d4cc7efe00bb4471e811e86be6714c1aeeecfb6fc8aec1591fa3bd887
+SHA512 (dnsdist-2.0.4.tar.xz) = abad5eb6d95202700e419e090bde64b9f4117214c0b21df472262a29a066a179a8d93b8684d066f52a4a2a82cba184927be6f8501bffab2a0e89ebe66e881592
+Size (dnsdist-2.0.4.tar.xz) = 2287608 bytes
+SHA1 (patch-configure) = d9ec9f3416862f471a3029168681b9512ced68b9
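Review bot: The BLAKE2s/SHA512 lines are the only integrity anchor pkgsrc has for the fetched tarball, and nothing in the diff shows how they were obtained; since this commit pulls in a release fixing eleven advisories, the hashes should be confirmed against PowerDNS' published signature for dnsdist-2.0.4.tar.xz (the `.sig`/`.asc` next to the tarball, or the checksums in the release announcement) before the package leaves wip. The `$NetBSD: distinfo,v 1.24 2026/03/31 …$` id predates the 22 April 2026 release date given in COMMIT_MSG, so it is a copied RCS id rather than this file's history; wip files normally carry a bare `$NetBSD$`.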
diff --git a/dnsdist/files/dnsdist.sh b/dnsdist/files/dnsdist.sh
new file mode 100644
index 0000000000..c4b5d56543
--- /dev/null
+++ b/dnsdist/files/dnsdist.sh
@@ -0,0 +1,24 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: dnsdist.sh,v 1.2 2022/10/24 11:08:15 jperkin Exp $
+#
+# PROVIDE: dnsdist 
+# REQUIRE: DAEMON network
+# KEYWORD: shutdown
+
+if [ -f /etc/rc.subr ]; then
+	. /etc/rc.subr
+fi
+
+name="dnsdist"
+rcvar=$name
+command="@PREFIX@/bin/dnsdist"
+dnsdist_flags="${dnsdist_flags:- -u @DNSDIST_USER@ -g @DNSDIST_GROUP@ -C @PKG_SYSCONFDIR@/dnsdist.conf}"
+
+if [ -f /etc/rc.subr ]; then
+        load_rc_config $name
+	run_rc_command "$1"
+else
+	echo -n "${name}"
+	${command} ${dnsdist_flags}
+fi
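Review bot: The default `dnsdist_flags` ties the privilege drop (`-u/-g`) to the config path, so an administrator who sets `dnsdist_flags` in rc.conf merely to point at another configuration file silently loses `-u @DNSDIST_USER@ -g @DNSDIST_GROUP@` and dnsdist keeps running as root. Splitting them keeps the drop unconditional: `dnsdist_flags="${dnsdist_flags:- -C @PKG_SYSCONFDIR@/dnsdist.conf}"`, `command_args="-u @DNSDIST_USER@ -g @DNSDIST_GROUP@"` (rc.subr appends `command_args` after the flags, if I read run_rc_command correctly), and `${command} ${dnsdist_flags} ${command_args}` in the fallback branch. Minor style: `# PROVIDE: dnsdist ` carries a trailing space and the `load_rc_config` line is space-indented while its neighbours use tabs. `echo -n` is also not portable across the shells @RCD_SCRIPTS_SHELL@ may resolve to; `printf '%s' "${name}"` avoids that.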
diff --git a/dnsdist/files/smf/manifest.xml b/dnsdist/files/smf/manifest.xml
new file mode 100644
index 0000000000..739af89727
--- /dev/null
+++ b/dnsdist/files/smf/manifest.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<service_bundle type="manifest" name="export">
+  <service name="@SMF_PREFIX@/@SMF_NAME@" type="service" version="1">
+    <create_default_instance enabled="false" />
+    <single_instance />
+    <dependency name="network" grouping="require_all" restart_on="error" type="service">
+      <service_fmri value="svc:/milestone/network:default" />
+    </dependency>
+    <dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
+      <service_fmri value="svc:/system/filesystem/local" />
+    </dependency>
+    <exec_method type="method" name="start" exec="@PREFIX@/bin/dnsdist --supervised -u @DNSDIST_USER@ -g @DNSDIST_GROUP@ -C %{config_file} &amp;" timeout_seconds="60" />
+    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60" />
+    <property_group name="startd" type="framework">
+      <propval name="duration" type="astring" value="contract" />
+      <propval name="ignore_error" type="astring" value="core,signal" />
+    </property_group>
+    <property_group name="application" type="application">
+      <propval name="config_file" type="astring" value="@PKG_SYSCONFDIR@/dnsdist.conf" />
+    </property_group>
+    <template>
+      <common_name>
+        <loctext xml:lang="C">dnsdist daemon</loctext>
+      </common_name>
+    </template>
+  </service>
+</service_bundle>
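Review bot: `ignore_error="core,signal"` on a single-process contract service tells the restarter to disregard exactly the events a dnsdist crash produces — and this same commit's COMMIT_MSG lists a DNSCrypt divide-by-zero crash (CVE-2026-33593) — so, as I read the startd semantics, a crashing instance may be bounced without the failure being accounted as an error; if there is no specific reason to mask core/signal deaths, drop that propval or document why it is needed. With `--supervised` dnsdist already stays in the foreground, so the shell-backgrounding `&amp;` plus `duration="contract"` could become `duration="child"` with an exec line without `&amp;`, letting SMF track the process directly; I have not tested this on illumos, so treat it as a suggestion. `%{config_file}` is unquoted in the exec string, which is fine for the default path but breaks if an operator sets a path containing spaces.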
diff --git a/dnsdist/patches/patch-configure b/dnsdist/patches/patch-configure
new file mode 100644
index 0000000000..7d38911532
--- /dev/null
+++ b/dnsdist/patches/patch-configure
@@ -0,0 +1,15 @@
+$NetBSD: patch-configure,v 1.5 2025/10/31 15:54:55 jperkin Exp $
+
+Fix --without-libedit, required when using readline.
+
+--- configure.orig	2025-10-31 15:48:25.770875216 +0000
++++ configure
+@@ -18916,7 +18916,7 @@ printf %s "checking whether to link in l
+ # Check whether --with-libedit was given.
+ if test ${with_libedit+y}
+ then :
+-  withval=$with_libedit; with_libedit=$enableval
++  withval=$with_libedit; with_libedit=$withval
+ else case e in #(
+   e) with_libedit=yes
+    ;;
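Review bot: The patch corrects `with_libedit=$enableval` to `$withval` in the generated `configure`, which means the defect lives in the upstream autoconf source (configure.ac or an m4 fragment) and has to be re-applied to every release that regenerates configure, as the 2025-10-31 `.orig` timestamp carried into a 2026 release already shows; if this has not been reported upstream, a link to the upstream issue or pull request in the patch header (after the "Fix --without-libedit" line) would let the next updater drop the patch once it is fixed. The hunk is a 7-line window into a large generated script, so the rest of the `--with-libedit` handling is outside what the diff shows.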

