2 files changed, 99 insertions, 0 deletions

diff --git a/dns/dnsdist/files/patch-dnsdist-lua.cc b/dns/dnsdist/files/patch-dnsdist-lua.cc
new file mode 100644
index 000000000000..4b002e027cbe
--- /dev/null
+++ b/dns/dnsdist/files/patch-dnsdist-lua.cc
@@ -0,0 +1,50 @@
+--- dnsdist-lua.cc.orig	2025-07-21 09:54:44 UTC
++++ dnsdist-lua.cc
+@@ -2260,6 +2260,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+ 
+       bool ignoreTLSConfigurationErrors = false;
+       if (getOptionalValue<bool>(vars, "ignoreTLSConfigurationErrors", ignoreTLSConfigurationErrors) > 0 && ignoreTLSConfigurationErrors) {
++#if defined(HAVE_LIBSSL)
+         // we are asked to try to load the certificates so we can return a potential error
+         // and properly ignore the frontend before actually launching it
+         try {
+@@ -2269,6 +2270,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+           errlog("Ignoring DoH frontend: '%s'", e.what());
+           return;
+         }
++#endif /* HAVE_LIBSSL */
+       }
+ 
+       checkAllParametersConsumed("addDOHLocal", vars);
+@@ -2357,6 +2359,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+ 
+       bool ignoreTLSConfigurationErrors = false;
+       if (getOptionalValue<bool>(vars, "ignoreTLSConfigurationErrors", ignoreTLSConfigurationErrors) > 0 && ignoreTLSConfigurationErrors) {
++#if defined(HAVE_LIBSSL)
+         // we are asked to try to load the certificates so we can return a potential error
+         // and properly ignore the frontend before actually launching it
+         try {
+@@ -2366,6 +2369,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+           errlog("Ignoring DoH3 frontend: '%s'", e.what());
+           return;
+         }
++#endif /* HAVE_LIBSSL */
+       }
+ 
+       checkAllParametersConsumed("addDOH3Local", vars);
+@@ -2433,6 +2437,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+ 
+       bool ignoreTLSConfigurationErrors = false;
+       if (getOptionalValue<bool>(vars, "ignoreTLSConfigurationErrors", ignoreTLSConfigurationErrors) > 0 && ignoreTLSConfigurationErrors) {
++#if defined(HAVE_LIBSSL)
+         // we are asked to try to load the certificates so we can return a potential error
+         // and properly ignore the frontend before actually launching it
+         try {
+@@ -2442,6 +2447,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+           errlog("Ignoring DoQ frontend: '%s'", e.what());
+           return;
+         }
++#endif /* HAVE_LIBSSL */
+       }
+ 
+       checkAllParametersConsumed("addDOQLocal", vars);
diff --git a/dns/dnsdist/files/patch-dnsdist_configuration_yaml_cc b/dns/dnsdist/files/patch-dnsdist_configuration_yaml_cc
new file mode 100644
index 000000000000..910d1807cd26
--- /dev/null
+++ b/dns/dnsdist/files/patch-dnsdist_configuration_yaml_cc
@@ -0,0 +1,49 @@
+From eb01c11a5418da08d5e11acdd519e2816e937835 Mon Sep 17 00:00:00 2001
+From: Remi Gacogne <remi.gacogne@powerdns.com>
+Date: Thu, 24 Jul 2025 10:57:28 +0200
+Subject: [PATCH] dnsdist: Fix QType rate dynamic block with YAML
+
+The YAML configuration for the the "QType rate" dynamic block was
+totally broken, trying to configure a rcode rate rule instead of a
+qtype rate one.
+Thanks to HellSpawn for reporting this the issue!
+
+Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
+---
+ .../dnsdistdist/dnsdist-configuration-yaml.cc | 14 +++++-
+ .../dnsdistDynBlockTests.py                   | 42 ++++++++++++++++
+ .../test_DynBlocksGroup.py                    | 49 +++++++++++++++++++
+ 3 files changed, 104 insertions(+), 1 deletion(-)
+
+diff --git a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
+index 1d0f534b4326..70731bc42537 100644
+--- dnsdist-configuration-yaml.cc
++++ dnsdist-configuration-yaml.cc
+@@ -143,6 +143,18 @@ static uint8_t strToRCode(const std::string& context, const std::string& paramet
+   return *rcode;
+ }
+ 
++static uint16_t strToQType(const std::string& context, const std::string& parameterName, const ::rust::String& qtype_rust_string)
++{
++  auto qtype_str = std::string(qtype_rust_string);
++  boost::to_lower(qtype_str);
++  QType qtype;
++  qtype = std::string(qtype_str);
++  if (qtype.getCode() == 0) {
++    return checkedConversionFromStr<uint8_t>(context, parameterName, qtype_rust_string);
++  }
++  return qtype;
++}
++
+ static std::optional<std::string> loadContentFromConfigurationFile(const std::string& fileName)
+ {
+   /* no check on the file size, don't do this with just any file! */
+@@ -647,7 +659,7 @@ static void loadDynamicBlockConfiguration(const dnsdist::rust::settings::Dynamic
+           ruleParams.d_tagSettings->d_name = std::string(rule.tag_name);
+           ruleParams.d_tagSettings->d_value = std::string(rule.tag_value);
+         }
+-        dbrgObj->setRCodeRate(checkedConversionFromStr<int>("dynamic-rules.rules.qtype_rate", "qtype", rule.qtype), std::move(ruleParams));
++        dbrgObj->setQTypeRate(strToQType("dynamic-rules.rules.qtype_rate", "qtype", rule.qtype), std::move(ruleParams));
+       }
+       else if (rule.rule_type == "cache-miss-ratio") {
+         DynBlockRulesGroup::DynBlockCacheMissRatioRule ruleParams(std::string(rule.comment), rule.action_duration, rule.ratio, rule.warning_ratio, rule.seconds, rule.action.empty() ? DNSAction::Action::None : DNSAction::typeFromString(std::string(rule.action)), rule.minimum_number_of_responses, rule.minimum_global_cache_hit_ratio);