5 files changed, 287 insertions, 39 deletions
diff --git a/dns/dnsdist/Makefile b/dns/dnsdist/Makefile
index 19937d5c6420..1bc3f9e47495 100644
--- a/dns/dnsdist/Makefile
+++ b/dns/dnsdist/Makefile
@@ -1,7 +1,8 @@
 PORTNAME=	dnsdist
-DISTVERSION=	1.9.10
+DISTVERSION=	2.0.0
 CATEGORIES=	dns net
 MASTER_SITES=	https://downloads.powerdns.com/releases/
+DISTFILES=	${DISTNAME}${EXTRACT_SUFX}
 
 MAINTAINER=	tremere@cainites.net
 COMMENT=	Highly DNS-, DoS- and abuse-aware loadbalancer
@@ -17,38 +18,49 @@ NOT_FOR_ARCHS=	i386
 NOT_FOR_ARCHS_REASON=	archs with 32-bits time_t are no longer supported by upstream
 
 BUILD_DEPENDS=	${LOCALBASE}/lib/libatomic_ops.a:devel/libatomic_ops \
+		${PYTHON_PKGNAMEPREFIX}pyyaml>0:devel/py-pyyaml@${PY_FLAVOR} \
 		boost-libs>0:devel/boost-libs
 LIB_DEPENDS=	libnghttp2.so:www/libnghttp2 \
 		libquiche.so:net/quiche \
 		libre2.so:devel/re2 \
 		libsodium.so:security/libsodium
 
-USES=		bison:alias compiler:c++14-lang cpe gmake libedit libtool \
-		localbase pkgconfig tar:bz2
+USES=		cargo compiler:c++14-lang cpe libedit localbase meson pkgconfig \
+		python:build tar:xz
 CPE_VENDOR=	powerdns
 USE_RC_SUBR=	dnsdist
 
-GNU_CONFIGURE=	yes
-CONFIGURE_ARGS=	--bindir=${PREFIX}/sbin \
-		--enable-dns-over-http3 \
-		--enable-dns-over-https \
-		--enable-dns-over-quic \
-		--enable-dns-over-tls \
-		--enable-dnscrypt \
+MESON_ARGS=	--bindir=${PREFIX}/sbin \
 		--sysconfdir=${ETCDIR} \
-		--with-libsodium \
-		--with-re2
-
-INSTALL_TARGET=	install-strip
-LDFLAGS+=	-Wl,--as-needed
+		-Ddns-over-http3=enabled \
+		-Ddns-over-https=enabled \
+		-Ddns-over-quic=enabled \
+		-Ddns-over-tls=enabled \
+		-Ddnscrypt=enabled \
+		-Dlibcap=disabled \
+		-Dlibsodium=enabled \
+		-Dquiche=enabled \
+		-Dre2=enabled \
+		-Dsystemd-service=disabled \
+		-Dxsk=disabled \
+		-Dyaml=enabled
+
+CARGO_CARGOLOCK=	${WRKSRC}/dnsdist-rust-lib/rust/Cargo.lock
+CARGO_CARGOTOML=	${WRKSRC}/dnsdist-rust-lib/rust/Cargo.toml
+CARGO_BUILD=		no
+CARGO_INSTALL=		no
+CARGO_TEST=		no
+
+BINARY_ALIAS=	python3=${PYTHON_CMD}
+TARGET_ORDER_OVERRIDE=	750:cargo-configure
 
 USERS=		_dnsdist
 GROUPS=		_dnsdist
 
-OPTIONS_DEFINE=		DNSTAP SNMP
-OPTIONS_DEFAULT=	CDB GNUTLS LMDB LUA OPENSSL
-OPTIONS_GROUP=		KSVOPT
-OPTIONS_GROUP_KSVOPT=	CDB LMDB
+OPTIONS_DEFINE=		DNSTAP IPCIPHER SNMP
+OPTIONS_DEFAULT=	CDB GNUTLS IPCIPHER LMDB LUA OPENSSL
+OPTIONS_GROUP=		KVSOPT
+OPTIONS_GROUP_KVSOPT=	CDB LMDB
 OPTIONS_MULTI=		TLS
 OPTIONS_MULTI_TLS=	GNUTLS OPENSSL
 OPTIONS_SINGLE=		EXTLUA
@@ -57,41 +69,49 @@ OPTIONS_SINGLE_EXTLUA=	LUA LUAJIT
 CDB_DESC=	CDB backend
 DNSTAP_DESC=	dnstap support (see dnstap.info)
 EXTLUA_DESC=	Lua library
-KSVOPT_DESC=	Key Value Stores
+IPCIPHER_DESC=	ipcipher support (requires OpenSSL)
+KVSOPT_DESC=	Key Value Stores
 LMDB_DESC=	LMDB backend
 LUAJIT_DESC=	Use luajit
 LUA_DESC=	Use lang/lua
 
 CDB_LIB_DEPENDS=	libcdb.so:databases/tinycdb
-CDB_CONFIGURE_ON=	CDB_CFLAGS="-I${LOCALBASE}/include" \
-			CDB_LIBS="-L${LOCALBASE}/lib -lcdb"
+CDB_MESON_ENABLED=	cdb
 
-DNSTAP_LIB_DEPENDS=		libfstrm.so:devel/fstrm
-DNSTAP_CONFIGURE_ENABLE=	dnstap
+DNSTAP_LIB_DEPENDS=	libfstrm.so:devel/fstrm
+DNSTAP_MESON_ENABLED=	dnstap
 
 GNUTLS_LIB_DEPENDS=	libgnutls.so:security/gnutls
-GNUTLS_CONFIGURE_WITH=	gnutls
+GNUTLS_MESON_ENABLED=	tls-gnutls
+
+IPCIPHER_IMPLIES=	OPENSSL
+IPCIPHER_MESON_ENABLED=	ipcipher
 
 LMDB_LIB_DEPENDS=	liblmdb.so:databases/lmdb
-LMDB_CONFIGURE_ON=	--with-lmdb=${LOCALBASE}
-LMDB_CONFIGURE_OFF=	--without-lmdb
+LMDB_MESON_ENABLED=	lmdb
 
 LUAJIT_USES=		luajit
-LUAJIT_CONFIGURE_ON=	--with-lua=luajit
+LUAJIT_MESON_ON=	-Dlua=luajit
 
-LUA_USES=		lua
-LUA_CONFIGURE_ON=	--with-lua=lua-${LUA_VER}
+LUA_USES=	lua
+LUA_MESON_ON=	-Dlua=lua
 
 OPENSSL_USES=		ssl
-OPENSSL_CONFIGURE_ON=	LIBSSL_CFLAGS=-I${OPENSSLINC} \
-			LIBSSL_LIBS="-L${OPENSSLLIB} -lssl"
-OPENSSL_CONFIGURE_WITH=	libssl
+OPENSSL_MESON_ENABLED=	libcrypto tls-libssl
+OPENSSL_MESON_ON=	-Dlibcrypto-path=${OPENSSLBASE}
 
 SNMP_LIB_DEPENDS=	libnetsnmp.so:net-mgmt/net-snmp
-SNMP_CONFIGURE_WITH=	net-snmp
+SNMP_MESON_ENABLED=	snmp
+
+.include <bsd.port.pre.mk>
+
+.if !(${OSVERSION} < 1400000 && ${SSL_DEFAULT} == "base")
+OPENSSL_MESON_ON+=	-Dtls-libssl-providers=true
+.else
+OPENSSL_MESON_ON+=	-Dtls-libssl-engines=true
+.endif
 
 post-install:
-#	@${MKDIR} ${STAGEDIR}${ETCDIR}
 	${MV} ${STAGEDIR}${ETCDIR}/dnsdist.conf-dist ${STAGEDIR}${ETCDIR}/dnsdist.conf.sample
 
-.include <bsd.port.mk>
+.include <bsd.port.post.mk>
diff --git a/dns/dnsdist/Makefile.crates b/dns/dnsdist/Makefile.crates
new file mode 100644
index 000000000000..b8d012ce6e54
--- /dev/null
+++ b/dns/dnsdist/Makefile.crates
@@ -0,0 +1,43 @@
+CARGO_CRATES=	anstyle-1.0.10 \
+		cc-1.2.25 \
+		clap-4.5.39 \
+		clap_builder-4.5.39 \
+		clap_lex-0.7.4 \
+		codespan-reporting-0.12.0 \
+		cxx-1.0.158 \
+		cxx-build-1.0.158 \
+		cxxbridge-cmd-1.0.158 \
+		cxxbridge-flags-1.0.158 \
+		cxxbridge-macro-1.0.158 \
+		equivalent-1.0.2 \
+		foldhash-0.1.5 \
+		hashbrown-0.15.3 \
+		indexmap-2.9.0 \
+		itoa-1.0.15 \
+		link-cplusplus-1.0.10 \
+		proc-macro2-1.0.95 \
+		quote-1.0.40 \
+		rustversion-1.0.21 \
+		ryu-1.0.20 \
+		scratch-1.0.8 \
+		serde-1.0.219 \
+		serde_derive-1.0.219 \
+		serde_yaml-0.9.34+deprecated \
+		shlex-1.3.0 \
+		strsim-0.11.1 \
+		syn-2.0.101 \
+		termcolor-1.4.1 \
+		unicode-ident-1.0.18 \
+		unicode-width-0.2.0 \
+		unsafe-libyaml-0.2.11 \
+		winapi-util-0.1.9 \
+		windows-sys-0.59.0 \
+		windows-targets-0.52.6 \
+		windows_aarch64_gnullvm-0.52.6 \
+		windows_aarch64_msvc-0.52.6 \
+		windows_i686_gnu-0.52.6 \
+		windows_i686_gnullvm-0.52.6 \
+		windows_i686_msvc-0.52.6 \
+		windows_x86_64_gnu-0.52.6 \
+		windows_x86_64_gnullvm-0.52.6 \
+		windows_x86_64_msvc-0.52.6
diff --git a/dns/dnsdist/distinfo b/dns/dnsdist/distinfo
index 123fa5a930af..733c232e6f24 100644
--- a/dns/dnsdist/distinfo
+++ b/dns/dnsdist/distinfo
@@ -1,3 +1,89 @@
-TIMESTAMP = 1747751211
-SHA256 (dnsdist-1.9.10.tar.bz2) = 027ddbdee695c5a59728057bfc41c5b1a691fa1c7a5e89278b09f355325fbed6
-SIZE (dnsdist-1.9.10.tar.bz2) = 1598472
+TIMESTAMP = 1753107989
+SHA256 (dnsdist-2.0.0.tar.xz) = da30742f51aac8be7e116677cb07bc49fbea979fc5443e7e1fa8fa7bd0a63fe5
+SIZE (dnsdist-2.0.0.tar.xz) = 2275260
+SHA256 (rust/crates/anstyle-1.0.10.crate) = 55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9
+SIZE (rust/crates/anstyle-1.0.10.crate) = 15725
+SHA256 (rust/crates/cc-1.2.25.crate) = d0fc897dc1e865cc67c0e05a836d9d3f1df3cbe442aa4a9473b18e12624a4951
+SIZE (rust/crates/cc-1.2.25.crate) = 106594
+SHA256 (rust/crates/clap-4.5.39.crate) = fd60e63e9be68e5fb56422e397cf9baddded06dae1d2e523401542383bc72a9f
+SIZE (rust/crates/clap-4.5.39.crate) = 57328
+SHA256 (rust/crates/clap_builder-4.5.39.crate) = 89cc6392a1f72bbeb820d71f32108f61fdaf18bc526e1d23954168a67759ef51
+SIZE (rust/crates/clap_builder-4.5.39.crate) = 169142
+SHA256 (rust/crates/clap_lex-0.7.4.crate) = f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6
+SIZE (rust/crates/clap_lex-0.7.4.crate) = 12858
+SHA256 (rust/crates/codespan-reporting-0.12.0.crate) = fe6d2e5af09e8c8ad56c969f2157a3d4238cebc7c55f0a517728c38f7b200f81
+SIZE (rust/crates/codespan-reporting-0.12.0.crate) = 55796
+SHA256 (rust/crates/cxx-1.0.158.crate) = a71ea7f29c73f7ffa64c50b83c9fe4d3a6d4be89a86b009eb80d5a6d3429d741
+SIZE (rust/crates/cxx-1.0.158.crate) = 220190
+SHA256 (rust/crates/cxx-build-1.0.158.crate) = 36a8232661d66dcf713394726157d3cfe0a89bfc85f52d6e9f9bbc2306797fe7
+SIZE (rust/crates/cxx-build-1.0.158.crate) = 90653
+SHA256 (rust/crates/cxxbridge-cmd-1.0.158.crate) = 4f44296c8693e9ea226a48f6a122727f77aa9e9e338380cb021accaeeb7ee279
+SIZE (rust/crates/cxxbridge-cmd-1.0.158.crate) = 77898
+SHA256 (rust/crates/cxxbridge-flags-1.0.158.crate) = c42f69c181c176981ae44ba9876e2ea41ce8e574c296b38d06925ce9214fb8e4
+SIZE (rust/crates/cxxbridge-flags-1.0.158.crate) = 5424
+SHA256 (rust/crates/cxxbridge-macro-1.0.158.crate) = 8faff5d4467e0709448187df29ccbf3b0982cc426ee444a193f87b11afb565a8
+SIZE (rust/crates/cxxbridge-macro-1.0.158.crate) = 64448
+SHA256 (rust/crates/equivalent-1.0.2.crate) = 877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f
+SIZE (rust/crates/equivalent-1.0.2.crate) = 7419
+SHA256 (rust/crates/foldhash-0.1.5.crate) = d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2
+SIZE (rust/crates/foldhash-0.1.5.crate) = 21901
+SHA256 (rust/crates/hashbrown-0.15.3.crate) = 84b26c544d002229e640969970a2e74021aadf6e2f96372b9c58eff97de08eb3
+SIZE (rust/crates/hashbrown-0.15.3.crate) = 140413
+SHA256 (rust/crates/indexmap-2.9.0.crate) = cea70ddb795996207ad57735b50c5982d8844f38ba9ee5f1aedcfb708a2aa11e
+SIZE (rust/crates/indexmap-2.9.0.crate) = 91214
+SHA256 (rust/crates/itoa-1.0.15.crate) = 4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c
+SIZE (rust/crates/itoa-1.0.15.crate) = 11231
+SHA256 (rust/crates/link-cplusplus-1.0.10.crate) = 4a6f6da007f968f9def0d65a05b187e2960183de70c160204ecfccf0ee330212
+SIZE (rust/crates/link-cplusplus-1.0.10.crate) = 8054
+SHA256 (rust/crates/proc-macro2-1.0.95.crate) = 02b3e5e68a3a1a02aad3ec490a98007cbc13c37cbe84a3cd7b8e406d76e7f778
+SIZE (rust/crates/proc-macro2-1.0.95.crate) = 51820
+SHA256 (rust/crates/quote-1.0.40.crate) = 1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d
+SIZE (rust/crates/quote-1.0.40.crate) = 31063
+SHA256 (rust/crates/rustversion-1.0.21.crate) = 8a0d197bd2c9dc6e53b84da9556a69ba4cdfab8619eb41a8bd1cc2027a0f6b1d
+SIZE (rust/crates/rustversion-1.0.21.crate) = 21001
+SHA256 (rust/crates/ryu-1.0.20.crate) = 28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f
+SIZE (rust/crates/ryu-1.0.20.crate) = 48738
+SHA256 (rust/crates/scratch-1.0.8.crate) = 9f6280af86e5f559536da57a45ebc84948833b3bee313a7dd25232e09c878a52
+SIZE (rust/crates/scratch-1.0.8.crate) = 8581
+SHA256 (rust/crates/serde-1.0.219.crate) = 5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6
+SIZE (rust/crates/serde-1.0.219.crate) = 78983
+SHA256 (rust/crates/serde_derive-1.0.219.crate) = 5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00
+SIZE (rust/crates/serde_derive-1.0.219.crate) = 57798
+SHA256 (rust/crates/serde_yaml-0.9.34+deprecated.crate) = 6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47
+SIZE (rust/crates/serde_yaml-0.9.34+deprecated.crate) = 65290
+SHA256 (rust/crates/shlex-1.3.0.crate) = 0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64
+SIZE (rust/crates/shlex-1.3.0.crate) = 18713
+SHA256 (rust/crates/strsim-0.11.1.crate) = 7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f
+SIZE (rust/crates/strsim-0.11.1.crate) = 14266
+SHA256 (rust/crates/syn-2.0.101.crate) = 8ce2b7fc941b3a24138a0a7cf8e858bfc6a992e7978a068a5c760deb0ed43caf
+SIZE (rust/crates/syn-2.0.101.crate) = 299250
+SHA256 (rust/crates/termcolor-1.4.1.crate) = 06794f8f6c5c898b3275aebefa6b8a1cb24cd2c6c79397ab15774837a0bc5755
+SIZE (rust/crates/termcolor-1.4.1.crate) = 18773
+SHA256 (rust/crates/unicode-ident-1.0.18.crate) = 5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512
+SIZE (rust/crates/unicode-ident-1.0.18.crate) = 47743
+SHA256 (rust/crates/unicode-width-0.2.0.crate) = 1fc81956842c57dac11422a97c3b8195a1ff727f06e85c84ed2e8aa277c9a0fd
+SIZE (rust/crates/unicode-width-0.2.0.crate) = 271509
+SHA256 (rust/crates/unsafe-libyaml-0.2.11.crate) = 673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861
+SIZE (rust/crates/unsafe-libyaml-0.2.11.crate) = 62101
+SHA256 (rust/crates/winapi-util-0.1.9.crate) = cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb
+SIZE (rust/crates/winapi-util-0.1.9.crate) = 12464
+SHA256 (rust/crates/windows-sys-0.59.0.crate) = 1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b
+SIZE (rust/crates/windows-sys-0.59.0.crate) = 2387323
+SHA256 (rust/crates/windows-targets-0.52.6.crate) = 9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973
+SIZE (rust/crates/windows-targets-0.52.6.crate) = 6403
+SHA256 (rust/crates/windows_aarch64_gnullvm-0.52.6.crate) = 32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3
+SIZE (rust/crates/windows_aarch64_gnullvm-0.52.6.crate) = 435718
+SHA256 (rust/crates/windows_aarch64_msvc-0.52.6.crate) = 09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469
+SIZE (rust/crates/windows_aarch64_msvc-0.52.6.crate) = 832615
+SHA256 (rust/crates/windows_i686_gnu-0.52.6.crate) = 8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b
+SIZE (rust/crates/windows_i686_gnu-0.52.6.crate) = 880402
+SHA256 (rust/crates/windows_i686_gnullvm-0.52.6.crate) = 0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66
+SIZE (rust/crates/windows_i686_gnullvm-0.52.6.crate) = 475940
+SHA256 (rust/crates/windows_i686_msvc-0.52.6.crate) = 240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66
+SIZE (rust/crates/windows_i686_msvc-0.52.6.crate) = 901163
+SHA256 (rust/crates/windows_x86_64_gnu-0.52.6.crate) = 147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78
+SIZE (rust/crates/windows_x86_64_gnu-0.52.6.crate) = 836363
+SHA256 (rust/crates/windows_x86_64_gnullvm-0.52.6.crate) = 24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d
+SIZE (rust/crates/windows_x86_64_gnullvm-0.52.6.crate) = 435707
+SHA256 (rust/crates/windows_x86_64_msvc-0.52.6.crate) = 589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec
+SIZE (rust/crates/windows_x86_64_msvc-0.52.6.crate) = 832564
diff --git a/dns/dnsdist/files/patch-dnsdist-lua.cc b/dns/dnsdist/files/patch-dnsdist-lua.cc
new file mode 100644
index 000000000000..4b002e027cbe
--- /dev/null
+++ b/dns/dnsdist/files/patch-dnsdist-lua.cc
@@ -0,0 +1,50 @@
+--- dnsdist-lua.cc.orig	2025-07-21 09:54:44 UTC
++++ dnsdist-lua.cc
+@@ -2260,6 +2260,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+ 
+       bool ignoreTLSConfigurationErrors = false;
+       if (getOptionalValue<bool>(vars, "ignoreTLSConfigurationErrors", ignoreTLSConfigurationErrors) > 0 && ignoreTLSConfigurationErrors) {
++#if defined(HAVE_LIBSSL)
+         // we are asked to try to load the certificates so we can return a potential error
+         // and properly ignore the frontend before actually launching it
+         try {
+@@ -2269,6 +2270,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+           errlog("Ignoring DoH frontend: '%s'", e.what());
+           return;
+         }
++#endif /* HAVE_LIBSSL */
+       }
+ 
+       checkAllParametersConsumed("addDOHLocal", vars);
+@@ -2357,6 +2359,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+ 
+       bool ignoreTLSConfigurationErrors = false;
+       if (getOptionalValue<bool>(vars, "ignoreTLSConfigurationErrors", ignoreTLSConfigurationErrors) > 0 && ignoreTLSConfigurationErrors) {
++#if defined(HAVE_LIBSSL)
+         // we are asked to try to load the certificates so we can return a potential error
+         // and properly ignore the frontend before actually launching it
+         try {
+@@ -2366,6 +2369,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+           errlog("Ignoring DoH3 frontend: '%s'", e.what());
+           return;
+         }
++#endif /* HAVE_LIBSSL */
+       }
+ 
+       checkAllParametersConsumed("addDOH3Local", vars);
+@@ -2433,6 +2437,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+ 
+       bool ignoreTLSConfigurationErrors = false;
+       if (getOptionalValue<bool>(vars, "ignoreTLSConfigurationErrors", ignoreTLSConfigurationErrors) > 0 && ignoreTLSConfigurationErrors) {
++#if defined(HAVE_LIBSSL)
+         // we are asked to try to load the certificates so we can return a potential error
+         // and properly ignore the frontend before actually launching it
+         try {
+@@ -2442,6 +2447,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool cl
+           errlog("Ignoring DoQ frontend: '%s'", e.what());
+           return;
+         }
++#endif /* HAVE_LIBSSL */
+       }
+ 
+       checkAllParametersConsumed("addDOQLocal", vars);
diff --git a/dns/dnsdist/files/patch-dnsdist_configuration_yaml_cc b/dns/dnsdist/files/patch-dnsdist_configuration_yaml_cc
new file mode 100644
index 000000000000..910d1807cd26
--- /dev/null
+++ b/dns/dnsdist/files/patch-dnsdist_configuration_yaml_cc
@@ -0,0 +1,49 @@
+From eb01c11a5418da08d5e11acdd519e2816e937835 Mon Sep 17 00:00:00 2001
+From: Remi Gacogne <remi.gacogne@powerdns.com>
+Date: Thu, 24 Jul 2025 10:57:28 +0200
+Subject: [PATCH] dnsdist: Fix QType rate dynamic block with YAML
+
+The YAML configuration for the the "QType rate" dynamic block was
+totally broken, trying to configure a rcode rate rule instead of a
+qtype rate one.
+Thanks to HellSpawn for reporting this the issue!
+
+Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
+---
+ .../dnsdistdist/dnsdist-configuration-yaml.cc | 14 +++++-
+ .../dnsdistDynBlockTests.py                   | 42 ++++++++++++++++
+ .../test_DynBlocksGroup.py                    | 49 +++++++++++++++++++
+ 3 files changed, 104 insertions(+), 1 deletion(-)
+
+diff --git a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
+index 1d0f534b4326..70731bc42537 100644
+--- dnsdist-configuration-yaml.cc
++++ dnsdist-configuration-yaml.cc
+@@ -143,6 +143,18 @@ static uint8_t strToRCode(const std::string& context, const std::string& paramet
+   return *rcode;
+ }
+ 
++static uint16_t strToQType(const std::string& context, const std::string& parameterName, const ::rust::String& qtype_rust_string)
++{
++  auto qtype_str = std::string(qtype_rust_string);
++  boost::to_lower(qtype_str);
++  QType qtype;
++  qtype = std::string(qtype_str);
++  if (qtype.getCode() == 0) {
++    return checkedConversionFromStr<uint8_t>(context, parameterName, qtype_rust_string);
++  }
++  return qtype;
++}
++
+ static std::optional<std::string> loadContentFromConfigurationFile(const std::string& fileName)
+ {
+   /* no check on the file size, don't do this with just any file! */
+@@ -647,7 +659,7 @@ static void loadDynamicBlockConfiguration(const dnsdist::rust::settings::Dynamic
+           ruleParams.d_tagSettings->d_name = std::string(rule.tag_name);
+           ruleParams.d_tagSettings->d_value = std::string(rule.tag_value);
+         }
+-        dbrgObj->setRCodeRate(checkedConversionFromStr<int>("dynamic-rules.rules.qtype_rate", "qtype", rule.qtype), std::move(ruleParams));
++        dbrgObj->setQTypeRate(strToQType("dynamic-rules.rules.qtype_rate", "qtype", rule.qtype), std::move(ruleParams));
+       }
+       else if (rule.rule_type == "cache-miss-ratio") {
+         DynBlockRulesGroup::DynBlockCacheMissRatioRule ruleParams(std::string(rule.comment), rule.action_duration, rule.ratio, rule.warning_ratio, rule.seconds, rule.action.empty() ? DNSAction::Action::None : DNSAction::typeFromString(std::string(rule.action)), rule.minimum_number_of_responses, rule.minimum_global_cache_hit_ratio);