PowerDNS · omoerbeek · Jan 22, 2026 · Jan 13, 2026 · Jan 13, 2026 · Jan 14, 2026
diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
@@ -979,6 +979,7 @@ oskar
 otherdomain
 otherpool
 othervariant
+ottracecondition
 ourname
 ourserial
 outpacket

diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
@@ -725,6 +725,16 @@ struct SuffixMatchNode
       return ret;
     }
 
+  std::vector<DNSName> toVector() const
+    {
+      std::vector<DNSName> ret;
+      ret.reserve(d_nodes.size());
+      for (const auto& n : d_nodes) {
+        ret.emplace_back(n);
+      }
+      return ret;
+    }
+
   private:
     mutable std::set<DNSName> d_nodes; // Only used for string generation
 };

diff --git a/pdns/recursordist/docs/http-api/endpoint-ottraceconditions.rst b/pdns/recursordist/docs/http-api/endpoint-ottraceconditions.rst
@@ -0,0 +1,32 @@
+OpenTelemetryTraceConditions endpoint
+=====================================
+
+.. Note::
+   All modifications using this endpoint are not persistent.
+   Reloading the configuration using ``rec_control reload-yaml`` will revert the trace conditions back to the conditions read from the configuration file(s).
+
+.. http:get:: /api/v1/servers/:server_id/ottraceconditions
+
+  Get all :json:object:`OpenTelemetryTraceCondition` from the server. Note that while the settings file allows a list of subnets to be associated with a condition, this list will be flattened, with only one subnet per condition.
+
+  :query server_id: The name of the server
+
+.. http:post:: /api/v1/servers/:server_id/ottraceconditions
+
+  Creates a new trace condition. The client body must contain a :json:object:`OpenTelemetryTraceCondition`.
+
+  :query server_id: The name of the server
+
+.. http:get:: /api/v1/servers/:server_id/ottraceconditions/:ip/:prefixlen
+
+  Returns trace condition information.
+
+  :query server_id: The name of the server
+  :query ip/prefixlen: The subnet of the :json:object:`OpenTelemetryTraceCondition`.
+
+.. http:delete:: /api/v1/servers/:server_id/ottraceconditions/:ip/:prefixlen
+
+  Deletes this zone, all attached metadata and rrsets.
+
+  :query server_id: The name of the server
+  :query ip/prefixlen: The subnet of the :json:object:`OpenTelemetryTraceCondition`.
diff --git a/pdns/recursordist/docs/http-api/index.rst b/pdns/recursordist/docs/http-api/index.rst
@@ -14,7 +14,7 @@ The following documents contain the information for the PowerDNS API:
     zone
     ../common/api/configsetting
     ../common/api/statisticitem
-
+    ottracecondition
 
 Webserver
 ---------
@@ -104,3 +104,4 @@ All API endpoints for the PowerDNS Recursor are documented here:
   endpoint-failure
   endpoint-rpz-stats
   endpoint-jsonstat
+  endpoint-ottraceconditions
diff --git a/pdns/recursordist/docs/http-api/ottracecondition.rst b/pdns/recursordist/docs/http-api/ottracecondition.rst
@@ -0,0 +1,32 @@
+OpenTelemetryTraceCondition
+---------------------------
+
+An ``OpenTelemetryTraceCondition`` object represents a condition to trigger generating :ref:`opentelemetry_tracing`.
+These conditions con be configured in a settings file (see :ref:`setting-yaml-logging.opentelemetry_trace_conditions`) or manipulated at runtime using the REST API calls listed in :doc:`endpoint-ottraceconditions`.
+
+.. json:object:: OpenTelemetryTraceCondition
+
+  Represents an OpenTelemetryTrace condition.
+
+  :property string acl: The subnet of the entry. Note that the YAML settings file allows multiple subnets for convenience. This object does not allow multiple subnets to be specified.
+  :property string type: set to "OpenTelemetryTraceCondition"
+  :property bool edns_option_required: See :ref:`opentelemetry_tracing`
+  :property number qid: A specific query id
+  :property [DNSName] qnames: List of names
+  :property [QType] qtypes: List of qtypes, represented as string
+  :property bool traceid_only: See :ref:`opentelemetry_tracing`
+
+**Example**:
+
+.. code-block:: json
+
+   {
+     "acl": "192.0.2.1/32",
+     "edns_option_required": false,
+     "qid": 1,
+     "qnames": ["example.com.", "example.net."],
+     "qtypes": ["AAAA", "A"],
+     "traceid_only": false
+     "type": "OpenTelemetryTraceCondition"
+   }
+
diff --git a/pdns/recursordist/pdns_recursor.cc b/pdns/recursordist/pdns_recursor.cc
@@ -2156,8 +2156,9 @@ bool matchOTConditions(const std::unique_ptr<OpenTelemetryTraceConditions>& cond
     if (condition.d_traceid_only) {
       return false;
     }
+    return true;
   }
-  return true;
+  return false;
 }
 
 bool matchOTConditions(RecEventTrace& eventTrace, const std::unique_ptr<OpenTelemetryTraceConditions>& conditions, const ComboAddress& source, const DNSName& qname, QType qtype, uint16_t qid, bool edns_option_present)
@@ -2182,10 +2183,11 @@ bool matchOTConditions(RecEventTrace& eventTrace, const std::unique_ptr<OpenTele
     if (condition.d_qnames && !condition.d_qnames->check(qname)) {
       return false;
     }
+    eventTrace.setThisOTTraceEnabled();
+    return true;
   }
 
-  eventTrace.setThisOTTraceEnabled();
-  return true;
+  return false;
 }
 
 // fromaddr: the address from which the query is coming

diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
@@ -98,14 +98,14 @@ uint32_t g_disthashseed;
 bool g_useIncomingECS;
 static shared_ptr<NetmaskGroup> g_initialProxyProtocolACL;
 static shared_ptr<std::set<ComboAddress>> g_initialProxyProtocolExceptions;
-static shared_ptr<OpenTelemetryTraceConditions> g_initialOpenTelemetryConditions; // XXX shared ptr needed?
 std::optional<ComboAddress> g_dns64Prefix{std::nullopt};
 DNSName g_dns64PrefixReverse;
 unsigned int g_maxChainLength;
 LockGuarded<std::shared_ptr<SyncRes::domainmap_t>> g_initialDomainMap; // new threads needs this to be setup
 LockGuarded<std::shared_ptr<NetmaskGroup>> g_initialAllowFrom; // new thread needs to be setup with this
 LockGuarded<std::shared_ptr<NetmaskGroup>> g_initialAllowNotifyFrom; // new threads need this to be setup
 LockGuarded<std::shared_ptr<notifyset_t>> g_initialAllowNotifyFor; // new threads need this to be setup
+LockGuarded<std::shared_ptr<OpenTelemetryTraceConditions>> g_initialOpenTelemetryConditions; // new threads need this to be setup
 static time_t s_statisticsInterval;
 static std::atomic<uint32_t> s_counter;
 int g_argc;
@@ -129,7 +129,6 @@ std::vector<RecThreadInfo> RecThreadInfo::s_threadInfos;
 std::unique_ptr<ProxyMapping> g_proxyMapping; // new threads needs this to be setup
 thread_local std::unique_ptr<ProxyMapping> t_proxyMapping;
 
-std::unique_ptr<OpenTelemetryTraceConditions> g_OTConditions; // new threads needs this to be setup
 thread_local std::unique_ptr<OpenTelemetryTraceConditions> t_OTConditions;
 
 bool RecThreadInfo::s_weDistributeQueries; // if true, 1 or more threads listen on the incoming query sockets and distribute them to workers
@@ -2790,8 +2789,9 @@ static void recursorThread()
       else {
         t_proxyMapping = nullptr;
       }
-      if (g_OTConditions) {
-        t_OTConditions = make_unique<OpenTelemetryTraceConditions>(*g_OTConditions);
+      auto lock = g_initialOpenTelemetryConditions.lock();
+      if (*lock) {
+        t_OTConditions = make_unique<OpenTelemetryTraceConditions>(**lock);
       }
       else {
         t_OTConditions = nullptr;

diff --git a/pdns/recursordist/rec-main.hh b/pdns/recursordist/rec-main.hh
@@ -238,6 +238,7 @@ extern LockGuarded<std::shared_ptr<SyncRes::domainmap_t>> g_initialDomainMap; //
 extern LockGuarded<std::shared_ptr<NetmaskGroup>> g_initialAllowFrom; // new thread needs to be setup with this
 extern LockGuarded<std::shared_ptr<NetmaskGroup>> g_initialAllowNotifyFrom; // new threads need this to be setup
 extern LockGuarded<std::shared_ptr<notifyset_t>> g_initialAllowNotifyFor; // new threads need this to be setup
+extern LockGuarded<std::shared_ptr<OpenTelemetryTraceConditions>> g_initialOpenTelemetryConditions; // new threads need this to be set
 extern thread_local std::shared_ptr<Regex> t_traceRegex;
 extern thread_local FDWrapper t_tracefd;
 extern string g_programname;

diff --git a/pdns/recursordist/rec-rust-lib/rust/src/bridge.hh b/pdns/recursordist/rec-rust-lib/rust/src/bridge.hh
@@ -98,4 +98,8 @@ void apiServerSearchData(const Request& rustRequest, Response& rustResponse);
 void apiServerZoneDetailGET(const Request& rustRequest, Response& rustResponse);
 void apiServerZoneDetailPUT(const Request& rustRequest, Response& rustResponse);
 void apiServerZoneDetailDELETE(const Request& rustRequest, Response& rustResponse);
+void apiServerOTConditionsGET(const Request& rustRequest, Response& rustResponse);
+void apiServerOTConditionDetailGET(const Request& rustRequest, Response& rustResponse);
+void apiServerOTConditionDetailDELETE(const Request& rustRequest, Response& rustResponse);
+void apiServerOTConditionDetailPOST(const Request& rustRequest, Response& rustResponse);
 }
diff --git a/pdns/recursordist/rec-rust-lib/rust/src/web.rs b/pdns/recursordist/rec-rust-lib/rust/src/web.rs
@@ -399,6 +399,26 @@ fn matcher(
         (&Method::GET, ["api", "v1"]) => *apifunc = Some(rustweb::apiDiscoveryV1),
         (&Method::GET, ["api"]) => *apifunc = Some(rustweb::apiDiscovery),
         (&Method::GET, ["metrics"]) => *rawfunc = Some(rustweb::prometheusMetrics),
+        (&Method::GET, ["api", "v1", "servers", "localhost", "ottraceconditions"]) => {
+            *apifunc = Some(rustweb::apiServerOTConditionsGET);
+        }
+        (&Method::GET, ["api", "v1", "servers", "localhost", "ottraceconditions", ip, pflen]) => {
+            request.parameters.push(rustweb::KeyValue {
+                key: String::from("acl"),
+                value: String::from(*ip) + "/" + *pflen,
+            });
+            *apifunc = Some(rustweb::apiServerOTConditionDetailGET)
+        }
+        (&Method::DELETE, ["api", "v1", "servers", "localhost", "ottraceconditions", ip, pflen]) => {
+            request.parameters.push(rustweb::KeyValue {
+                key: String::from("acl"),
+                value: String::from(*ip) + "/" + *pflen,
+            });
+            *apifunc = Some(rustweb::apiServerOTConditionDetailDELETE)
+        }
+        (&Method::POST, ["api", "v1", "servers", "localhost", "ottraceconditions"]) => {
+            *apifunc = Some(rustweb::apiServerOTConditionDetailPOST)
+        }
         _ => *filefunc = Some(file),
     }
 }
@@ -1146,6 +1166,10 @@ mod rustweb {
         fn apiServerZoneDetailPUT(request: &Request, response: &mut Response) -> Result<()>;
         fn apiServerZonesGET(request: &Request, response: &mut Response) -> Result<()>;
         fn apiServerZonesPOST(requst: &Request, response: &mut Response) -> Result<()>;
+        fn apiServerOTConditionsGET(request: &Request, response: &mut Response) -> Result<()>;
+        fn apiServerOTConditionDetailGET(request: &Request, response: &mut Response) -> Result<()>;
+        fn apiServerOTConditionDetailDELETE(request: &Request, response: &mut Response) -> Result<()>;
+        fn apiServerOTConditionDetailPOST(request: &Request, response: &mut Response) -> Result<()>;
         fn jsonstat(request: &Request, response: &mut Response) -> Result<()>;
         fn prometheusMetrics(request: &Request, response: &mut Response) -> Result<()>;
         fn serveStuff(request: &Request, response: &mut Response) -> Result<()>;

diff --git a/pdns/recursordist/rec-web-stubs.hh b/pdns/recursordist/rec-web-stubs.hh
@@ -26,6 +26,10 @@ WRAPPER(apiServerZoneDetailGET)
 WRAPPER(apiServerZoneDetailPUT)
 WRAPPER(apiServerZonesGET)
 WRAPPER(apiServerZonesPOST)
+WRAPPER(apiServerOTConditionsGET)
+WRAPPER(apiServerOTConditionDetailGET)
+WRAPPER(apiServerOTConditionDetailDELETE)
+WRAPPER(apiServerOTConditionDetailPOST)
 WRAPPER(jsonstat)
 WRAPPER(prometheusMetrics)
 WRAPPER(serveStuff)

diff --git a/pdns/recursordist/rec_channel.hh b/pdns/recursordist/rec_channel.hh
@@ -152,3 +152,5 @@ void registerAllStats();
 void doExitNicely();
 RecursorControlChannel::Answer doQueueReloadLuaScript(vector<string>::const_iterator begin, vector<string>::const_iterator end);
 RecursorControlChannel::Answer luaconfig(bool broadcast);
+struct OpenTelemetryTraceCondition;
+void updateOTConditions(const NetmaskTree<OpenTelemetryTraceCondition>& conditions);
diff --git a/pdns/recursordist/rec_channel_rec.cc b/pdns/recursordist/rec_channel_rec.cc
@@ -1988,6 +1988,12 @@ static void* pleaseSupplantOTConditions(const OpenTelemetryTraceConditions& cond
   return nullptr;
 }
 
+void updateOTConditions(const OpenTelemetryTraceConditions& conditions)
+{
+  // XXX YAML settings are not updated, so rec_control get-parameter won't show runtime updated conditions
+  broadcastFunction([conditions] { return pleaseSupplantOTConditions(conditions); });
+}
+
 static RecursorControlChannel::Answer help(ArgIterator /* begin */, ArgIterator /* end */)
 {
   static const std::map<std::string, std::string> commands = {
@@ -2123,14 +2129,15 @@ RecursorControlChannel::Answer luaconfig(bool broadcast)
     lci = g_luaconfs.getCopy();
     if (broadcast) {
       startLuaConfigDelayedThreads(lci, lci.generation);
+
+      *g_initialOpenTelemetryConditions.lock() = conditions.empty() ? nullptr : std::make_unique<OpenTelemetryTraceConditions>(conditions);
       broadcastFunction([pmap = std::move(proxyMapping)] { return pleaseSupplantProxyMapping(pmap); });
       broadcastFunction([conds = std::move(conditions)] { return pleaseSupplantOTConditions(conds); });
     }
     else {
-      extern std::unique_ptr<OpenTelemetryTraceConditions> g_OTConditions;
       // Initial proxy mapping
       g_proxyMapping = proxyMapping.empty() ? nullptr : std::make_unique<ProxyMapping>(proxyMapping);
-      g_OTConditions = conditions.empty() ? nullptr : std::make_unique<OpenTelemetryTraceConditions>(conditions);
+      *g_initialOpenTelemetryConditions.lock() = conditions.empty() ? nullptr : std::make_unique<OpenTelemetryTraceConditions>(conditions);
     }
     TCPOutConnectionManager::setupOutgoingTLSConfigTables(settings);