* plugin/pkg/proxy: add max_age for per-connection lifetime cap
Introduce a max_age setting on Transport that closes connections based
on creation time, independent of idle-timeout (expire).
Background: PR #7790 changed the connection pool from LIFO to FIFO for
source-port diversity. Under FIFO, every connection is cycled through
the pool and its used timestamp is refreshed continuously. When request
rate is high enough that pool_size / request_rate < expire, no
connection ever becomes idle and expire never fires. This prevents
CoreDNS from opening new connections to upstreams that scale out (e.g.
new Kubernetes pods behind a ClusterIP service with conntrack pinning).
max_age addresses this by enforcing an absolute upper bound on
connection lifetime regardless of activity:
- persistConn gains a created field set at dial time.
- Transport gains maxAge (default 0 = unlimited, preserving existing
  behaviour).
- Dial(): rejects cached connections whose creation age exceeds max_age.
- cleanup(): when maxAge > 0, uses a linear scan over both idle-timeout
  and max-age predicates; when maxAge == 0, preserves the original
  binary-search path on used time (sorted by FIFO insertion order).
- Both hot paths pre-compute the deadline outside any inner loop to
  avoid repeated time.Now() calls.
Tests added:
- TestMaxAgeExpireByCreation: connection with old created but fresh used
  must be rejected even though idle-timeout would pass.
- TestMaxAgeFIFORotation: three FIFO-rotated connections (old created,
  fresh used) must all be rejected, confirming that continuous rotation
  cannot prevent max-age expiry.
Signed-off-by: cangming <cangming@cangming.app>
* plugin/forward: add max_age option
Expose Transport.SetMaxAge through the forward plugin so operators can
set an absolute upper bound on connection lifetime via the Corefile.
Usage:
    forward . 1.2.3.4 {
        max_age 30s
    }
Default is 0 (unlimited), which preserves existing behaviour.
A positive value causes connections older than max_age to be closed and
re-dialled on the next request, ensuring CoreDNS reconnects to newly
scaled-out upstream pods even under sustained load where the idle
timeout (expire) would never fire.
If max_age is set, it must not be less than expire; the parser rejects
this combination at startup with a clear error message.
Signed-off-by: cangming <cangming@cangming.app>
---------
Signed-off-by: cangming <cangming@cangming.app>
* feat(secondary): Send NOTIFY messages after zone transfer
- Modified TransferIn() method to accept a transfer.Transfer parameter
- Added NOTIFY message sending after successful zone transfer in secondary plugin
- Updated Update() method to pass the transfer handler through the zone update cycle
- Added comprehensive tests for the secondary notify functionality
Closes #5669
Signed-off-by: liucongran <liucongran327@gmail.com>
* fix(secondary): Fix TransferIn method call in test
Update test to pass nil parameter to TransferIn method after signature change
Signed-off-by: liucongran <liucongran327@gmail.com>
* refactor(secondary): Clean up imports and add helper methods
- Reorder imports for consistency
- Add hasSOA() and getSOA() helper methods to Zone
- Remove unnecessary blank lines in tests
Signed-off-by: liucongran <liucongran327@gmail.com>
* fix(test): Fix variable declaration in secondary test
Change corefile variable assignment to use short declaration syntax (:=)
to fix compilation error.
Signed-off-by: liucongran <liucongran327@gmail.com>
* refactor(secondary): Use getSOA helper method in shouldTransfer
Replace direct SOA access with getSOA() helper method for consistency.
Signed-off-by: liucongran <liucongran327@gmail.com>
---------
Signed-off-by: liucongran <liucongran327@gmail.com>
Co-authored-by: liucongran <liucongran@cestc.cn>
- Added nolint to plugin/auto/walk.go to avoid a symlink/TOCTOU
  warning, as it needs to follow symlinks.
- Replaced a few flagged integer conversions with safe equivalents in
  cache hashing, reuseport socket setup, and TLS arg handling
- Preallocated response rule slices in plugin/rewrite/name.go
- Replaced WriteString(fmt.Sprintf/Sprintln(...)) with direct
  fmt.Fprint* calls
- Removed stale nolint directives from code and tests that are no
  longer needed
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Updated release date for CoreDNS 1.14.2 to match the actual release
date. This causes issues when rendering the coredns.io website.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
* fix(rewrite): fix cname target rewrite for CNAME chains
This fix corrects the cname target rewrite to handle CNAME chains:
- Preserves only the CNAME records before matching the rule
- Rewrites only the CNAME target that matches the rule
- Includes all records from the re-resolved upstream response
Signed-off-by: hide <hide@hide.net.eu.org>
* docs(rewrite): document how answer records are handled in CNAME target rewrite
Signed-off-by: hide <hide@hide.net.eu.org>
* fix(rewrite): simplify slice append per staticcheck S1011
Signed-off-by: hide <hide@hide.net.eu.org>
* docs(rewrite): add extra line between code and paragraph
Signed-off-by: hide <hide@hide.net.eu.org>
---------
Signed-off-by: hide <hide@hide.net.eu.org>
Co-authored-by: hide <hide@hide.net.eu.org>