Extend the tsig plugin to require TSIG signatures based on DNS opcodes,
similar to the existing qtype-based requirement.
The new require_opcode directive accepts opcode names (QUERY, IQUERY,
STATUS, NOTIFY, UPDATE) or the special values "all" and "none".
This is useful for requiring TSIG on dynamic update (UPDATE) or zone
transfer notification (NOTIFY) requests while allowing unsigned queries.
Example:
```
tsig {
secret key. NoTCJU+DMqFWywaPyxSijrDEA/eC3nK0xi3AMEZuPVk=
require_opcode UPDATE NOTIFY
}
```
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
* feat: add support for running CoreDNS as a Windows service
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
* Use non-deprecated service check function.
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
* refactor: remove deprecated build tags and clean up imports in service files
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
* ci: add Windows test workflow and fix log field access in service_windows.go
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
* test: implement cross-platform file permission restriction for Windows compatibility in run_test.go
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
* refactor: remove Windows-specific icacls test logic and restrict unreadable file test to non-Windows platforms
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
* docs: add documentation for -windows-service flag in man page
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
---------
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
* plugin/transfter: Fix longestMatch to select the most specific zone correctly.
This PR Fix longestMatch to select the most specific zone correctly.The previous implementation used lexicographic string comparison, which could choose the wrong zone; this change selects the longest matching zone instead.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* Tie breaker
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* feat: Add GitHub Actions workflow for drafting releases and update Makefile to build Windows releases as zip archives.
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
* Generate both tgz and zip for Windows to support any existing workflows.
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
---------
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com>
* core: Reject oversized GET dns query parameter of DoH
The DoH POST path limits request size using http.MaxBytesReader(..., 65536), but the GET path passes the dns query value directly to base64ToMsg() with no equivalent bound.
This PR adds length check.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This PR fixes Fix case-sensitive zone handling in the transfer plugin for AXFR/IXFR, raised in 7898
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Replace github.com/matttproud/golang_protobuf_extensions/pbutil
with google.golang.org/protobuf/encoding/protodelim for reading
varint size-delimited protobuf messages in the metrics scraper.
The new protodelim package is already available via the existing
google.golang.org/protobuf dependency, so this removes pbutil as
a direct dependency entirely.
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
* plugin/pkg/proxy: add max_age for per-connection lifetime cap
Introduce a max_age setting on Transport that closes connections based
on creation time, independent of idle-timeout (expire).
Background: PR #7790 changed the connection pool from LIFO to FIFO for
source-port diversity. Under FIFO, every connection is cycled through
the pool and its used timestamp is refreshed continuously. When request
rate is high enough that pool_size / request_rate < expire, no
connection ever becomes idle and expire never fires. This prevents
CoreDNS from opening new connections to upstreams that scale out (e.g.
new Kubernetes pods behind a ClusterIP service with conntrack pinning).
max_age addresses this by enforcing an absolute upper bound on
connection lifetime regardless of activity:
- persistConn gains a created field set at dial time.
- Transport gains maxAge (default 0 = unlimited, preserving existing
behaviour).
- Dial(): rejects cached connections whose creation age exceeds max_age.
- cleanup(): when maxAge > 0, uses a linear scan over both idle-timeout
and max-age predicates; when maxAge == 0, preserves the original
binary-search path on used time (sorted by FIFO insertion order).
- Both hot paths pre-compute the deadline outside any inner loop to
avoid repeated time.Now() calls.
Tests added:
- TestMaxAgeExpireByCreation: connection with old created but fresh used
must be rejected even though idle-timeout would pass.
- TestMaxAgeFIFORotation: three FIFO-rotated connections (old created,
fresh used) must all be rejected, confirming that continuous rotation
cannot prevent max-age expiry.
Signed-off-by: cangming <cangming@cangming.app>
* plugin/forward: add max_age option
Expose Transport.SetMaxAge through the forward plugin so operators can
set an absolute upper bound on connection lifetime via the Corefile.
Usage:
forward . 1.2.3.4 {
max_age 30s
}
Default is 0 (unlimited), which preserves existing behaviour.
A positive value causes connections older than max_age to be closed and
re-dialled on the next request, ensuring CoreDNS reconnects to newly
scaled-out upstream pods even under sustained load where the idle
timeout (expire) would never fire.
If max_age is set, it must not be less than expire; the parser rejects
this combination at startup with a clear error message.
Signed-off-by: cangming <cangming@cangming.app>
---------
Signed-off-by: cangming <cangming@cangming.app>
