Ville Vesilehto
cb40d84c85
fix(dnssec): return nil sigs on sign error ( #7999 )
2026-04-04 10:40:29 -07:00
Ville Vesilehto
ce9da6fa41
fix(test): deduplicate TSIG test helpers ( #8009 )
2026-04-04 10:37:59 -07:00
Yong Tang
0e1870d762
core: Add full TSIG verification in QUIC transport ( #8007 )
...
* core: Add full TSIG verification in QUIC transport
This PR add full TSIG verification in QUIC using dns.TsigVerify()
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
2026-04-04 12:00:23 +03:00
Yong Tang
4c9a80c296
core: Add full TSIG verification in gRPC transport ( #8006 )
...
* core: Add full TSIG verification in gRPC transport
This PR add full TSIG verification in gRPC using dns.TsigVerify() so invalid signatures and timestamps are correctly detected instead of only checking key presence.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
2026-04-04 11:58:36 +03:00
Ville Vesilehto
510977c476
fix(dnssec): avoid caching empty signing results ( #7996 )
2026-04-01 14:20:15 -07:00
Ville Vesilehto
6d6c50db3a
fix(dnssec): add defensive nil checks ( #7997 )
2026-04-01 14:19:54 -07:00
Ville Vesilehto
503c2d7ea3
fix(kubernetes): sanitize non-UTF-8 host in metrics ( #7998 )
2026-04-01 14:19:29 -07:00
Yong Tang
529320db4b
Bump version to 1.14.3 ( #7993 )
...
This PR bumps version to 1.14.2, as part of the release.
Related to 7985
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
2026-04-01 21:06:09 +03:00
dependabot[bot]
1e1a903d93
build(deps): bump sigs.k8s.io/mcs-api from 0.4.0 to 0.4.1 ( #7994 )
...
Bumps [sigs.k8s.io/mcs-api](https://github.com/kubernetes-sigs/mcs-api ) from 0.4.0 to 0.4.1.
- [Release notes](https://github.com/kubernetes-sigs/mcs-api/releases )
- [Changelog](https://github.com/kubernetes-sigs/mcs-api/blob/master/RELEASE.md )
- [Commits](https://github.com/kubernetes-sigs/mcs-api/compare/v0.4.0...v0.4.1 )
---
updated-dependencies:
- dependency-name: sigs.k8s.io/mcs-api
dependency-version: 0.4.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-01 20:59:21 +03:00
dependabot[bot]
3c100561f8
build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 ( #7995 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](4b73464bb3...4a3601121dsupport@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-01 20:58:47 +03:00
Ville Vesilehto
b9080d9a4d
ci: verify generated files are up to date ( #7987 )
2026-03-31 06:24:50 -07:00
Ville Vesilehto
674b43a353
fix: add proxyproto to plugin.cfg and regenerate ( #7986 )
2026-03-30 14:43:31 -07:00
Ville Vesilehto
1df23e0e86
ci: create PR instead of push autogenerated docs ( #7988 )
2026-03-30 14:40:01 -07:00
Ville Vesilehto
2ba4340362
chore: bump golangci-lint to v2.11.4 ( #7983 )
2026-03-30 14:39:09 -07:00
Ville Vesilehto
4091e650fe
chore: bump mmark to v2.2.47 and fix portability ( #7989 )
2026-03-30 14:38:38 -07:00
rpb-ant
20626a7464
Add an atomic.Bool to singleflight prefetching ( #7963 )
...
Also updated plugin to document single-flighting
Signed-off-by: Ryan Brewster <rpb@anthropic.com >
2026-03-30 23:18:24 +03:00
Ville Vesilehto
0ba8e3c850
test(dnstap): fix flaky TestReconnect ( #7982 )
2026-03-29 17:03:08 -07:00
Ville Vesilehto
0e9a51410a
lint(revive): fix unreachable-code violation ( #7979 )
2026-03-29 17:02:39 -07:00
Ville Vesilehto
6720959b8b
lint(revive): fix unused-parameter violations ( #7980 )
2026-03-29 17:02:20 -07:00
Ville Vesilehto
6af8fd46fe
lint(revive): fix unnecessary-stmt violations ( #7978 )
2026-03-29 17:02:03 -07:00
Ville Vesilehto
867cd8fd6b
lint(revive): fix indent-error-flow violations ( #7977 )
2026-03-29 17:01:22 -07:00
Ville Vesilehto
7fd983b02c
lint(revive): fix context-as-argument violations ( #7976 )
2026-03-29 17:01:03 -07:00
Ville Vesilehto
61330515de
test(forward): restore defaultTimeout ( #7981 )
2026-03-29 17:00:30 -07:00
Ville Vesilehto
54b06d9a3b
lint(revive): fix early-return violations ( #7974 )
2026-03-29 16:59:22 -07:00
Ville Vesilehto
ff954b12b2
lint: enable revive linter ( #7973 )
2026-03-29 00:04:28 -07:00
Minghang Chen
34acf8353f
proxyproto: add UDP session tracking for Spectrum PPv2 ( #7967 )
2026-03-28 15:06:36 -07:00
Ingmar Van Glabbeek
12d9457e71
plugin/file: expand SVCB/HTTPS record support ( #7950 )
...
* plugin/file: expand SVCB/HTTPS record support
Add proper SVCB (type 64) and HTTPS (type 65) handling:
- Additional section processing: include A/AAAA glue for in-bailiwick
SVCB/HTTPS targets, matching existing SRV/MX behavior
- Target name normalization: lowercase SVCB/HTTPS Target on zone insert,
consistent with CNAME/MX handling
- Metrics: add TypeSVCB to monitored query types (TypeHTTPS was already
present)
- Test helpers: add SVCB()/HTTPS() constructors and Section comparison
cases
- Tests: basic queries with glue, AliasMode, wildcards, NoData, NXDOMAIN,
target normalization, and DNS-AID private-use key (65400-65408)
round-trip
Signed-off-by: Ingmar <ivanglabbeek@infoblox.com >
* plugin/file: simplify HTTPS target access via field promotion
dns.HTTPS embeds dns.SVCB, so .Target is directly accessible
without the redundant .SVCB. qualifier. Fixes gosimple S1027.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
Signed-off-by: Ingmar <ivanglabbeek@infoblox.com >
---------
Signed-off-by: Ingmar <ivanglabbeek@infoblox.com >
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-28 11:46:41 +02:00
Ilya Kulakov
a8caf4c375
plugin/tls: Add the keylog option to configure TLSConfig.KeyLogWriter ( #7537 )
...
* tls: Add the keylog option to configure TLSConfig.KeyLogWriter
Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com >
* tls: Close keylog file on instance shutdown.
Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com >
---------
Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com >
2026-03-27 21:10:13 +02:00
Seena Fallah
471d62926d
plugin/tsig: add require_opcode directive for opcode-based TSIG ( #7828 )
...
Extend the tsig plugin to require TSIG signatures based on DNS opcodes,
similar to the existing qtype-based requirement.
The new require_opcode directive accepts opcode names (QUERY, IQUERY,
STATUS, NOTIFY, UPDATE) or the special values "all" and "none".
This is useful for requiring TSIG on dynamic update (UPDATE) or zone
transfer notification (NOTIFY) requests while allowing unsigned queries.
Example:
```
tsig {
secret key. NoTCJU+DMqFWywaPyxSijrDEA/eC3nK0xi3AMEZuPVk=
require_opcode UPDATE NOTIFY
}
```
Signed-off-by: Seena Fallah <seenafallah@gmail.com >
2026-03-27 21:05:49 +02:00
Ville Vesilehto
0918e88368
chore(docs): update Docker build command in README ( #7972 )
2026-03-26 20:37:35 -07:00
Ville Vesilehto
0132ad86b5
chore(docs): regenerate man pages ( #7971 )
2026-03-26 20:35:09 -07:00
Ville Vesilehto
49b18b8af6
test(dnssec): fix err in TestZoneSigningDouble ( #7969 )
2026-03-26 20:33:55 -07:00
John-Michael Mulesa
1c15569168
feat: add support for running CoreDNS as a Windows service ( #7962 )
...
* feat: add support for running CoreDNS as a Windows service
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
* Use non-deprecated service check function.
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
* refactor: remove deprecated build tags and clean up imports in service files
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
* ci: add Windows test workflow and fix log field access in service_windows.go
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
* test: implement cross-platform file permission restriction for Windows compatibility in run_test.go
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
* refactor: remove Windows-specific icacls test logic and restrict unreadable file test to non-Windows platforms
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
* docs: add documentation for -windows-service flag in man page
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
---------
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
2026-03-26 21:10:53 +02:00
Ville Vesilehto
12131b7455
ci: remove trivy-action ( #7961 )
2026-03-24 13:46:32 -07:00
Yong Tang
384be4cd8e
core: Preserve TSIG status in gRPC transport ( #7943 )
2026-03-24 13:46:15 -07:00
Yong Tang
a025712827
plugin/transfter: Fix longestMatch to select the most specific zone correctly. ( #7949 )
...
* plugin/transfter: Fix longestMatch to select the most specific zone correctly.
This PR Fix longestMatch to select the most specific zone correctly.The previous implementation used lexicographic string comparison, which could choose the wrong zone; this change selects the longest matching zone instead.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
* Tie breaker
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
2026-03-24 20:35:20 +02:00
Ville Vesilehto
980b0fe16b
ci(depsreview): add version comment to pin ( #7966 )
2026-03-24 10:31:25 -07:00
Ville Vesilehto
28617d8f30
ci(release): use env vars for expressions in shell ( #7965 )
2026-03-24 10:31:00 -07:00
Ville Vesilehto
b7948f1bac
ci: add persist-credentials: false to checkouts ( #7964 )
2026-03-24 10:29:48 -07:00
rpb-ant
31e16025ef
plugin/cache: prefetch without holding a client connection ( #7944 )
2026-03-24 08:47:11 -07:00
Syed Azeez
f582a01dc9
fix(kubernetes): record cluster_ip services in dns_programming_duration metric ( #7951 )
...
Signed-off-by: Azeez Syed <syedazeez337@gmail.com >
2026-03-24 05:29:28 -07:00
Ville Vesilehto
734426798f
ci(dependabot): add 7-day cooldown for updates ( #7960 )
2026-03-24 00:59:24 -07:00
dependabot[bot]
80f6df8f12
build(deps): bump the go-etcd-io group with 2 updates ( #7954 )
2026-03-24 00:58:55 -07:00
dependabot[bot]
ec5b5c6006
build(deps): bump the k8s-io group with 3 updates ( #7953 )
2026-03-24 00:58:32 -07:00
Ville Vesilehto
95d6e177ee
ci(yamllint): replace third-party action with uvx ( #7957 )
2026-03-24 00:58:19 -07:00
Ville Vesilehto
718bfe7e2d
ci(docker): scope secrets to publish step only ( #7959 )
2026-03-24 00:57:50 -07:00
Ville Vesilehto
406be98739
ci: use go-version-file instead of GITHUB_ENV ( #7958 )
2026-03-24 00:57:20 -07:00
dependabot[bot]
540a50d900
build(deps): bump github.com/DataDog/dd-trace-go/v2 from 2.6.0 to 2.7.0 ( #7955 )
...
Bumps [github.com/DataDog/dd-trace-go/v2](https://github.com/DataDog/dd-trace-go ) from 2.6.0 to 2.7.0.
- [Release notes](https://github.com/DataDog/dd-trace-go/releases )
- [Commits](https://github.com/DataDog/dd-trace-go/compare/v2.6.0...v2.7.0 )
---
updated-dependencies:
- dependency-name: github.com/DataDog/dd-trace-go/v2
dependency-version: 2.7.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-24 06:26:45 +02:00
dependabot[bot]
ca124299be
build(deps): bump github/codeql-action from 4.33.0 to 4.34.1 ( #7952 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.33.0 to 4.34.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](b1bff81932...3869755554support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-23 16:01:53 +02:00
John-Michael Mulesa
92a6ae7079
Update github workflow to release windows builds in zip format. ( #7946 )
...
* feat: Add GitHub Actions workflow for drafting releases and update Makefile to build Windows releases as zip archives.
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
* Generate both tgz and zip for Windows to support any existing workflows.
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
---------
Signed-off-by: John-Michael Mulesa <jmulesa@gmail.com >
2026-03-21 20:21:12 -07:00
