CoreDNS
v1.14.5Kubernetes CoreCoreDNS v1.14.5 is a maintenance release addressing DoH/DoH3 transport safety, forwarding robustness, and plugin stability across dnstap, file, secondary, and transfer. It includes three behavior changes (TLS defaults, DoQ timeout, forward empty-config handling) that may require configuration review, plus two dozen plugin fixes and enhancements.
breakingTLS defaults switched to Go stdlib
TLS now uses Go defaults instead of custom configuration. Review your TLS setup if you have specific certificate requirements or cipher suite preferences; explicit configuration may be needed if the new defaults do not match your security policy.
breakingDoQ stream read now bounded by server timeout
DoQ (DNS over QUIC) stream reads are now bounded by the server read timeout instead of unbounded. If you use DoQ with long-lived streams or slow clients, adjust the read timeout configuration to prevent premature stream termination.
breakingForward plugin: empty config file no longer errors
The forward plugin now continues when the configuration file is empty instead of raising an error. If you rely on error signaling for empty config files, explicit validation upstream may be required.
Key changes (7)
- TLS defaults switched from custom to Go stdlib settings
- DoQ (DNS over QUIC) stream read timeout now bounded by server read timeout
- Forward plugin restored to continue on empty configuration file instead of erroring
- Per-upstream read timeout in forward plugin is now configurable
- NXDOMAIN responses without SOA now classified as denial
- DoH (DNS over HTTPS) support added to forward plugin
- Plugin fixes: dnstap connection handling and deadlock, file SOA/wildcard processing, hosts wildcard support and data race, rewrite nil-pointer panic and question restoration, secondary catalog parsing, transfer notify source address, TSIG error echo handling, cache AD bit partitioning, erratic truncate default, AXFR panic, localhost handling