RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: CoreDNSClear ×

CoreDNS

Kubernetes CoreJun 9, 2026

CoreDNS v1.14.4 delivers a broad set of targeted fixes and new capabilities: DNSSEC signing correctness fix, cache behavior improvements, forward plugin now resolves hostnames, and several transport security hardening items.

  • breakingDNSSEC signing behavior changed — review delegated zone setups

    The fix to sign each RRset with its owning zone rather than the query zone is technically correct, but if you have multi-zone DNSSEC setups with delegations, validate your signed responses after upgrading. Zones that were relying on the previous (incorrect) signing behavior may produce different signatures. Run dnssec-verify on a sample of records before cutting over in production.

  • enhancementUse hostname-based forward targets instead of hard-coded IPs

    The forward plugin now resolves hostnames for TO endpoints at runtime. If your CoreDNS configs currently pin upstream resolver IPs, you can switch to FQDNs and let CoreDNS handle resolution. This simplifies config management in environments where upstream IPs change (e.g., cloud-managed resolvers). Test in staging first — resolution failures at startup could affect forwarding.

  • enhancementRemove the 3600s cache TTL ceiling if longer TTLs are appropriate

    Cache TTLs were previously capped at 3600s regardless of the DNS record's actual TTL. That cap is gone. For stable records (root hints, internal authoritative zones) you can now set higher max_ttl values to reduce upstream query load. Audit your cache plugin config and raise max_ttl where it makes sense.

Key changes (5)
  • DNSSEC signing fix: RRsets are now signed with the zone that owns the name, not the query zone — this corrects a subtle but real signing correctness bug
  • Forward plugin now supports hostname resolution for TO endpoints, removing the need to pre-resolve IPs in configs
  • Cache TTL cap of 3600s removed; serve_stale gains an optional verify timeout; positive cache is preferred over SERVFAIL in negative cache
  • File plugin triggers zone reload on mtime change — no more manual reload signals for zone file updates
  • dnstap plugin now supports incoming connections; secondary plugin gains fallthrough support
Source

CoreDNS

Kubernetes CoreApr 22, 2026

CoreDNS v1.14.3 ships full TSIG verification across all transports, multiple Go security CVE fixes, cache prefetch improvements, and a new forward plugin max_age option — a solid operational hardening release.

  • securityUpgrade immediately for 13 Go CVE fixes and TSIG transport hardening

    Go 1.26.2 in this build addresses 13 CVEs. Beyond the runtime fixes, TSIG verification gaps in DoH, DoH3, QUIC, and gRPC transports are now closed — if you run any of those transports with TSIG, unauthenticated requests could previously slip through. Upgrade to v1.14.3 and verify your TSIG configurations are still valid after the stricter enforcement.

  • breakingDoH oversized GET requests are now rejected — validate your clients

    CoreDNS now rejects oversized dns query parameters in DoH GET requests. Any client sending unusually large DNS-over-HTTPS GET queries will start getting errors. Test your DoH clients against this build in staging before rolling out; most well-behaved clients are unaffected, but custom or non-standard DoH implementations should be checked.

  • enhancementUse max_age in the forward plugin to prevent stale upstream connections

    Long-lived upstream connections can silently degrade or get dropped by middleboxes. The new max_age option in the forward plugin lets you set an absolute connection lifetime. If you've seen sporadic upstream timeouts or resolution failures that resolve themselves, configure max_age to force periodic reconnection — start with something like 30s–5m depending on your upstream stability.

Key changes (5)
  • Full TSIG verification now enforced on DoH, DoH3, QUIC, and gRPC transports — previously these transports lacked complete verification
  • Built with Go 1.26.2, patching 13 CVEs including CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, and others
  • Cache prefetching reworked to release client connections before fetching upstream, preventing connection exhaustion under load
  • New max_age option in the forward plugin enforces absolute connection lifetime, helping with stale upstream connection issues
  • Metrics endpoint now supports optional TLS, and Go runtime metrics can be selectively exported
Source