RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: CoreDNSClear ×

CoreDNS

Kubernetes CoreApr 22, 2026

CoreDNS v1.14.3 ships full TSIG verification across all transports, multiple Go security CVE fixes, cache prefetch improvements, and a new forward plugin max_age option — a solid operational hardening release.

  • securityUpgrade immediately for 13 Go CVE fixes and TSIG transport hardening

    Go 1.26.2 in this build addresses 13 CVEs. Beyond the runtime fixes, TSIG verification gaps in DoH, DoH3, QUIC, and gRPC transports are now closed — if you run any of those transports with TSIG, unauthenticated requests could previously slip through. Upgrade to v1.14.3 and verify your TSIG configurations are still valid after the stricter enforcement.

  • breakingDoH oversized GET requests are now rejected — validate your clients

    CoreDNS now rejects oversized dns query parameters in DoH GET requests. Any client sending unusually large DNS-over-HTTPS GET queries will start getting errors. Test your DoH clients against this build in staging before rolling out; most well-behaved clients are unaffected, but custom or non-standard DoH implementations should be checked.

  • enhancementUse max_age in the forward plugin to prevent stale upstream connections

    Long-lived upstream connections can silently degrade or get dropped by middleboxes. The new max_age option in the forward plugin lets you set an absolute connection lifetime. If you've seen sporadic upstream timeouts or resolution failures that resolve themselves, configure max_age to force periodic reconnection — start with something like 30s–5m depending on your upstream stability.

Key changes (5)
  • Full TSIG verification now enforced on DoH, DoH3, QUIC, and gRPC transports — previously these transports lacked complete verification
  • Built with Go 1.26.2, patching 13 CVEs including CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, and others
  • Cache prefetching reworked to release client connections before fetching upstream, preventing connection exhaustion under load
  • New max_age option in the forward plugin enforces absolute connection lifetime, helping with stale upstream connection issues
  • Metrics endpoint now supports optional TLS, and Go runtime metrics can be selectively exported
Source

CoreDNS

Kubernetes CoreMar 6, 2026

CoreDNS v1.14.2 delivers critical security fixes including ACL bypass prevention and stronger loop detection randomness, plus introduces proxy protocol support for preserving client IPs behind load balancers.

  • securityUpgrade immediately to fix ACL bypass vulnerability

    This release fixes CVE-2026-26017 where the rewrite plugin could bypass ACL restrictions. Teams using ACL plugin for access control should prioritize this upgrade and verify their rewrite rules aren't inadvertently exposing restricted zones.

  • securityUpdate Go runtime for multiple CVE fixes

    The Go 1.26.1 update addresses five CVEs in the runtime. Plan your rollout to ensure you're getting both CoreDNS fixes and the underlying Go security improvements, especially if your CoreDNS instances are internet-facing.

  • enhancementDeploy proxyproto plugin for load balancer environments

    If you're running CoreDNS behind load balancers and need real client IP visibility for logging or ACLs, configure the new proxyproto plugin. This is particularly valuable for environments where client IP-based policies or audit trails are required.

Key changes (5)
  • New proxyproto plugin enables client IP preservation behind load balancers using Proxy Protocol
  • Fixed ACL bypass vulnerability by reordering rewrite plugin execution before ACL checks
  • Strengthened loop detection security by switching to cryptographically secure randomness
  • Resolved TLS+IPv6 forwarding parsing errors that affected encrypted DNS traffic
  • Enhanced DNS logging with response Type and Class metadata for better observability
Source