CoreDNS
v1.14.3Kubernetes CoreCoreDNS v1.14.3 ships full TSIG verification across all transports, multiple Go security CVE fixes, cache prefetch improvements, and a new forward plugin max_age option — a solid operational hardening release.
securityUpgrade immediately for 13 Go CVE fixes and TSIG transport hardening
Go 1.26.2 in this build addresses 13 CVEs. Beyond the runtime fixes, TSIG verification gaps in DoH, DoH3, QUIC, and gRPC transports are now closed — if you run any of those transports with TSIG, unauthenticated requests could previously slip through. Upgrade to v1.14.3 and verify your TSIG configurations are still valid after the stricter enforcement.
enhancementUse max_age in the forward plugin to prevent stale upstream connections
Long-lived upstream connections can silently degrade or get dropped by middleboxes. The new max_age option in the forward plugin lets you set an absolute connection lifetime. If you've seen sporadic upstream timeouts or resolution failures that resolve themselves, configure max_age to force periodic reconnection — start with something like 30s–5m depending on your upstream stability.
breakingDoH oversized GET requests are now rejected — validate your clients
CoreDNS now rejects oversized dns query parameters in DoH GET requests. Any client sending unusually large DNS-over-HTTPS GET queries will start getting errors. Test your DoH clients against this build in staging before rolling out; most well-behaved clients are unaffected, but custom or non-standard DoH implementations should be checked.
主な変更 (5)
- Full TSIG verification now enforced on DoH, DoH3, QUIC, and gRPC transports — previously these transports lacked complete verification
- Built with Go 1.26.2, patching 13 CVEs including CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, and others
- Cache prefetching reworked to release client connections before fetching upstream, preventing connection exhaustion under load
- New max_age option in the forward plugin enforces absolute connection lifetime, helping with stale upstream connection issues
- Metrics endpoint now supports optional TLS, and Go runtime metrics can be selectively exported