Yong Tang
c0e6e7cef3
core: Add full TSIG verification in DoH transport ( #8013 )
...
* core: Add full TSIG verification in DoH transport
This PR add full TSIG verification in DoH using dns.TsigVerify()
7943
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
2026-04-09 15:24:00 +03:00
Ville Vesilehto
18d692a986
ci: limit push trigger to master branch ( #8033 )
2026-04-09 02:53:57 -07:00
Ville Vesilehto
f7e90e7ae2
fix(test): fix flaky view server block ordering test ( #8031 )
2026-04-08 14:44:48 -07:00
Ville Vesilehto
32986a7783
chore: bump Go version to 1.26.2 ( #8014 )
2026-04-08 14:38:29 -07:00
Ville Vesilehto
4c71636a71
fix(auto): resolve symlinked directory before walk ( #8032 )
2026-04-08 14:38:01 -07:00
dependabot[bot]
489a4f8703
build(deps): bump github.com/aws/aws-sdk-go-v2/service/route53 ( #8029 )
...
Bumps [github.com/aws/aws-sdk-go-v2/service/route53](https://github.com/aws/aws-sdk-go-v2 ) from 1.62.4 to 1.62.5.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/fsx/v1.62.4...service/iot/v1.62.5 )
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/route53
dependency-version: 1.62.5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 22:14:23 +03:00
dependabot[bot]
4bc65d7376
build(deps): bump github.com/DataDog/dd-trace-go/v2 from 2.7.0 to 2.7.1 ( #8030 )
...
Bumps [github.com/DataDog/dd-trace-go/v2](https://github.com/DataDog/dd-trace-go ) from 2.7.0 to 2.7.1.
- [Release notes](https://github.com/DataDog/dd-trace-go/releases )
- [Commits](https://github.com/DataDog/dd-trace-go/compare/v2.7.0...v2.7.1 )
---
updated-dependencies:
- dependency-name: github.com/DataDog/dd-trace-go/v2
dependency-version: 2.7.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 21:52:20 +03:00
rpb-ant
010dc1e2b7
Allow selectively exporting all Go runtime metrics ( #7990 )
...
Signed-off-by: Ryan Brewster <rpb@anthropic.com >
2026-04-08 21:38:19 +03:00
dependabot[bot]
a33c8058be
build(deps): bump github.com/prometheus/exporter-toolkit ( #8024 )
...
Bumps [github.com/prometheus/exporter-toolkit](https://github.com/prometheus/exporter-toolkit ) from 0.15.1 to 0.16.0.
- [Release notes](https://github.com/prometheus/exporter-toolkit/releases )
- [Commits](https://github.com/prometheus/exporter-toolkit/compare/v0.15.1...v0.16.0 )
---
updated-dependencies:
- dependency-name: github.com/prometheus/exporter-toolkit
dependency-version: 0.16.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 21:31:53 +03:00
dependabot[bot]
b802653414
build(deps): bump google.golang.org/api from 0.272.0 to 0.273.1 ( #8027 )
...
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client ) from 0.272.0 to 0.273.1.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases )
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md )
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.272.0...v0.273.1 )
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-version: 0.273.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 21:31:05 +03:00
dependabot[bot]
fc6b3cebb4
build(deps): bump github.com/aws/aws-sdk-go-v2/service/secretsmanager ( #8020 )
...
Bumps [github.com/aws/aws-sdk-go-v2/service/secretsmanager](https://github.com/aws/aws-sdk-go-v2 ) from 1.41.4 to 1.41.5.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.41.4...v1.41.5 )
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/secretsmanager
dependency-version: 1.41.5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 21:14:27 +03:00
dependabot[bot]
dd25122f07
build(deps): bump google.golang.org/grpc from 1.79.3 to 1.80.0 ( #8025 )
...
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go ) from 1.79.3 to 1.80.0.
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.79.3...v1.80.0 )
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-version: 1.80.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 21:07:22 +03:00
dependabot[bot]
c35b6466ae
build(deps): bump github.com/aws/aws-sdk-go-v2/config ( #8023 )
...
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2 ) from 1.32.12 to 1.32.13.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.32.12...config/v1.32.13 )
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
dependency-version: 1.32.13
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 20:19:52 +03:00
dependabot[bot]
d3fb3e58fe
build(deps): bump github/codeql-action from 4.34.1 to 4.35.1 ( #8021 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.34.1 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](3869755554...c10b8064desupport@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 20:14:10 +03:00
dependabot[bot]
330e7e8c82
build(deps): bump golang.org/x/sys from 0.42.0 to 0.43.0 ( #8019 )
...
Bumps [golang.org/x/sys](https://github.com/golang/sys ) from 0.42.0 to 0.43.0.
- [Commits](https://github.com/golang/sys/compare/v0.42.0...v0.43.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/sys
dependency-version: 0.43.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 20:13:52 +03:00
dependabot[bot]
ae338f57c0
build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 ( #8018 )
...
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv ) from 7.6.0 to 8.0.0.
- [Release notes](https://github.com/astral-sh/setup-uv/releases )
- [Commits](37802adc94...cec208311dsupport@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-08 20:13:22 +03:00
Ville Vesilehto
5643d41ba7
fix(tls): use temp dir for keylog test path ( #8010 )
2026-04-04 11:37:51 -07:00
Umut Polat
61f4145506
fix(transfer): batch AXFR records by message size instead of count ( #8002 )
2026-04-04 11:35:27 -07:00
Cedric Wang
03d0863a45
fix(doh): use per-connection local address for PROXY protocol ( #8005 )
2026-04-04 11:32:10 -07:00
Umut Polat
2263340fab
fix(dnsserver): allow view server blocks in any declaration order ( #8001 )
...
When using the view plugin, filtered and unfiltered server blocks can
share the same zone and port. The zone overlap validation rejected this
configuration when the unfiltered block was not declared last, because
filtered configs treated an already-registered zone as an error.
Skip the 'already defined' check for configs that have filter functions,
since they are expected to coexist with an unfiltered catch-all block on
the same zone/port.
Fixes #7733
Signed-off-by: umut-polat <52835619+umut-polat@users.noreply.github.com >
2026-04-04 20:45:55 +03:00
Ville Vesilehto
4eb6eca9f0
fix(dnssec): return nil from ParseKeyFile on error ( #8000 )
2026-04-04 10:40:47 -07:00
Ville Vesilehto
cb40d84c85
fix(dnssec): return nil sigs on sign error ( #7999 )
2026-04-04 10:40:29 -07:00
Ville Vesilehto
ce9da6fa41
fix(test): deduplicate TSIG test helpers ( #8009 )
2026-04-04 10:37:59 -07:00
Yong Tang
0e1870d762
core: Add full TSIG verification in QUIC transport ( #8007 )
...
* core: Add full TSIG verification in QUIC transport
This PR add full TSIG verification in QUIC using dns.TsigVerify()
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
2026-04-04 12:00:23 +03:00
Yong Tang
4c9a80c296
core: Add full TSIG verification in gRPC transport ( #8006 )
...
* core: Add full TSIG verification in gRPC transport
This PR add full TSIG verification in gRPC using dns.TsigVerify() so invalid signatures and timestamps are correctly detected instead of only checking key presence.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
2026-04-04 11:58:36 +03:00
Ville Vesilehto
510977c476
fix(dnssec): avoid caching empty signing results ( #7996 )
2026-04-01 14:20:15 -07:00
Ville Vesilehto
6d6c50db3a
fix(dnssec): add defensive nil checks ( #7997 )
2026-04-01 14:19:54 -07:00
Ville Vesilehto
503c2d7ea3
fix(kubernetes): sanitize non-UTF-8 host in metrics ( #7998 )
2026-04-01 14:19:29 -07:00
Yong Tang
529320db4b
Bump version to 1.14.3 ( #7993 )
...
This PR bumps version to 1.14.2, as part of the release.
Related to 7985
Signed-off-by: Yong Tang <yong.tang.github@outlook.com >
2026-04-01 21:06:09 +03:00
dependabot[bot]
1e1a903d93
build(deps): bump sigs.k8s.io/mcs-api from 0.4.0 to 0.4.1 ( #7994 )
...
Bumps [sigs.k8s.io/mcs-api](https://github.com/kubernetes-sigs/mcs-api ) from 0.4.0 to 0.4.1.
- [Release notes](https://github.com/kubernetes-sigs/mcs-api/releases )
- [Changelog](https://github.com/kubernetes-sigs/mcs-api/blob/master/RELEASE.md )
- [Commits](https://github.com/kubernetes-sigs/mcs-api/compare/v0.4.0...v0.4.1 )
---
updated-dependencies:
- dependency-name: sigs.k8s.io/mcs-api
dependency-version: 0.4.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-01 20:59:21 +03:00
dependabot[bot]
3c100561f8
build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 ( #7995 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](4b73464bb3...4a3601121dsupport@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-01 20:58:47 +03:00
Ville Vesilehto
b9080d9a4d
ci: verify generated files are up to date ( #7987 )
2026-03-31 06:24:50 -07:00
Ville Vesilehto
674b43a353
fix: add proxyproto to plugin.cfg and regenerate ( #7986 )
2026-03-30 14:43:31 -07:00
Ville Vesilehto
1df23e0e86
ci: create PR instead of push autogenerated docs ( #7988 )
2026-03-30 14:40:01 -07:00
Ville Vesilehto
2ba4340362
chore: bump golangci-lint to v2.11.4 ( #7983 )
2026-03-30 14:39:09 -07:00
Ville Vesilehto
4091e650fe
chore: bump mmark to v2.2.47 and fix portability ( #7989 )
2026-03-30 14:38:38 -07:00
rpb-ant
20626a7464
Add an atomic.Bool to singleflight prefetching ( #7963 )
...
Also updated plugin to document single-flighting
Signed-off-by: Ryan Brewster <rpb@anthropic.com >
2026-03-30 23:18:24 +03:00
Ville Vesilehto
0ba8e3c850
test(dnstap): fix flaky TestReconnect ( #7982 )
2026-03-29 17:03:08 -07:00
Ville Vesilehto
0e9a51410a
lint(revive): fix unreachable-code violation ( #7979 )
2026-03-29 17:02:39 -07:00
Ville Vesilehto
6720959b8b
lint(revive): fix unused-parameter violations ( #7980 )
2026-03-29 17:02:20 -07:00
Ville Vesilehto
6af8fd46fe
lint(revive): fix unnecessary-stmt violations ( #7978 )
2026-03-29 17:02:03 -07:00
Ville Vesilehto
867cd8fd6b
lint(revive): fix indent-error-flow violations ( #7977 )
2026-03-29 17:01:22 -07:00
Ville Vesilehto
7fd983b02c
lint(revive): fix context-as-argument violations ( #7976 )
2026-03-29 17:01:03 -07:00
Ville Vesilehto
61330515de
test(forward): restore defaultTimeout ( #7981 )
2026-03-29 17:00:30 -07:00
Ville Vesilehto
54b06d9a3b
lint(revive): fix early-return violations ( #7974 )
2026-03-29 16:59:22 -07:00
Ville Vesilehto
ff954b12b2
lint: enable revive linter ( #7973 )
2026-03-29 00:04:28 -07:00
Minghang Chen
34acf8353f
proxyproto: add UDP session tracking for Spectrum PPv2 ( #7967 )
2026-03-28 15:06:36 -07:00
Ingmar Van Glabbeek
12d9457e71
plugin/file: expand SVCB/HTTPS record support ( #7950 )
...
* plugin/file: expand SVCB/HTTPS record support
Add proper SVCB (type 64) and HTTPS (type 65) handling:
- Additional section processing: include A/AAAA glue for in-bailiwick
SVCB/HTTPS targets, matching existing SRV/MX behavior
- Target name normalization: lowercase SVCB/HTTPS Target on zone insert,
consistent with CNAME/MX handling
- Metrics: add TypeSVCB to monitored query types (TypeHTTPS was already
present)
- Test helpers: add SVCB()/HTTPS() constructors and Section comparison
cases
- Tests: basic queries with glue, AliasMode, wildcards, NoData, NXDOMAIN,
target normalization, and DNS-AID private-use key (65400-65408)
round-trip
Signed-off-by: Ingmar <ivanglabbeek@infoblox.com >
* plugin/file: simplify HTTPS target access via field promotion
dns.HTTPS embeds dns.SVCB, so .Target is directly accessible
without the redundant .SVCB. qualifier. Fixes gosimple S1027.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
Signed-off-by: Ingmar <ivanglabbeek@infoblox.com >
---------
Signed-off-by: Ingmar <ivanglabbeek@infoblox.com >
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-28 11:46:41 +02:00
Ilya Kulakov
a8caf4c375
plugin/tls: Add the keylog option to configure TLSConfig.KeyLogWriter ( #7537 )
...
* tls: Add the keylog option to configure TLSConfig.KeyLogWriter
Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com >
* tls: Close keylog file on instance shutdown.
Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com >
---------
Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com >
2026-03-27 21:10:13 +02:00
Seena Fallah
471d62926d
plugin/tsig: add require_opcode directive for opcode-based TSIG ( #7828 )
...
Extend the tsig plugin to require TSIG signatures based on DNS opcodes,
similar to the existing qtype-based requirement.
The new require_opcode directive accepts opcode names (QUERY, IQUERY,
STATUS, NOTIFY, UPDATE) or the special values "all" and "none".
This is useful for requiring TSIG on dynamic update (UPDATE) or zone
transfer notification (NOTIFY) requests while allowing unsigned queries.
Example:
```
tsig {
secret key. NoTCJU+DMqFWywaPyxSijrDEA/eC3nK0xi3AMEZuPVk=
require_opcode UPDATE NOTIFY
}
```
Signed-off-by: Seena Fallah <seenafallah@gmail.com >
2026-03-27 21:05:49 +02:00
