Releases: coredns/coredns

v1.11.3

01 May 12:01
a7ed346
v1.11.3 Pre-release

This release contains some new features, bug fixes, and package updates. Because of the deployment issues with the previous release, all changed features from 1.11.2 have been included in this release.
New features include:

  • When the forward plugin receives a malformed upstream response that overflows,
    it will now send an empty response to the client with the truncated (TC) bit set to prompt the client
    to retry over TCP.
  • The rewrite plugin can now rewrite response codes.
  • The dnstap plugin now supports adding metadata to the dnstap extra field.

Brought to You By

Amila Senadheera,
Ben Kochie,
Benjamin,
Chris O'Haver,
Grant Spence,
John Belamaric,
Keita Kitamura,
Marius Kimmina,
Michael Grosser,
Ondřej Benkovský,
P. Radha Krishna,
Rahil Bhimjiani,
Sri Harsha,
Tom Thorogood,
Willow (GHOST),
Yong Tang,
Yuheng,
Zhizhen He,
guangwu,
journey-c,
pschou,
Ted Ford

Noteworthy Changes

  • plugin/tls: respect the path specified by root plugin (#6138)
  • plugin/auto: warn when auto is unable to read elements of the directory tree (#6333)
  • plugin/etcd: the etcd client adds the DialKeepAliveTime parameter (#6351)
  • plugin/cache: key cache on Checking Disabled (CD) bit (#6354)
  • plugin/forward: Use the correct root domain name in the forward plugin's health checks (#6395)
  • plugin/forward: Handle UDP responses that overflow with TC bit (#6277)
  • plugin/rewrite: fix multi request concurrency issue in cname rewrite (#6407)
  • plugin/rewrite: add rcode as a rewrite option (#6204)
  • plugin/dnstap: add support for "extra" field in payload (#6226)
  • plugin/cache: fix keepttl parsing (#6250)
  • Return RcodeServerFailure when DNS64 has no next plugin (#6590)
  • Change the log flags to be a variable that can be set (#6546)
  • Bump go version to 1.21 (#6533)
  • replace the mutex locks in logging with atomic bool for the "on" flag (#6525)
  • Enable Prometheus native histograms (#6524)

v1.11.1

15 Aug 20:00
ae2bbc2

This release fixes a major performance regression introduced in 1.11.0 that affected DoT (TLS) forwarded connections.
It also adds a new option to dnstap to add metadata to the dnstap extra field, and fixes a config parsing bug in cache.

Brought to You By

Chris O'Haver,
P. Radha Krishna,
Yong Tang,
Yuheng,
Zhizhen He

Noteworthy Changes

  • Revert "plugin/forward: Continue waiting after receiving malformed responses (#6014)" (#6270)
  • plugin/dnstap: add support for "extra" field in payload (#6226)
  • plugin/cache: fix keepttl parsing (#6250)

v1.11.0

08 Aug 14:15
9f4aa9d

Release Highlights

  • Adds support for accepting DNS connections over QUIC (doq).
  • Adds CNAME target rewrites to the rewrite plugin.
  • Plus many bug fixes, and some security improvements.

This release introduces the following backward incompatible changes:

  • In the kubernetes plugin, we have dropped support for watching Endpoint and Endpointslice v1beta, since all supported K8s versions now use Endpointslice.
  • The bufsize plugin changed its default size limit value to 1232.
  • Some changes to forward plugin metrics.

Brought to You By

Amila Senadheera,
Antony Chazapis,
Ayato Tokubi,
Ben Kochie,
Catena cyber,
Chris O'Haver,
Dan Salmon,
Dan Wilson,
Denis MACHARD,
Diogenes Pelisson,
Eng Zer Jun,
Fish-pro,
Gabor Dozsa,
Gary McDonald,
João Henri,
Justin,
Lio李歐,
Marcos Mendez,
Marius Kimmina,
Ondřej Benkovský,
Pat Downey,
Petr Menšík,
Rotem Kfir,
Sebastian Dahlgren,
Vancl,
Vinayak Goyal,
W. Trevor King,
Yash Singh,
Yashpal,
Yong Tang,
Yuheng,
cui fliter,
jeremiejig,
junhwong,
rokkiter,
yyzxw

Other Noteworthy Changes

  • add support for RISC-V (#6195)
  • doh: allow http as the protocol (#5762)
  • doq: add DNS-Over-QUIC server support (#6182)
  • plugin/bufsize: change default value to 1232 (#6183)
  • plugin/clouddns: fix answers limited to one response (#5986)
  • plugin/dnssec: on delegation, sign DS or NSEC of no DS. (#5899)
  • plugin/dnstap: add tls support (#5917)
  • plugin/forward: continue waiting after receiving malformed responses (#6014)
  • plugin/forward: fix forward metrics for backwards compatibility (#6178)
  • plugin/health: poll localhost by default (#5934)
  • plugin/k8s_external: add fallthrough option (#5959)
  • plugin/kubernetes: expose client-go internal request metrics (#5991)
  • plugin/kubernetes: filter ExternalName service queries for subdomains of subdomains (#6162)
  • plugin/kubernetes: fix headless/endpoint query panics when endpoints are disabled (#6137)
  • plugin/kubernetes: fix ports panic (#6179)
  • plugin/kubernetes: remove Endpoint and EndpointSlice v1beta Support (#6147)
  • plugin/loadbalance: improve weights update (#5906)
  • plugin/rewrite: introduce cname target rewrite rule to rewrite plugin (#6004)
  • plugin/transfer: send notifies after adding zones all zones (#5774)
  • prevent fail counter of a proxy overflows (#5990)
  • prevent panics when using DoHWriter (#6120)
  • run coredns as non root. (#5969)
  • support unix socket for GRPC (#5943)

v1.10.1

06 Feb 18:30
055b2c3

This release fixes some bugs, and adds some new features including:

  • Corrected architecture labels in multi-arch image manifest
  • A new plugin timeouts that allows configuration of server listener timeout durations
  • acl can drop queries as an action
  • template supports creating responses with extended DNS errors
  • New weighted policy in loadbalance
  • Option to serve original record TTLs from cache

Brought to You By

Arthur Outhenin-Chalandre,
Ben Kaplan,
Chris O'Haver,
Gabor Dozsa,
Grant Spence,
Kumiko as a Service,
LAMRobinson,
Miciah Dashiel Butler Masters,
Ondřej Benkovský,
Rich,
Stephen Kitt,
Yash Singh,
Yong Tang,
rsclarke,
sanyo0714

Noteworthy Changes

  • plugin/timeouts - Allow ability to configure listening server timeouts (#5784)
  • plugin/acl: adding ability to drop queries (#5722)
  • plugin/template : add support for extended DNS errors (#5659)
  • plugin/kubernetes: error NXDOMAIN for TXT lookups (#5737)
  • plugin/kubernetes: dont match external services when endpoint is specified (#5734)
  • plugin/k8s_external: Fix rcode for headless services (#5657)
  • plugin/edns: remove truncating of question section on bad EDNS version (#5787)
  • plugin/dnstap: Fix behavior when multiple dnstap plugins specified (#5773)
  • plugin/cache: cache now uses source query DNSSEC option for upstream refresh (#5671)
  • Workaround for incorrect architecture (#5691)
  • plugin/loadbalance: Add weighted policy (#5662)
  • plugin/cache: Add keepttl option (#5879)
  • plugin/forward: Fix dnstap for forwarded request/response (#5890)

Full Changelog: v1.10.0...v1.10.1

v1.10.0

19 Sep 12:48
596a9f9

This release adds the new view plugin, enabling advanced server-block routing configurations such as split-DNS.

Brought to You By

Ben Kochie
Chris O'Haver
Erik Johansson
John Belamaric
Marius Kimmina
Ondřej Benkovský

Noteworthy Changes

  • plugin/view: Advanced routing interface and new 'view' plugin (#5538)
  • plugin/template: Add parseInt template function (#5609)

Full Changelog: v1.9.4...v1.10.0

v1.9.4

08 Sep 17:51
1f0a41a

This is a release with many new features. The most notable addition is a new plugin, tsig, for validating
TSIG requests and signing responses. In the header plugin, a selector of query or response (default) has been
added for applying the actions. This release also adds lots of enhancements and bug fixes.

Brought to You By

Abirdcfly
Alex
AndreasHuber-CH
Andy Lindeman
Chris Narkiewicz
Chris O'Haver
Christoph Heer
Daniel Jolly
Konstantin Demin
Marius Kimmina
Md Sahil
Ondřej Benkovský
Shane Xie
TomasKohout
Vancl
Yong Tang

Noteworthy Changes

  • core: add log listeners for k8s_event plugin (#5451)
  • core: log DoH HTTP server error logs in CoreDNS format (#5457)
  • core: warn when domain names are not in RFC1035 preferred syntax (#5414)
  • plugin/acl: add support for extended DNS errors (#5532)
  • plugin/bufsize: do not expand query UDP buffer size if already set to a smaller value (#5602)
  • plugin/cache: add cache disable option (#5540)
  • plugin/cache: add metadata for wildcard record responses (#5308)
  • plugin/cache: add option to adjust SERVFAIL response cache TTL (#5320)
  • plugin/cache: correct responses to Authenticated Data requests (#5191)
  • plugin/dnstap: add identity and version support for the dnstap plugin (#5555)
  • plugin/file: add metadata for wildcard record responses (#5308)
  • plugin/forward: enable multiple forward declarations (#5127)
  • plugin/forward: health_check needs to normalize a specified domain name (#5543)
  • plugin/forward: remove unused coredns_forward_sockets_open metric (#5431)
  • plugin/header: add support for query modification (#5556)
  • plugin/health: bypass proxy in self health check (#5401)
  • plugin/health: don't go lameduck when reloading (#5472)
  • plugin/k8s_external: add support for PTR requests (#5435)
  • plugin/k8s_external: resolve headless services (#5505)
  • plugin/kubernetes: make kubernetes client log in CoreDNS format (#5461)
  • plugin/ready: reset list of readiness plugins on startup (#5492)
  • plugin/rewrite: add PTR records to supported types (#5565)
  • plugin/rewrite: fix a crash in rewrite plugin when rule type is missing (#5459)
  • plugin/rewrite: fix out-of-index issue in rewrite plugin (#5462)
  • plugin/rewrite: support min and max TTL values (#5508)
  • plugin/trace : make zipkin HTTP reporter more configurable using Corefile (#5460)
  • plugin/trace: read trace context info from headers for DOH (#5439)
  • plugin/tsig: add new plugin TSIG for validating TSIG requests and signing responses (#4957)

Full Changelog: v1.9.3...v1.9.4

v1.9.3

27 May 15:44
45b0a11

This is a release with a focus on security (CVE-2022-27191 and CVE-2022-28948) fixes. Additionally,
several feature enhancements and bug fixes have been added.

Brought to You By

Chris O'Haver,
lobshunter,
Naveen,
Radim Hatlapatka,
RetoHaslerMGB,
Tintin,
Yong Tang

Noteworthy Changes

  • core: update gopkg.in/yaml.v3 to fix CVE-2022-28948 (#5408)
  • core: update golang.org/x/crypto to fix CVE-2022-27191 (#5407)
  • plugin/acl: adding a check to parse out zone info (#5387)
  • plugin/dnstap: support FQDN TCP endpoint (#5377)
  • plugin/errors: add stacktrace option to log a stacktrace during panic recovery (#5392)
  • plugin/template: return SERVFAIL for zone-match regex-no-match case (#5180)

Full Changelog: v1.9.2...v1.9.3

v1.9.2

10 May 15:52
092c144

This is a release with many added features, along with security and bug fixes. The most notable one is the
release of a 3rd party security audit from Trail of Bits. Security issues discovered by this audit
have all been fixed or covered.

Brought to You By

Antoine Tollenaere,
Balazs Nagy,
Chris O'Haver,
dilyevsky,
hansedong,
Lorenz Brun,
Marius Kimmina,
nathannaveen,
Ondřej Benkovský,
Patrick W. Healy,
Qasim Sarfraz,
xuweiwei,
Yong Tang

Noteworthy Changes

  • core: add Trail of Bits to list of 3rd party security auditors (#5356)
  • core: avoid usage of pseudo-random number (#5228)
  • plugin/bufsize: don't add OPT RR to non-EDNS0 queries (#5368)
  • plugin/cache: add refresh mode setting to serve_stale (#5131)
  • plugin/cache: fix cache poisoning exploit (#5174)
  • plugin/etcd: fix multi record TXT lookups (#5293)
  • plugin/forward: configurable domain support for healthcheck (#5281)
  • plugin/geoip: read source IP from EDNS0 subnet if provided (#5183)
  • plugin/health: rework overloaded goroutine to support graceful shutdown (#5244)
  • plugin/k8s_external: persist tc bit from lookup to client response (#4716)
  • plugin/k8s_external: set authoritative bit in responses (#5284)
  • plugin/kubernetes: fix k8s start up timeout ticker (#5361)
  • plugin/route53: deprecate plaintext secret in Corefile for route53 plugin (#5228)
  • plugin/route53: expand AWS config/credentials setup. (#5370)
  • plugin/template: fix rcode option documentation (#5328)

Full Changelog: v1.9.1...v1.9.2

v1.9.1

11 Mar 18:27
4b597f8

This is a release with security and bug fixes and some new features added. 1.9.1 is also built
with golang 1.17.8, which addressed several golang 1.17.6 vulnerabilities (CVE-2022-23772,
CVE-2022-23773, CVE-2022-23806).
Note that golang 1.17.6 was used to build coredns 1.9.0.

Brought to You By

Chris O'Haver,
Elijah Andrews,
Rudolf Schönecker,
Yong Tang,
nathannaveen,
xuweiwei

Noteworthy Changes

  • plugin/autopath: Don't panic on empty token (#5169)
  • plugin/cache: Add zones label to cache metrics (#5124)
  • plugin/file: Add TXT test case (#5079)
  • plugin/forward: Don't panic when from-zone cannot be normalized (#5170)
  • plugin/grpc: Fix healthy proxy error case (#5168)
  • plugin/grpc: Don't panic when from-zone cannot be normalized (#5171)
  • plugin/k8s_external: Implement zone transfers (#4977)
  • plugin/k8s_external: Fix external nsAddrs when CoreDNS Service has no External IPs (#4891)
  • plugin/kubernetes: Log api connection failures and server start delay (#5044)
  • plugin/log: Expand {combined} and {common} in log format (#5230)
  • plugin/metrics: Add metric counting DNS-over-HTTPS responses (#5130)
  • plugin/reload: Change hash from md5 to sha512 (#5226)
  • plugin/secondary: Fix startup transfer failure wrong zone logged (#5085)

Full Changelog: v1.9.0...v1.9.1

v1.9.0

09 Feb 19:30
ace3dcb

This is a release with bug fixes and some new features added. Starting with 1.9.0
the minimal required go version will be 1.17.
Wildcard queries are no longer supported by the kubernetes plugin.

Brought to You By

Chris O'Haver,
Ondřej Benkovský,
Tomas Hulata,
Yong Tang,
xuweiwei

Noteworthy Changes

  • plugin/kubernetes: remove wildcard query functionality (#5019)
  • Health-checks should respect force_tcp (#5109)
  • plugin/prometheus: Write rcode properly to the metrics (#5126)
  • plugin/template: Persist truncated state to client if CNAME lookup response is truncated (#4713)

Full Changelog: v1.8.7...v1.9.0