github maxfield-allison/dnsweaver v1.4.5

5 hours ago

Security

  • Bumped Go toolchain to 1.25.10 (CI image, Dockerfile, go directive) to
    pick up stdlib fixes for GO-2026-4971
    and the net/http portion of
    GO-2026-4918.
  • Bumped golang.org/x/net to v0.53.0 for the module portion of
    GO-2026-4918.
  • Bumped go.opentelemetry.io/otel to v1.41.0 to address
    CVE-2026-29181 (HIGH):
    multi-value baggage header extraction caused excessive allocations,
    enabling a remote DoS amplification. Pulled in transitively via the Docker
    client SDK; no dnsweaver code changes required.

Fixed

  • Multiple instances fighting over the same record (race condition). When
    more than one provider instance matched the same hostname — typically because
    DNSWEAVER_{NAME}_ENTRYPOINTS filters did not disambiguate them (a hostname
    missing the filtered metadata key is treated as a wildcard) — every matching
    instance wrote the record on every reconciliation. Each provider's cached
    view of the zone was stale relative to the others' writes, so the apparent
    owner alternated each cycle and the record's target flapped between targets.
    ensureRecord now respects first-match-wins per the documented contract:
    only the first instance in DNSWEAVER_INSTANCES declaration order writes,
    and a WARN is logged when overlap is detected so users can narrow scopes
    with DNSWEAVER_{NAME}_ENTRYPOINTS (or other metadata filters). Closes
    upstream #86.
    Thanks to @Dampfwalze for the reproducer
    and detailed log analysis.
  • Reconciler: stopped re-issuing ownership TXT creates every cycle. Once a
    hostname's _dnsweaver.<host> TXT record existed, dnsweaver still POSTed a
    duplicate-create on every reconciliation. dnsweaver swallowed the resulting
    conflict, but upstream DNS servers logged each one as an error — Technitium
    in particular wrote a full DnsWebServiceException: Cannot add record: record
    already exists stack trace per managed hostname per cycle.
    ensureOwnershipRecord now consults the per-cycle record cache and
    short-circuits when it already shows our ownership TXT, eliminating the
    redundant API call across all providers. Closes upstream #87. Thanks to
    @Dampfwalze for the report and Technitium log evidence.
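
The first-match-wins rule from the first Fixed item, sketched in Go as an added example (not dnsweaver's own code). The Instance type, the selectWriter function and the "entrypoint" metadata key are assumptions made for illustration.

```go
package main

import "log"

// Instance is a hypothetical model of one provider instance, not dnsweaver's type.
type Instance struct {
	Name        string
	Entrypoints map[string]bool // allowed values; empty means no filter configured
}

// matches treats a hostname missing the filtered metadata key as a wildcard, as
// the release note describes. The key name "entrypoint" is an assumption.
func (i Instance) matches(meta map[string]string) bool {
	ep, ok := meta["entrypoint"]
	if len(i.Entrypoints) == 0 || !ok {
		return true // no filter, or key absent: this instance matches
	}
	return i.Entrypoints[ep]
}

// selectWriter returns the first matching instance in declaration order (the
// only one allowed to write) and the later matches, which must not write.
func selectWriter(declared []Instance, meta map[string]string) (writer string, skipped []string) {
	for _, inst := range declared {
		switch {
		case !inst.matches(meta): // filtered out: not a candidate
		case writer == "":
			writer = inst.Name
		default:
			skipped = append(skipped, inst.Name)
		}
	}
	return writer, skipped
}

func main() {
	// Constructed sample: two instances in declaration order, then two hostnames,
	// one carrying the metadata key and one missing it.
	declared := []Instance{
		{"internal", map[string]bool{"web": true}},
		{"external", map[string]bool{"websecure": true}},
	}
	for _, meta := range []map[string]string{{"entrypoint": "websecure"}, {}} {
		w, skipped := selectWriter(declared, meta)
		log.Printf("writer=%s", w)
		if len(skipped) > 0 {
			log.Printf("WARN overlap: %v also matched; narrow ENTRYPOINTS", skipped)
		}
	}
}
```

The second constructed hostname has no metadata key, so both instances match it; only the first declared instance writes and the overlap is reported instead of both writing each cycle.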

Docker Images

docker pull ghcr.io/maxfield-allison/dnsweaver:v1.4.5
docker pull docker.io/maxamill/dnsweaver:v1.4.5
