This release contains no runtime behavior changes. It is a breaking release
solely because the Go module path changed, which requires a major version bump
under Semantic Versioning. It also re-architects the project's collaboration and
release workflow.
Changed
- BREAKING: module path is now
github.com/maxfield-allison/dnsweaver
(previously a private GitLab path). Public consumers can nowgo getthe
module by its declared path, andpkg.go.devcan resolve it. Anyone importing
the previous path must update their imports. No runtime behavior changed.
Infrastructure
- GitHub is now the source of truth and collaboration surface. Issues, pull
requests, code review, and releases live on GitHub; the project follows GitHub
Flow withmainas the always-releasable trunk. External contributions are
now possible — the previous GitLab→GitHub force-push mirror that clobbered
merges has been removed. - Free PR validation on GitHub Actions (
lint,test -race,build,
govulncheck) runs on every pull request. - GitLab remains the release engine, building multi-arch images
(GHCR + Docker Hub) and publishing GitHub Releases on version tags.mainand
tags are synced one-way GitHub→GitLab. - Removed the dead
advanced-git-syncintegration.
Added
- SSH remote management for the dnsmasq provider is now functional
(GitHub #91,
GitLab #186). SSH mode was documented and config-validated since v0.7.0 but
the transport was never wired into the provider, so every reload ran inside
the dnsweaver container instead of on the remote host (producing errors such
asexec: "supervisorctl": executable file not found in $PATH). The provider
now uses the sharedpkg/sshutilpackage: SFTP writes the managed config file
on the remote host and SSH exec runsRELOAD_COMMANDthere. No shared volumes
or local mounts are required. - SSH host key verification via
known_hosts(GitLab #153). Two new
per-instance variables for the dnsmasq provider:DNSWEAVER_{NAME}_SSH_KNOWN_HOSTS_FILE— path to an OpenSSHknown_hosts
file used to verify the remote host key. Supports the_FILEsuffix for
Docker secrets.DNSWEAVER_{NAME}_SSH_STRICT_HOST_KEY_CHECKING—true(default) or
false. When enabled, aknown_hostsfile is required and a changed or
unknown host key fails the connection fast with a clear error.
Host-key verification lives inpkg/sshutil, so it is reusable by any future
SSH-based provider.
Closerinterface inpkg/provider. Providers that hold long-lived
connections (such as the dnsmasq SSH transport) are now closed cleanly when
the registry shuts down.
Changed
- SSH host key verification is enabled by default for the dnsmasq provider
(SSH_STRICT_HOST_KEY_CHECKING=true). Because SSH mode never actually
connected before this release, there is no practical behavior change for
existing deployments. Operators who want the previous unverified behavior can
setSSH_STRICT_HOST_KEY_CHECKING=false(insecure; a warning is logged on
every connection). - SSH-configured dnsmasq instances now fail fast at startup if the remote
host is unreachable or the host key cannot be verified, instead of silently
falling back to local execution.
Fixed
- dnsmasq reload commands configured for SSH mode now execute on the remote host
via SSH exec rather than inside the dnsweaver container
(GitHub #91).
Security
- Go toolchain updated from 1.25.10 to 1.25.11, resolving three standard
library advisories surfaced bygovulncheck:GO-2026-5037(crypto/x509),
GO-2026-5038(mime), andGO-2026-5039(net/textproto). go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttpupdated
from v1.39.0 to v1.43.0 (transitive via the Docker SDK), resolving
CVE-2026-39882.
Docker Images
docker pull ghcr.io/maxfield-allison/dnsweaver:v2.0.0
docker pull docker.io/maxamill/dnsweaver:v2.0.0