Patch release rolling up TLS permission diagnostics, RFC 2136 TTL hardening, a Go
toolchain and dependency bump for CVE coverage, docs/SEO polish, and the
sync-workflow tag idempotency fix. No new features and no breaking changes.
## Changed

- TLS file permission errors now name the runtime uid/gid. The container
  drops privileges to the unprivileged `dnsweaver` user (uid/gid `1000`) via
  `su-exec`, so a CA bundle, client certificate, or private key mounted
  `root:root 0600` fails with `permission denied` even when the container is
  started as root. The error message now reports the uid/gid the process
  actually runs as and points at the fix, so operators no longer burn time
  thinking "but I AM root."
  (#90, #98)
- Go toolchain pinned to 1.26.4 (from 1.25.11).
  `k8s.io/{apimachinery, client-go}` 0.36 requires Go 1.26; pinning the patch
  release pulls in the standard-library fixes for 13 CVEs present in 1.26.0
  (`crypto/x509`, `crypto/tls`, `net/http`, `net/url`, `os`, `mime`,
  `net/textproto`), keeping `govulncheck` green.
  (#109)
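The diagnostic described in the TLS bullet above, reconstructed as an added example (this is illustration code, not dnsweaver's own implementation; `canRead`, `permHint` and `openSecret` are hypothetical names). `canRead` is a deliberately simplified Unix permission model (owner/group/other read bits only, no root bypass, ACLs or supplementary groups), which is exactly enough to show why `root:root 0600` is unreadable once `su-exec` has dropped the process to `1000:1000`; `openSecret` does the real thing on a file and reports the runtime uid/gid alongside the owner and mode. The owner lookup through `syscall.Stat_t` is Unix-only.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"syscall"
)

// canRead is a simplified Unix read-permission check (owner, group, other read
// bits only; it ignores root's DAC bypass, ACLs and supplementary groups). It is
// enough to explain why root:root 0600 is unreadable once the process has
// dropped to uid/gid 1000: the owner class does not match, so only the
// "other" read bit counts, and 0600 has none.
func canRead(ownerUID, ownerGID uint32, mode fs.FileMode, uid, gid uint32) bool {
	perm := mode.Perm()
	switch {
	case uid == ownerUID:
		return perm&0o400 != 0
	case gid == ownerGID:
		return perm&0o040 != 0
	default:
		return perm&0o004 != 0
	}
}

// permHint builds the operator-facing message: who owns the file, what mode it
// has, what identity the process actually runs as, and two ways to fix it.
func permHint(path string, ownerUID, ownerGID uint32, mode fs.FileMode, uid, gid uint32) string {
	return fmt.Sprintf(
		"%s is owned by %d:%d with mode %#o but the process runs as uid=%d gid=%d; "+
			"either chown %d:%d %s, or chgrp %d %s && chmod 0640 %s",
		path, ownerUID, ownerGID, mode.Perm(), uid, gid, uid, gid, path, gid, path, path)
}

// openSecret opens a CA bundle, client cert or key and, on a permission error,
// wraps it with the runtime uid/gid plus the file's owner and mode. Hypothetical
// helper for this example; the owner lookup via syscall.Stat_t is Unix-only.
func openSecret(path string) (*os.File, error) {
	f, err := os.Open(path)
	if err == nil {
		return f, nil
	}
	if !errors.Is(err, fs.ErrPermission) {
		return nil, err
	}
	uid, gid := uint32(os.Getuid()), uint32(os.Getgid())
	// Stat needs only search permission on the directory, so it normally
	// succeeds even when Open did not.
	fi, statErr := os.Stat(path)
	if statErr != nil {
		return nil, fmt.Errorf("%w (process runs as uid=%d gid=%d)", err, uid, gid)
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return nil, fmt.Errorf("%w (process runs as uid=%d gid=%d)", err, uid, gid)
	}
	return nil, fmt.Errorf("%w: %s", err, permHint(path, st.Uid, st.Gid, fi.Mode(), uid, gid))
}

func main() {
	// Usage: go run . /certs/ca.pem /certs/client.key
	for _, p := range os.Args[1:] {
		f, err := openSecret(p)
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			continue
		}
		f.Close()
		fmt.Println("readable:", p)
	}
}
```

Run it as the unprivileged user against a `root:root 0600` key and the error names both identities, which is the whole point: the `root` that started the container is not the `1000` that reads the file.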
## Fixed

- RFC 2136 record TTL conversion is now clamped on both bounds.
  `record.TTL` is a platform `int` that can exceed `uint32` or be negative;
  the existing conversion clamped the upper bound only, so a negative TTL
  would wrap to a large `uint32`. TTLs are now clamped through an explicit
  `clampTTL` helper (`v < 0 → 0`, `v > MaxUint32 → MaxUint32`) that CodeQL
  recognizes as a bounds check, closing the
  `go/incorrect-integer-conversion` alert without relying on Go's `min`/`max`
  builtins.
  (#108, #110)
- GitHub→GitLab tag sync no longer creates spurious "tag differs" pipelines.
  The sync workflow now compares peeled commit SHAs when checking whether an
  existing tag matches, so annotated tags (which point at a tag object, not a
  commit) are treated as equivalent to their commit-pointing counterparts.
  (#97)
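The TTL wrap described in the first Fixed bullet, shown as an added example (illustration only, not dnsweaver's `clampTTL`; the names `unclampedTTL` and `ttlDelta` are hypothetical). `unclampedTTL` reproduces the bare conversion so the failure mode is visible next to the saturating version; the large sample values assume a 64-bit `int`.

```go
package main

import (
	"fmt"
	"math"
)

// unclampedTTL reproduces the pre-fix conversion: a bare uint32() of a
// platform int. Go keeps the low 32 bits, so -1 becomes 4294967295 (about
// 136 years) and 1<<32 + 300 silently becomes 300. Kept only to show the
// failure mode; never use this on untrusted input.
func unclampedTTL(v int) uint32 {
	return uint32(v)
}

// clampTTL saturates on both bounds before converting. The comparisons are
// written out (no min/max builtins) so a static analyser sees the guards
// dominate the conversion. int64(v) keeps the upper comparison compiling on
// 32-bit platforms, where math.MaxUint32 does not fit in int.
func clampTTL(v int) uint32 {
	if v < 0 {
		return 0
	}
	if int64(v) > math.MaxUint32 {
		return math.MaxUint32
	}
	return uint32(v)
}

// ttlDelta reports what the wire TTL would have been before the fix and what
// it is now, so the difference is visible side by side.
func ttlDelta(v int) (before, after uint32) {
	return unclampedTTL(v), clampTTL(v)
}

func main() {
	// Constructed sample TTLs; the last two assume a 64-bit int.
	for _, ttl := range []int{300, -1, -300, math.MaxUint32, math.MaxUint32 + 300} {
		before, after := ttlDelta(ttl)
		fmt.Printf("record.TTL=%d  unclamped=%d  clamped=%d\n", ttl, before, after)
	}
}
```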
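The peeled-SHA comparison from the second Fixed bullet, as an added example that is not the sync workflow's own code. It assumes the workflow has `git ls-remote --tags` output from each side (that command prints `<sha><TAB>refs/tags/X`, and for an annotated tag a second line `refs/tags/X^{}` carrying the peeled commit); `peeledTags` and `diffTags` are hypothetical names, and the SHAs and tag lines are constructed for the example, not captured from dnsweaver's repositories.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// peeledTags parses `git ls-remote --tags <remote>` output into a map of
// tag name -> commit SHA. For an annotated tag ls-remote prints both
// "refs/tags/X" (the tag object) and "refs/tags/X^{}" (the peeled commit);
// the peeled line wins, so an annotated tag and a lightweight tag at the
// same commit compare equal. Handles either line order.
func peeledTags(lsRemote string) map[string]string {
	tags := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(lsRemote))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || !strings.HasPrefix(fields[1], "refs/tags/") {
			continue
		}
		sha, ref := fields[0], strings.TrimPrefix(fields[1], "refs/tags/")
		if name, peeled := strings.CutSuffix(ref, "^{}"); peeled {
			tags[name] = sha // peeled commit always overrides the tag-object SHA
			continue
		}
		if _, seen := tags[ref]; !seen {
			tags[ref] = sha // lightweight tag, or annotated tag whose ^{} line has not arrived yet
		}
	}
	return tags
}

// diffTags returns the tags present on both sides at different commits, and
// the tags the mirror lacks. Only the first group should trigger a
// "tag differs" pipeline; a mismatch on tag-object SHAs alone must not.
func diffTags(src, mirror map[string]string) (differ, missing []string) {
	for name, sha := range src {
		mirrorSHA, ok := mirror[name]
		switch {
		case !ok:
			missing = append(missing, name)
		case mirrorSHA != sha:
			differ = append(differ, name)
		}
	}
	sort.Strings(differ)
	sort.Strings(missing)
	return differ, missing
}

// Constructed sample output (not captured from real repositories): GitHub
// holds v2.2.0 as an annotated tag, GitLab holds it as a lightweight tag at
// the same commit, and GitLab has not yet received v2.2.1.
var githubTags = strings.Join([]string{
	"7a3b1c9d0e2f4a5b6c7d8e9f0a1b2c3d4e5f6a7b\trefs/tags/v2.2.0",    // tag object
	"1f2e3d4c5b6a79880706f5e4d3c2b1a09f8e7d6c\trefs/tags/v2.2.0^{}", // peeled commit
	"9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d\trefs/tags/v2.2.1",    // lightweight
}, "\n")

var gitlabTags = "1f2e3d4c5b6a79880706f5e4d3c2b1a09f8e7d6c\trefs/tags/v2.2.0\n"

func main() {
	differ, missing := diffTags(peeledTags(githubTags), peeledTags(gitlabTags))
	fmt.Println("differ:", differ)   // empty: annotated vs lightweight at the same commit
	fmt.Println("missing:", missing) // [v2.2.1]
}
```

Comparing the first column of the un-peeled `refs/tags/v2.2.0` lines would have flagged `v2.2.0` as differing on every run, which is the spurious pipeline the fix removes.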
## Dependencies

- Bumped the `go-dependencies` group:
  `golang.org/x/crypto` 0.52.0 → 0.53.0, `k8s.io/apimachinery` and
  `k8s.io/client-go` 0.35.2 → 0.36.2.
  (#109)
- Bumped GitHub Actions to current majors:
  `actions/setup-go` 5 → 6 (#101),
  `actions/configure-pages` 4 → 6 (#102),
  `github/codeql-action` 3 → 4 (#103),
  `actions/setup-python` 5 → 6 (#104),
  `actions/checkout` 4 → 7 (#105),
  `actions/upload-pages-artifact` 3 → 5 (#111),
  `actions/deploy-pages` 4 → 5 (#112).
## Documentation

- Added a TLS Certificate File Permissions section to the environment
  reference (chown / group-readable / Docker secrets recipes), linked from the
  README TLS section and every provider's mTLS example (Technitium, AdGuard,
  Cloudflare, Pi-hole, Webhook) plus the Proxmox source.
  (#90)
- Discoverability & SEO pass: added a "Why dnsweaver?" positioning section
  and a Star History chart to the README, published a Docker Hub overview
  (`docker/DOCKERHUB.md`) with a CI job that pushes it to Docker Hub's
  `full_description` on release, and added SEO meta descriptions to provider,
  source, deployment, and getting-started pages (coverage went from 10/46 to
  every high-intent page).
  (#107)
## Repository

- Community-health scaffolding:
  `CODE_OF_CONDUCT.md`, issue and PR templates,
  Dependabot config for Go / GitHub Actions / Docker, CodeQL analysis workflow,
  and a CI status badge in the README.
  (#100)
## CI

- GitLab CI runner image and Dockerfile builder image bumped to
  `golang:1.26.4-alpine` to match the `go.mod` toolchain pin from #109. The
  initial `v2.2.1` tag pipeline failed with
  `go.mod requires go >= 1.26.4 (running go 1.25.11)`; this bumps both build
  surfaces in lock-step.
## Docker Images

```sh
docker pull ghcr.io/maxfield-allison/dnsweaver:v2.2.1
docker pull docker.io/maxamill/dnsweaver:v2.2.1
```