What's Changed
Critical Bug Fixes
- Fixed NSEC validation for non-existent TLDs (e.g., random TLD queries)
- Fixed NXDOMAIN responses being incorrectly returned as NOERROR from cache
- Fixed goroutine leak in DNS resolver's singleflight operations
- Raised the SERVFAIL cache TTL from 5 seconds to 30 seconds, so a failing or unreachable upstream is not re-queried every few seconds
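As an added illustration of the logic behind the first item above, and not code taken from sdns, the following Go program shows the RFC 4034 canonical name ordering and the RFC 4035 §5.4 NSEC coverage test, including the wrap-around case at the end of a zone. A query for a made-up TLD that sorts after the last real TLD can only be proven non-existent by the root zone's last NSEC, whose Next Domain Name field points back at the apex, so a coverage check that handles only the ordinary `owner < qname < next` interval fails for exactly that kind of query. Names are assumed to be fully qualified and free of `\DDD` escapes; the NSEC records in `main` are constructed, not real root zone data. Only the interval test is shown: a full proof also inspects the type bitmap (an NSEC carrying NS but not SOA sits at a delegation and says nothing about names below the cut) and shows that no wildcard matches.

```go
package main

import (
	"fmt"
	"strings"
)

// labels returns the labels of a fully qualified name, lower-cased and
// ordered from the root outward: "www.Example.com." -> ["com" "example" "www"].
// The root name "." yields no labels. Assumption for this example: names
// carry no \DDD or \. escape sequences.
func labels(name string) []string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return nil
	}
	parts := strings.Split(name, ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// canonicalCompare orders two names as RFC 4034 §6.1 requires: compare label
// by label starting at the most significant (rightmost) label, each label as
// a case-insensitive octet string; when one name runs out of labels it sorts
// first, so a parent always precedes its children.
func canonicalCompare(a, b string) int {
	la, lb := labels(a), labels(b)
	for i := 0; i < len(la) && i < len(lb); i++ {
		if c := strings.Compare(la[i], lb[i]); c != 0 {
			return c
		}
	}
	switch {
	case len(la) < len(lb):
		return -1
	case len(la) > len(lb):
		return 1
	}
	return 0
}

// nsecCovers reports whether an NSEC record with the given owner and Next
// Domain Name proves that qname does not exist (RFC 4035 §5.4): qname must
// sort strictly between owner and next. The last NSEC in a zone is special:
// its next field points back to the apex (RFC 4034 §4.1.1), or to its own
// owner in a zone that contains only the apex, so next sorts at or before
// owner. That record covers every in-zone name that sorts after its owner.
func nsecCovers(owner, next, qname string) bool {
	afterOwner := canonicalCompare(owner, qname) < 0
	beforeNext := canonicalCompare(qname, next) < 0
	if canonicalCompare(owner, next) < 0 {
		return afterOwner && beforeNext // ordinary interval (owner, next)
	}
	return afterOwner || beforeNext // wrap-around: last NSEC of the zone
}

func main() {
	// Constructed NSEC records shaped like root-zone records; they are not
	// real root zone data.
	checks := []struct{ owner, next, qname string }{
		{"ra.", "rb.", "randomtld."},             // covered: ra. < randomtld. < rb.
		{"ra.", "rb.", "rc."},                    // not covered: sorts after rb.
		{"zw.", ".", "zzz."},                     // covered by the wrap-around NSEC
		{"zw.", ".", "aaa."},                     // not covered: sorts before zw.
		{"example.", "example.", "www.example."}, // zone holding only its apex
	}
	for _, c := range checks {
		fmt.Printf("NSEC %s -> %s covers %q: %v\n",
			c.owner, c.next, c.qname, nsecCovers(c.owner, c.next, c.qname))
	}
}
```

The ordering rule matters more than it looks: plain string comparison would put `a.example.` before `example.`, and a coverage check built on it accepts or rejects the wrong NSEC.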
DNSSEC Improvements
- Implemented RFC 8914 Extended DNS Errors (EDE) support for better diagnostics
- Fixed RRSIG expiration handling in cache TTL calculations
- Improved NSEC/NSEC3 validation for better RFC compliance
- Fixed AD flag handling for authenticated responses
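The NXDOMAIN-from-cache, SERVFAIL TTL and RRSIG-expiration items above all come down to what a resolver stores in a cache entry and how long it keeps it. The following Go program is an added example of those rules and is not sdns's code: a positive TTL is the lowest RR TTL capped by the time left until the earliest RRSIG expires (RFC 4035 §4.5), an already-expired signature is rejected outright, a negative answer is cached for min(SOA TTL, SOA MINIMUM) per RFC 2308 §5, a SERVFAIL is remembered for the 30 seconds the notes describe, and the response code travels with the entry so a cached NXDOMAIN is replayed as NXDOMAIN. The cache key format and the 30-second constant are assumptions for the example; the inputs in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// DNS RCODEs (RFC 1035 §4.1.1).
const (
	RcodeNoError  = 0
	RcodeServFail = 2
	RcodeNXDomain = 3
)

// servfailTTL is the policy the release notes describe: remember a SERVFAIL
// for 30 seconds so a failing upstream is not re-queried on every lookup.
const servfailTTL = 30 * time.Second

// errExpiredSignature marks an answer whose RRSIG has already expired. Such
// data is bogus and must be neither cached nor served.
var errExpiredSignature = errors.New("rrsig already expired")

// positiveTTL returns how long a validated answer may be cached: the lowest
// RR TTL in the answer, capped by the time remaining until the earliest
// RRSIG expiration (RFC 4035 §4.5).
func positiveTTL(now time.Time, rrTTLs []uint32, sigExpirations []time.Time) (time.Duration, error) {
	if len(rrTTLs) == 0 {
		return 0, errors.New("answer has no RRs")
	}
	ttl := time.Duration(rrTTLs[0]) * time.Second
	for _, t := range rrTTLs[1:] {
		if d := time.Duration(t) * time.Second; d < ttl {
			ttl = d
		}
	}
	for _, exp := range sigExpirations {
		remaining := exp.Sub(now)
		if remaining <= 0 {
			return 0, errExpiredSignature
		}
		if remaining < ttl {
			ttl = remaining
		}
	}
	return ttl, nil
}

// negativeTTL applies RFC 2308 §5 to an NXDOMAIN or NODATA answer: cache it
// for the lesser of the authority SOA's TTL and its MINIMUM field.
func negativeTTL(soaTTL, soaMinimum uint32) time.Duration {
	if soaMinimum < soaTTL {
		soaTTL = soaMinimum
	}
	return time.Duration(soaTTL) * time.Second
}

// entry keeps the response code next to the expiry. Carrying rcode explicitly
// is what lets a cached NXDOMAIN come back out as NXDOMAIN instead of the
// NOERROR default of a freshly built reply.
type entry struct {
	rcode   int
	expires time.Time
}

type cache struct {
	mu sync.Mutex
	m  map[string]entry
}

func newCache() *cache { return &cache{m: make(map[string]entry)} }

func (c *cache) put(key string, rcode int, now time.Time, ttl time.Duration) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.m[key] = entry{rcode: rcode, expires: now.Add(ttl)}
}

// get returns the cached rcode and the remaining TTL in whole seconds, as it
// would go on the wire, or ok=false once the entry is absent or expired.
func (c *cache) get(key string, now time.Time) (rcode int, ttl uint32, ok bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, found := c.m[key]
	if !found || !now.Before(e.expires) {
		delete(c.m, key)
		return RcodeNoError, 0, false
	}
	return e.rcode, uint32(e.expires.Sub(now) / time.Second), true
}

func main() {
	now := time.Now()
	// Constructed inputs: an RRset with TTLs 3600 and 300 whose RRSIG expires
	// in two minutes, an NXDOMAIN with SOA TTL 86400 / MINIMUM 3600, a SERVFAIL.
	ttl, err := positiveTTL(now, []uint32{3600, 300}, []time.Time{now.Add(2 * time.Minute)})
	fmt.Println("positive TTL:", ttl, err)
	c := newCache()
	c.put("nope.example./A", RcodeNXDomain, now, negativeTTL(86400, 3600))
	c.put("broken.example./A", RcodeServFail, now, servfailTTL)
	for _, key := range []string{"nope.example./A", "broken.example./A"} {
		rc, left, ok := c.get(key, now.Add(10*time.Second))
		fmt.Printf("%s: rcode=%d ttl=%d cached=%v\n", key, rc, left, ok)
	}
}
```

Note that the signature cap applies to the negative case too: a signed NXDOMAIN's NSEC/SOA RRSIGs bound its cache lifetime the same way, so a real resolver runs the negative TTL through the same expiration check.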
Performance Improvements
- Zero-allocation cache key generation using sync.Pool (~25% faster)
- Zero-allocation logging with migration to zlog v1.2.3
- Optimized NSEC coverage checks for better performance
Other Changes
- Migrated from log to zlog v1.2.3 for better performance
- Improved error messages with typed errors
- Better handling of single-name zones and edge cases
- Updated various dependencies for security and performance
What's Fixed
This release primarily addresses critical bugs discovered after v1.5.0, with a focus on DNSSEC validation correctness and cache correctness and performance. The longer SERVFAIL cache TTL sharply reduces the number of repeated queries sent to unreachable or failing authoritative servers.
Docker
docker pull ghcr.io/semihalev/sdns:v1.5.1
Checksums
Checksums will be automatically added by the release workflow.
Full Changelog: v1.5.0...v1.5.1