What's Changed
New Features
- Add `Cache.ForEachEntry()` and `Cache.ForEach()` for iterating cache entries (#452)
Bug Fixes
- DNSSEC: return SERVFAIL when a signed zone omits RRSIG records (#447)
- DNSSEC: correctly determine zone security for missing-signature responses by extracting `isZoneSecure()` and probing the actual delegation point instead of arbitrary internal names, per RFC 4034 §5 and RFC 4035 §5.3.3 (#450)
- middleware: skip typed-nil handlers in `Setup` so disabled middlewares (reflex, accesslist, kubernetes, hostsfile, blocklist, etc.) can no longer crash `ServeDNS` with a nil-pointer dereference on the first request (#455, fixes #453)
- Fix gosec G118 warning in API server shutdown goroutine
- Fix gosec G118 and G122 linter warnings
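The typed-nil handler fix listed above concerns a Go pitfall: an interface value that wraps a nil pointer does not compare equal to `nil`, so a plain `h == nil` check lets it into the chain. The sketch below is an added example, not the project's code; `Handler`, `Blocklist`, `NewBlocklist`, `isNilHandler` and this `Setup` are hypothetical names chosen for illustration.

```go
package main

import (
	"fmt"
	"reflect"
)

// Handler and Blocklist are hypothetical stand-ins, not the project's types.
type Handler interface{ ServeDNS(q string) string }
type Blocklist struct{ blocked map[string]bool }

// NewBlocklist returns a nil *Blocklist when the middleware is disabled.
func NewBlocklist(enabled bool) *Blocklist {
	if !enabled {
		return nil
	}
	return &Blocklist{blocked: map[string]bool{"ads.example.": true}} // constructed sample
}

func (b *Blocklist) ServeDNS(q string) string {
	if b.blocked[q] { // dereferences b: panics when b is a nil *Blocklist
		return "REFUSED"
	}
	return "NOERROR"
}

// isNilHandler is true for a nil interface and for an interface wrapping a nil pointer.
func isNilHandler(h Handler) bool {
	if h == nil {
		return true
	}
	v := reflect.ValueOf(h)
	return v.Kind() == reflect.Ptr && v.IsNil()
}

// Setup builds the chain and drops handlers that would panic on first use.
func Setup(candidates ...Handler) []Handler {
	var chain []Handler
	for _, h := range candidates {
		if !isNilHandler(h) {
			chain = append(chain, h)
		}
	}
	return chain
}

func main() {
	var h Handler = NewBlocklist(false) // typed nil: interface is non-nil, pointer is nil
	fmt.Println(h == nil, isNilHandler(h), len(Setup(h, NewBlocklist(true))))
}
```
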
CI / Infrastructure
- Consolidate GitHub Actions workflows from 8 to 5 (`ci.yml`, `docker.yml`, `codeql.yml`, `release.yml`, `claude.yml`)
- Migrate Docker publish from the retired `docker.pkg.github.com` to `ghcr.io`; a single buildx invocation now pushes multi-arch images to both Docker Hub and GHCR
- Pin GoReleaser CLI to `~> v2` and bump `goreleaser-action` to v7.1.0 for stable releases
- All workflows now track `go-version: stable`, declare least-privilege `permissions:`, and use `concurrency` groups
- Fix gosec linter failures for golangci-lint v2 compatibility
Testing
- Add fuzz tests for cache, config, blocklist, hostsfile, resolver, doh, and util packages
Dependencies
- Bump `github.com/miekg/dns` from 1.1.68 to 1.1.72
- Bump `github.com/quic-go/quic-go` from 0.57.1 to 0.59.0
- Bump `k8s.io/{api,apimachinery,client-go}` from 0.34.2 to 0.35.4
- Bump `github.com/BurntSushi/toml` from 1.5.0 to 1.6.0
- Bump `github.com/spf13/cobra` from 1.10.1 to 1.10.2
- Bump `golang.org/x/net` from 0.47.0 to 0.53.0
- Bump `golang.org/x/crypto` from 0.45.0 to 0.50.0
- Other dependency updates
New Contributors
- @linkdata made their first contribution in #452
- @MaciejTe made their first contribution in #447
- @SAY-5 made their first contribution in #455
Full Changelog: v1.6.1...v1.6.2