v1.7.1
A security and hardening patch.
Security
- DNSSEC: validate RSA keys whose public exponent exceeds Go's
crypto/rsaceiling (2³¹-1) — restores DNSSEC validation for zones anchored on such keys, including the entire.lv(Latvia) TLD andmailbox.org. (#495) - Dependencies: pinned the build toolchain to go1.26.4, clearing 5 reachable standard-library CVEs (
govulncheckclean); the snap build was on the long-stale Go 1.23.4. - Cache: full-question verification on every cache hit — defends against xxhash key collisions being used to poison the cache.
- DNS Cookies: generate a full-entropy (128-bit) server secret (the previous value was space-padded).
Fixes
- Resolver: the circuit-breaker failure map could grow unbounded; idle entries are now evicted regardless of failure count.
- Server: malformed queries (QDCOUNT ≠ 1) now return FORMERR instead of triggering a panic/recover cycle.
- Blocklist: the whitelist now matches across the domain hierarchy on both the lookup and add paths (a parent whitelist exempts subdomains).
- Config:
--configpath handling fixed for Windows.
Build / CI / Docs
- CI: coverage upload no longer fails the build on a Codecov outage or missing token.
- Rewrote the package documentation (
doc.go) to match the current architecture. - Routine dependency and CI-action bumps.
Security policy
SECURITY.md now supports the 1.7.x line and directs vulnerability reports to GitHub's private reporting.
Full changelog: v1.7.0...v1.7.1