Skip to content

v1.7.1

Choose a tag to compare

@semihalev semihalev released this 24 Jun 20:04
5f51345

A security and hardening patch.

Security

  • DNSSEC: validate RSA keys whose public exponent exceeds Go's crypto/rsa ceiling (2³¹-1) — restores DNSSEC validation for zones anchored on such keys, including the entire .lv (Latvia) TLD and mailbox.org. (#495)
  • Dependencies: pinned the build toolchain to go1.26.4, clearing 5 reachable standard-library CVEs (govulncheck clean); the snap build was on the long-stale Go 1.23.4.
  • Cache: full-question verification on every cache hit — defends against xxhash key collisions being used to poison the cache.
  • DNS Cookies: generate a full-entropy (128-bit) server secret (the previous value was space-padded).

Fixes

  • Resolver: the circuit-breaker failure map could grow unbounded; idle entries are now evicted regardless of failure count.
  • Server: malformed queries (QDCOUNT ≠ 1) now return FORMERR instead of triggering a panic/recover cycle.
  • Blocklist: the whitelist now matches across the domain hierarchy on both the lookup and add paths (a parent whitelist exempts subdomains).
  • Config: --config path handling fixed for Windows.

Build / CI / Docs

  • CI: coverage upload no longer fails the build on a Codecov outage or missing token.
  • Rewrote the package documentation (doc.go) to match the current architecture.
  • Routine dependency and CI-action bumps.

Security policy

SECURITY.md now supports the 1.7.x line and directs vulnerability reports to GitHub's private reporting.

Full changelog: v1.7.0...v1.7.1