This release improves transport security and operational flexibility, with
enhancements for DoH3 and DoQ, improved DNSSEC signing behavior, and support for
the loong64 architecture. It also adds configurable cache verification, hostname
resolution for forward targets, incoming connection support for dnstap, fallthrough
support in the secondary plugin, automatic zone reloads, and improved forwarding
behavior for NODATA responses.

Brought to You By

Cedric Wang
Charlie Tonneslan
Dmytro Alieksieiev
Endre Szabo
Immanuel Tikhonov
Isolus
James R T
JUN YANG
Jöran Malek
Nicholas Amorim
Syed Azeez
Umut Polat
Ville Vesilehto
weiguozhang
Yong Tang
徐晓伟

Noteworthy Changes

• core: Add loong64 arch support (#8137)
• core: Bound HTTP/3 request header size for DoH3 (#8135)
• core: Expose TLS ConnectionState (SNI) for DoQ (#8129)
• core: Remove duplicate cipher suites (#8118)
• core: Use http.LocalAddrContextKey for DoH local address (#8149)
• plgin/kubernetes: Remove debug fmt.Println from multicluster zone validation (#8131)
• plugin/any: Reject invalid any and local config (#8133)
• plugin/azure: Apply access mode to every zone in the same block (#8110)
• plugin/cache: Add optional verify timeout to serve_stale (#8070)
• plugin/cache: Allow cache TTLs above default 3600s (#8134)
• plugin/cache: Prefer positive cache over SERVFAIL in ncache (#8003)
• plugin/chaos: Reject unknown chaos block options (#8121)
• plugin/dnssec: Sign each RRset with the zone that owns its name, not the query zone (#8138)
• plugin/dnstap: Feature: Added incoming connection support (#8086)
• plugin/file: Canonicalize escape form in owner names (#8109)
• plugin/file: Trigger reload of zones based on mtime (#8085)
• plugin/forward: Add hostname resolution support for TO endpoints (#5646) (#7923)
• plugin/forward: Forward NODATA responses to Next handler (#8065)
• plugin/health: Use descriptive error for unknown block options in health and log plugins (#8128)
• plugin/ready: Reject unknown ready plugin properties (#8119)
• plugin/proxyproto: Prevent nil pointer dereference when dropping malformed PROXY packets (#8154)
• plugin/secondary: Add fallthrough support (#8041)
• plugin/trace: Reject unknown trace and dnstap block options (#8120)

This release introduces Windows service support, along with full TSIG verification
across DoH, DoH3, QUIC, and gRPC transports, and improved TSIG propagation and DoH
request validation. It also adds optional TLS for the metrics endpoint. Performance
and stability are improved through cache prefetching, QUIC optimizations, and a new
max_age option in the forward plugin. Additional updates include enhanced SVCB/HTTPS
support, improved zone transfer behavior, and various DNSSEC, PROXY protocol, and
concurrency fixes. The release is built with Go 1.26.2, which includes security
fixes addressing CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, CVE-2026-27144,
CVE-2026-27143, CVE-2026-32288, CVE-2026-32283, and CVE-2026-27140, and also includes
fixes for CVE-2026-32936, CVE-2026-33190, CVE-2026-33489, CVE-2026-32934, and CVE-2026-35579.

Brought to You By

andreyrusanov-ec
cangming
Cedric Wang
Ilya Kulakov
Ingmar Van Glabbeek
John-Michael Mulesa
JUN YANG
liucongran
Minghang Chen
Peppi-Lotta
rpb-ant
Seena Fallah
Syed Azeez
Umut Polat
Ville Vesilehto
Yong Tang

Noteworthy Changes

• core: Add full TSIG verification in DoH transport (#8013)
• core: Add full TSIG verification in DoH3 transport (#8044)
• core: Add full TSIG verification in QUIC transport (ttps://github.com//pull/8007)
• core: Add full TSIG verification in gRPC transport (#8006)
• core: Add support for running CoreDNS as a Windows service (#7962)
• core: Avoid spawning waiter goroutines when QUIC worker pool is full (#7927)
• core: Preserve TSIG status in gRPC transport (#7943)
• core: Propagate TSIG secrets to DoT server (#7928)
• core: Propagate TSIG status in DoQ transport (#7947)
• core: Reject oversized GET dns query parameter of DoH (#7926)
• core: Use per-connection local address for PROXY protocol (#8005)
• plugin/auto: Resolve symlinked directory before walk (#8032)
• plugin/cache: Add an atomic.Bool to singleflight prefetching (#7963)
• plugin/cache: Prefetch without holding a client connection (#7944)
• plugin/dnssec: Add defensive nil checks (#7997)
• plugin/dnssec: Avoid caching empty signing results (#7996)
• plugin/dnssec: Return nil from ParseKeyFile on error (#8000)
• plugin/dnssec: Return nil sigs on sign error (#7999)
• plugin/dnsserver: Allow view server blocks in any declaration order (#8001)
• plugin/file: Expand SVCB/HTTPS record support (#7950)
• plugin/file: Fix data race in xfr.go (#8039)
• plugin/file: Introduce snapshot()/setData() accessors for zone data (#8040)
• plugin/file: Protect Zone.Expired with mutex (#7940)
• plugin/forward: Add max_age option to enforce an absolute connection lifetime (#7903)
• plugin/kubernetes: Record cluster_ip services in dns_programming_duration metric (#7951)
• plugin/kubernetes: Sanitize non-UTF-8 host in metrics (#7998)
• plugin/metrics: Add optional TLS support to /metrics endpoint (#7255)
• plugin/metrics: Allow selectively exporting all Go runtime metrics (#7990)
• plugin/ready: fix Reset list of readiness plugins (#8035)
• plugin/secondary: Send NOTIFY messages after zone transfer (#7901)
• plugin/tls: Add the keylog option to configure TLSConfig.KeyLogWriter (#7537)
• plugin/tls: Use temp dir for keylog test path (#8010)
• plugin/transfer: Batch AXFR records by message size instead of count (#8002)
• plugin/transfer: Fix case-sensitive zone handling for AXFR/IXFR (#7899)
• plugin/transfter: Fix longestMatch to select the most specific zone correctly (#7949)
• plugin/tsig: Add require_opcode directive for opcode-based TSIG (#7828)
• proxyproto: Add UDP session tracking for Cloudflare Spectrum PPv2 (#7967)

This release adds the new proxyproto plugin to support Proxy Protocol and preserve
client IPs behind load balancers. It also includes enhancements such as improved DNS
logging metadata and stronger randomness for loop detection (CVE-2026-26018), along
with several bug fixes including TLS+IPv6 forwarding, improved CNAME handling and
rewriting, allowing jitter disabling, prevention of an ACL bypass (CVE-2026-26017),
and a Kubernetes plugin crash fix. In addition, the release updates the build to
Go 1.26.1, which include security fixes addressing CVE-2026-27137, CVE-2026-27138, CVE-2026-27139,
CVE-2026-25679, and CVE-2026-27142.

Brought to You By

Adphi
Henrik Gerdes
hide
Kelly Kane
Shiv Tyagi
vflaux
Ville Vesilehto
yangsenzk
Yong Tang
YOUNEVSKY

Noteworthy Changes

• core: Reorder rewrite before acl to prevent bypass (#7882)
• plugin/file: Return SOA and NS records when queried for a record CNAMEd to origin (#7808)
• plugin/forward: Fix parsing error when handling TLS+IPv6 address (#7848)
• plugin/log: Add metadata for response Type and Class to Log (#7806)
• plugin/loop: Use crypto/rand for query name generation (#7881)
• plugin/kubernetes: Fix panic on empty ListenHosts (#7857)
• plugin/proxyproto: Add proxy protocol support (#7738)
• plugin/reload: Allow disabling jitter with 0s (#7896)
• plugin/rewrite: Fix cname target rewrite for CNAME chains (#7853)

This release primarily addresses security vulnerabilities affecting Go versions prior to
Go 1.25.6 and Go 1.24.12 (CVE-2025-61728, CVE-2025-61726, CVE-2025-68121, CVE-2025-61731,
CVE-2025-68119). It also includes performance improvements to the proxy plugin via
multiplexed connections, along with various documentation updates.

Brought to You By

Alex Massy
Shiv Tyagi
Ville Vesilehto
Yong Tang

Noteworthy Changes

• plugin/proxy: Use mutex-based connection pool (#7790)

This release focuses on security hardening and operational reliability. Core updates
introduce a regex length limit to reduce resource-exhaustion risk. Plugin updates
improve error consolidation (show_first), reduce misleading SOA warnings, add
Kubernetes API rate limiting, enhance metrics with plugin chain tracking, and fix
issues in azure and sign. This release also includes additional security fixes;
see the security advisory for details.

Brought to You By

cangming
pasteley
Raisa Kabir
Ross Golder
rusttech
Syed Azeez
Ville Vesilehto
Yong Tang

Noteworthy Changes

• core: Fix gosec G115 integer overflow warnings (#7799)
• core: Add regex length limit (#7802)
• plugin/azure: Fix slice init length (#6901)
• plugin/errors: Add optional show_first flag to consolidate directive (#7703)
• plugin/file: Fix for misleading SOA parser warnings (#7774)
• plugin/kubernetes: Rate limits to api server (#7771)
• plugin/metrics: Implement plugin chain tracking (#7791)
• plugin/sign: Report parser err before missing SOA (#7775)

This release adds initial support for DoH3 and includes several core performance and stability
fixes, including reduced allocations, a resolved data race in uniq, and safer QUIC listener
initialization. Plugin updates improve forwarder reliability, extend GeoIP schema support,
and fix issues in secondary, nomad, and kubernetes. Cache and file plugins also receive
targeted performance tuning.

Deprecations: The GeoIP plugin currently returns 0 for missing latitude/longitude, even though
0,0 is a real location. In the next release, this behavior will change: missing coordinates
will return an empty string instead. This avoids conflating “missing” with a real coordinate.
Users relying on 0 as a sentinel value should update their logic before this change takes effect.
See PR #7732 for reference.

Brought to You By

Alicia Y
Andrey Smirnov
Brennan Kinney
Charlie Vieth
Endre Szabo
Eric Case
Filippo125
Nico Berlee
Olli Janatuinen
Rick Fletcher
Timur Solodovnikov
Tomas Boros
Ville Vesilehto
cangming
rpb-ant
wencyu
wenxuan70
Yong Tang
zhetaicheleba

Noteworthy Changes

• core: Add basic support for DoH3 (#7677)
• core: Avoid proxy unnecessary alloc in Yield (#7708)
• core: Fix usage of sync.Pool to save an alloc (#7701)
• core: Fix data race with sync.RWMutex for uniq (#7707)
• core: Prevent QUIC reload panic by lazily initializing the listener (#7680)
• core: Refactor/use reflect.TypeFor (#7696)
• plugin/auto: Limit regex length (#7737)
• plugin/cache: Remove superfluous allocations in item.toMsg (#7700)
• plugin/cache: Isolate metadata in prefetch goroutine (#7631)
• plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil packages (#7678)
• plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy (#7619)
• plugin/file: Performance finetuning (#7658)
• plugin/forward: Disallow NOERROR in failover (#7622)
• plugin/forward: Added support for per-nameserver TLS SNI (#7633)
• plugin/forward: Prevent busy loop on connection err (#7704)
• plugin/forward: Add max connect attempts knob (#7722)
• plugin/geoip: Add ASN schema support (#7730)
• plugin/geoip: Add support for subdivisions (#7728)
• plugin/kubernetes: Fix kubernetes plugin logging (#7727)
• plugin/multisocket: Cap num sockets to prevent OOM (#7615)
• plugin/nomad: Support service filtering (#7724)
• plugin/rewrite: Pre-compile CNAME rewrite regexp (#7697)
• plugin/secondary: Fix reload causing secondary plugin goroutine to leak (#7694)

This release updates CoreDNS to Go 1.25.2 and golang.org/x/net v0.45.0 to address multiple
high-severity CVEs. It also improves core performance by avoiding string concatenation in
loops, and hardens the sign plugin by rejecting invalid UTF-8 tokens in dbfile.

Brought to You By

Catena cyber
Ville Vesilehto
Yong Tang

Noteworthy Changes

• core: Avoid string concatenation in loops (#7572)
• core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes (#7598)
• plugin/sign: Reject invalid UTF‑8 dbfile token (#7589)

This release introduces a new Nomad plugin for integrating CoreDNS with HashiCorp Nomad.
It also fixes major Corefile issues on infinite loops and import cycles, improves shutdown
handling, normalizes core panics, addresses data races in the file plugin, enforces gRPC size
limits, adjusts forward failover behavior, as well as prevents reload deadlocks.

Brought to You By

Fitz_dev
Ilya Kulakov
Olli Janatuinen
Ville Vesilehto
Yong Tang

Noteworthy Changes

• core: Export timeout values in dnsserver.Server (#7497)
• core: Fix Corefile infinite loop on unclosed braces (#7571)
• core: Fix Corefile related import cycle issue (#7567)
• core: Normalize panics on invalid origins (#7563)
• core: Rely on dns.Server.ShutdownContext to gracefully stop (#7517)
• plugin/dnstap: Add bounds for plugin args (#7557)
• plugin/file: Fix data race in tree Elem.Name (#7574)
• plugin/forward: No failover to next upstream when receiving SERVFAIL or REFUSED response codes (#7458)
• plugin/grpc: Enforce DNS message size limits (#7490)
• plugin/loop: Prevent panic when ListenHosts is empty (#7565)
• plugin/loop: Avoid panic on invalid server block (#7568)
• plugin/nomad: Add a Nomad plugin (#7467)
• plugin/reload: Prevent SIGTERM/reload deadlock (#7562)

This release improves stability and security, fixing context propagation in DoH, label offset handling
in the file plugin, and connection leaks in gRPC and transfer. It also adds support for the prefer option
in loadbalance, introduces timeouts to the metrics server, and fixes several security vulnerabilities
(see details in related security advisories).

Brought to You By

Archy
Ilya Kulakov
Olli Janatuinen
Qasim Sarfraz
Syed Azeez
Ville Vesilehto
wencyu
Yong Tang

Noteworthy Changes

• core: Improve caddy.GracefulServer conformance checks (#7416)
• core: Propagate HTTP request context in DoH (#7491)
• plugin/file: Fix label offset problem in ClosestEncloser (#7465)
• plugin/grpc: Check proxy list length in policies (#7512)
• plugin/grpc: Fix span leak and deadline on error attempt (#7487)
• plugin/header: Remove deprecated syntax (#7436)
• plugin/loadbalance: Support prefer option (#7433)
• plugin/metrics: Add timeouts to metrics HTTP server (#7469)
• plugin/trace: Migrate dd-trace-go v1 to v2 (#7466)
• plugin/transfer: Fix goroutine leak on axfr err (#7516)

This release improves plugin reliability and standards compliance, adding startup timeout to the Kubernetes
plugin, fallthrough to gRPC, and EDNS0 unset to rewrite. The file plugin now preserves SRV record case per
RFC 6763, route53 is updated to AWS SDK v2, and multiple race conditions in cache and connection handling in
forward are fixed.

Brought to You By

blakebarnett
Brennan Kinney
Cameron Steel
Dave Brown
Dennis Simmons
Guillaume Jacquet
harshith-2411-2002
houpo-bob
Oleg Guba
Sebastian Mayr
Stephen Kitt
Syed Azeez
Ville Vesilehto
Yong Tang
Yoofi Quansah

Noteworthy Changes

• plugin/auto: Return REFUSED when no next plugin is available (#7381)
• plugin/cache: Create a copy of a response to ensure original msg is never modified (#7357)
• plugin/cache: Fix data race when refreshing cached messages (#7398)
• plugin/cache: Fix data race when updating the TTL of cached messages (#7397)
• plugin/file: Return REFUSED when no next plugin is available (#7381)
• plugin/file: Preserve case in SRV record names and targets per RFC 6763 (#7402)
• plugin/forward: Handle cached connection closure in forward plugin (#7427)
• plugin/grpc: Add support for fallthrough to the grpc plugin (#7359)
• plugin/kubernetes: Add startup_timeout for kubernetes plugin (#7068)
• plugin/kubernetes: Properly create hostname from IPv6 (#7431)
• plugin/rewrite: Add EDNS0 unset action (#7380)
• plugin/route53: Port to AWS Go SDK v2 (#6588)
• plugin/test: Fix TXT record comparison logic for multi-string vs multi-record scenarios (#7413)