From 0e2d29cb35333859be1feb622416b84d07079504 Mon Sep 17 00:00:00 2001
From: Simon Sigre
Date: Thu, 10 Oct 2024 08:31:56 +0000
Subject: [PATCH] Resolves https://github.com/coredns/coredns.io/issues/313

---
 content/blog/coredns-1.11.2.md | 53 ++++++++++++++++++++++
 content/blog/coredns-1.11.3.md | 59 ++++++++++++++++++++++++
 content/plugins/autopath.md | 4 +-
 content/plugins/bind.md | 4 +-
 content/plugins/dnstap.md | 12 +++--
 content/plugins/forward.md | 19 +++++++-
 content/plugins/kubernetes.md | 8 ++--
 content/plugins/rewrite.md | 83 +++++++++++++++++++++++++++++++++-
 content/plugins/root.md | 34 ++++++++++++--
 content/plugins/tls.md | 6 +--
 content/plugins/view.md | 10 ++--
 11 files changed, 266 insertions(+), 26 deletions(-)
 create mode 100644 content/blog/coredns-1.11.2.md
 create mode 100644 content/blog/coredns-1.11.3.md

diff --git a/content/blog/coredns-1.11.2.md b/content/blog/coredns-1.11.2.md
new file mode 100644
index 00000000..66ebff63
--- /dev/null
+++ b/content/blog/coredns-1.11.2.md
@@ -0,0 +1,53 @@
++++
+title = "CoreDNS-1.11.2 Release"
+description = "CoreDNS-1.11.2 Release Notes."
+tags = ["Release", "1.11.2", "Notes"]
+release = "1.11.2"
+date = "2024-01-26T00:00:00+00:00"
+author = "coredns"
++++
+
+This release contains some new features, bug fixes, and package updates.
+New features include:
+* When the _forward_ plugin receives a malformed upstream response that overflows,
+ it will now send an empty response to the client with the truncated (TC) bit set to prompt the client
+ to retry over TCP.
+* The _rewrite_ plugin can now rewrite response codes.
+* The _dnstap_ plugin now supports adding metadata to the dnstap `extra` field.
+
+## Brought to You By
+
+Amila Senadheera,
+Ben Kochie,
+Benjamin,
+Chris O'Haver,
+Grant Spence,
+John Belamaric,
+Keita Kitamura,
+Marius Kimmina,
+Michael Grosser,
+Ondřej Benkovský,
+P. Radha Krishna,
+Rahil Bhimjiani,
+Sri Harsha,
+Tom Thorogood,
+Willow (GHOST),
+Yong Tang,
+Yuheng,
+Zhizhen He,
+guangwu,
+journey-c,
+pschou
+
+## Noteworthy Changes
+
+* plugin/tls: respect the path specified by root plugin (https://github.com/coredns/coredns/pull/6138)
+* plugin/auto: warn when auto is unable to read elements of the directory tree (https://github.com/coredns/coredns/pull/6333)
+* plugin/etcd: the etcd client adds the DialKeepAliveTime parameter (https://github.com/coredns/coredns/pull/6351)
+* plugin/cache: key cache on Checking Disabled (CD) bit (https://github.com/coredns/coredns/pull/6354)
+* plugin/forward: Use the correct root domain name in the forward plugin's health checks (https://github.com/coredns/coredns/pull/6395)
+* plugin/forward: Handle UDP responses that overflow with TC bit (https://github.com/coredns/coredns/pull/6277)
+* plugin/rewrite: fix multi request concurrency issue in cname rewrite (https://github.com/coredns/coredns/pull/6407)
+* plugin/rewrite: add rcode as a rewrite option (https://github.com/coredns/coredns/pull/6204)
+* plugin/dnstap: add support for "extra" field in payload (https://github.com/coredns/coredns/pull/6226)
+* plugin/cache: fix keepttl parsing (https://github.com/coredns/coredns/pull/6250)
diff --git a/content/blog/coredns-1.11.3.md b/content/blog/coredns-1.11.3.md
new file mode 100644
index 00000000..3ccf6c3e
--- /dev/null
+++ b/content/blog/coredns-1.11.3.md
@@ -0,0 +1,59 @@
++++
+title = "CoreDNS-1.11.3 Release"
+description = "CoreDNS-1.11.3 Release Notes."
+tags = ["Release", "1.11.3", "Notes"]
+release = "1.11.3"
+date = "2024-04-24T16:57:00-04:00
+author = "coredns"
++++
+
+This release contains some new features, bug fixes, and package updates. Because of the deployment issues with the previous release, all changed features from 1.11.2 have been included in this release.
+New features include:
+* When the _forward_ plugin receives a malformed upstream response that overflows,
+ it will now send an empty response to the client with the truncated (TC) bit set to prompt the client
+ to retry over TCP.
+* The _rewrite_ plugin can now rewrite response codes.
+* The _dnstap_ plugin now supports adding metadata to the dnstap `extra` field.
+
+## Brought to You By
+
+Amila Senadheera,
+Ben Kochie,
+Benjamin,
+Chris O'Haver,
+Grant Spence,
+John Belamaric,
+Keita Kitamura,
+Marius Kimmina,
+Michael Grosser,
+Ondřej Benkovský,
+P. Radha Krishna,
+Rahil Bhimjiani,
+Sri Harsha,
+Tom Thorogood,
+Willow (GHOST),
+Yong Tang,
+Yuheng,
+Zhizhen He,
+guangwu,
+journey-c,
+pschou
+Ted Ford
+
+## Noteworthy Changes
+
+* plugin/tls: respect the path specified by root plugin (https://github.com/coredns/coredns/pull/6138)
+* plugin/auto: warn when auto is unable to read elements of the directory tree (https://github.com/coredns/coredns/pull/6333)
+* plugin/etcd: the etcd client adds the DialKeepAliveTime parameter (https://github.com/coredns/coredns/pull/6351)
+* plugin/cache: key cache on Checking Disabled (CD) bit (https://github.com/coredns/coredns/pull/6354)
+* plugin/forward: Use the correct root domain name in the forward plugin's health checks (https://github.com/coredns/coredns/pull/6395)
+* plugin/forward: Handle UDP responses that overflow with TC bit (https://github.com/coredns/coredns/pull/6277)
+* plugin/rewrite: fix multi request concurrency issue in cname rewrite (https://github.com/coredns/coredns/pull/6407)
+* plugin/rewrite: add rcode as a rewrite option (https://github.com/coredns/coredns/pull/6204)
+* plugin/dnstap: add support for "extra" field in payload (https://github.com/coredns/coredns/pull/6226)
+* plugin/cache: fix keepttl parsing (https://github.com/coredns/coredns/pull/6250)
+* Return RcodeServerFailure when DNS64 has no next plugin (https://github.com/coredns/coredns/pull/6590)
+* Change the log flags to be a variable that can be set (https://github.com/coredns/coredns/pull/6546)
+* Bump go version to 1.21 (https://github.com/coredns/coredns/pull/6533)
+* replace the mutex locks in logging with atomic bool for the "on" flag (https://github.com/coredns/coredns/pull/6525)
+* Enable Prometheus native histograms (https://github.com/coredns/coredns/pull/6524)
diff --git a/content/plugins/autopath.md b/content/plugins/autopath.md
index b1bd20c5..9e8f8e07 100644
--- a/content/plugins/autopath.md
+++ b/content/plugins/autopath.md
@@ -4,7 +4,7 @@ description = "*autopath* allows for server-side search path completion."
 weight = 4
 tags = ["plugin", "autopath"]
 categories = ["plugin"]
-date = "2020-10-16T12:42:25.87725810"
+date = "2024-10-10T08:30:45.87745810"
 +++
 
 ## Description
@@ -60,7 +60,7 @@ path) in the following case. To properly build the search path of a client *auto
 the namespace of the a Pod making a DNS request. To do this, it relies on the *kubernetes* plugin's
 Pod cache to resolve the client's IP address to a Pod. The Pod cache is maintained by an API watch on
 Pods. When Pod IP assignments change, the Kubernetes API notifies CoreDNS via the API watch.
-However, that notification is not instantaneous. In the case that a Pod is deleted, and it's IP is
+However, that notification is not instantaneous. In the case that a Pod is deleted, and its IP is
 immediately provisioned to a Pod in another namespace, and that new Pod make a DNS lookup *before*
 the API watch can notify CoreDNS of the change, *autopath* will resolve the IP to the previous Pod's
 namespace.
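Review bot: The `date` value in the new 1.11.3 front matter is missing its closing quote, `+date = "2024-04-24T16:57:00-04:00`, so the TOML block between the `+++` fences is malformed and the site generator should reject or mis-parse this post; it needs to read `date = "2024-04-24T16:57:00-04:00"`. The same hunk appends `+Ted Ford` directly after `+pschou` without the trailing comma every other entry in the contributor list carries, so the two names will run together on one rendered line; write `pschou,` on the preceding line. The 1.11.2 post in the previous hunk quotes its date correctly, so this looks like a copy-edit slip rather than an intentional format change.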
diff --git a/content/plugins/bind.md b/content/plugins/bind.md
index d6000f32..c69a7ce5 100644
--- a/content/plugins/bind.md
+++ b/content/plugins/bind.md
@@ -4,7 +4,7 @@ description = "*bind* overrides the host to which the server should bind."
 weight = 6
 tags = ["plugin", "bind"]
 categories = ["plugin"]
-date = "2023-08-15T20:06:20.8772088"
+date = "2024-10-10T08:30:45.87745810"
 +++
 
 ## Description
@@ -16,7 +16,7 @@ If several addresses are provided, a listener will be open on each of the IP pro
 
 Each address has to be an IP or name of one of the interfaces of the host. Bind by interface name, binds to the IPs on that interface at the time of startup or reload (reload will happen with a SIGHUP or if the config file changes).
 
-If the given argument is an interface name, and that interface has several IP addresses, CoreDNS will listen on all of the interface IP addresses (including IPv4 and IPv6), except for IPv6 link-local addresses on that interface.
+If the given argument is an interface name, and that interface has several IP addresses, CoreDNS will listen on all of the interface IP addresses (including IPv4 and IPv6).
 
 ## Syntax
 
diff --git a/content/plugins/dnstap.md b/content/plugins/dnstap.md
index d529f41a..2b8aaf1a 100644
--- a/content/plugins/dnstap.md
+++ b/content/plugins/dnstap.md
@@ -4,7 +4,7 @@ description = "*dnstap* enables logging to dnstap."
 weight = 15
 tags = ["plugin", "dnstap"]
 categories = ["plugin"]
-date = "2023-08-15T20:06:20.8772088"
+date = "2024-10-10T08:30:45.87745810"
 +++
 
 ## Description
@@ -18,7 +18,7 @@ Every message is sent to the socket as soon as it comes in, the *dnstap* plugin
 ## Syntax
 
 ~~~ txt
-dnstap SOCKET [full] {
+dnstap SOCKET [full] [writebuffer] [queue] {
 [identity IDENTITY]
 [version VERSION]
 [extra EXTRA]
@@ -41,6 +41,12 @@ Log information about client requests and responses to */tmp/dnstap.sock*.
 dnstap /tmp/dnstap.sock
 ~~~
 
+Log information about client requests and responses and tcp write buffer is 1024*Mb and queue is 2048*10000.
+
+~~~ txt
+dnstap /tmp/dnstap.sock full 1024 2048
+~~~
+
 Log information including the wire-format DNS message about client requests and responses to */tmp/dnstap.sock*.
 
 ~~~ txt
@@ -98,7 +104,7 @@ dnstap tcp://example.com:6000
 ## Command Line Tool
 
 Dnstap has a command line tool that can be used to inspect the logging. The tool can be found
-at Github: . It's written in Go.
+at GitHub: . It's written in Go.
 
 The following command listens on the given socket and decodes messages to stdout.
 
diff --git a/content/plugins/forward.md b/content/plugins/forward.md
index 77ca0b54..9c29c634 100644
--- a/content/plugins/forward.md
+++ b/content/plugins/forward.md
@@ -4,7 +4,7 @@ description = "*forward* facilitates proxying DNS messages to upstream resolvers
 weight = 20
 tags = ["plugin", "forward"]
 categories = ["plugin"]
-date = "2023-08-15T20:06:20.8772088"
+date = "2024-10-10T08:30:45.87745810"
 +++
 
 ## Description
@@ -98,6 +99,7 @@ forward FROM TO... { response does not count as a health failure. When choosing a value for **MAX**, pick a number at least greater than the expected *upstream query rate* * *latency* of the upstream servers. As an upper bound for **MAX**, consider that each concurrent query will use about 2kb of memory. +* `next` If the `RCODE` (i.e. `NXDOMAIN`) is returned by the remote then execute the next plugin. If no next plugin is defined, or the next plugin is not a `forward` plugin, this setting is ignored Also note the TLS config is "global" for the whole forwarding proxy if you need a different `tls_servername` for different upstreams you're out of luck. @@ -271,6 +273,21 @@ Or when you have multiple DoT upstreams with different `tls_servername`s, you ca } ~~~ +The following would try 1.2.3.4 first. If the response is `NXDOMAIN`, try 5.6.7.8. If the response from 5.6.7.8 is `NXDOMAIN`, try 9.0.1.2. + +~~~ corefile +. { + forward . 1.2.3.4 { + next NXDOMAIN + } + forward . 5.6.7.8 { + next NXDOMAIN + } + forward . 9.0.1.2 { + } +} +~~~ + ## See Also [RFC 7858](https://tools.ietf.org/html/rfc7858) for DNS over TLS. diff --git a/content/plugins/kubernetes.md b/content/plugins/kubernetes.md index b039009e..2f819f4a 100644 --- a/content/plugins/kubernetes.md +++ b/content/plugins/kubernetes.md @@ -4,7 +4,7 @@ description = "*kubernetes* enables reading zone data from a Kubernetes cluster. weight = 28 tags = ["plugin", "kubernetes"] categories = ["plugin"] -date = "2023-08-15T20:06:20.8772088" +date = "2024-10-10T08:30:45.87745810" +++ ## Description @@ -210,9 +210,11 @@ plugin is also enabled: * `kubernetes/service`: the service name in the query * `kubernetes/client-namespace`: the client pod's namespace (see requirements below) * `kubernetes/client-pod-name`: the client pod's name (see requirements below) + * `kubernetes/client-label/