CHANGELOG.markdown


1.15.0 (2024-10-01)

This is a major release with many improvements:

  1. New CLOUDFLARE_* variables: Cloudflare is transitioning its tools to use the new prefix CLOUDFLARE_*. Therefore, the updater now accepts CLOUDFLARE_API_TOKEN and CLOUDFLARE_API_TOKEN_FILE. The old CF_API_TOKEN and CF_API_TOKEN_FILE will still be fully supported until 2.0.0, then deprecated (but still supported) until 3.0.0.
  2. Improved custom IP providers: The updater now forces IPv4 or IPv6 when connecting to custom IP providers url:<URL>. This solves a long-standing issue where custom providers couldn't be used on dual-stack machines supporting both IPv4 and IPv6. This enforcement ensures predictable IPv4/IPv6 detection on such machines.
  3. Stricter IP validation: The updater now rejects unusual IP addresses for updating DNS records, such as link-local addresses or IPv4-mapped IPv6 addresses for AAAA records. These addresses are unsuitable and may cause trouble.
  4. Experimental support of using a network interface’s IP address (not finalized until 1.16.0): Experimental support lets you use the address assigned to a specific network interface, bypassing the routing table used by the local provider. The syntax for this feature is under development and will not be finalized until 1.16.0. Please refer to README and join the discussion on GitHub issue #713 if you are interested.
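The check described in item 3, as an added example in Go (not the updater's own code). The function name `checkRecordIP`, the unmapping of IPv4-mapped addresses for A records, and the rejection of zoned, unspecified, loopback and multicast addresses are assumptions; the changelog itself names only link-local and IPv4-mapped addresses.

```go
package main

import (
	"fmt"
	"net/netip"
)

// checkRecordIP decides whether raw may be written into a DNS record of type
// "A" or "AAAA". Hypothetical helper, not the updater's API; the rejected
// classes beyond those the changelog names are assumptions.
func checkRecordIP(recordType, raw string) (netip.Addr, error) {
	ip, err := netip.ParseAddr(raw)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("%q is not an IP address: %w", raw, err)
	}
	if ip.Zone() != "" {
		return netip.Addr{}, fmt.Errorf("%s has a zone and is only meaningful locally", ip)
	}
	switch recordType {
	case "A":
		// An IPv4-mapped form still denotes an IPv4 host, so unmap it for A records.
		if ip = ip.Unmap(); !ip.Is4() {
			return netip.Addr{}, fmt.Errorf("%s is not IPv4, unusable in an A record", ip)
		}
	case "AAAA":
		// ::ffff:a.b.c.d parses as IPv6 but names an IPv4 host.
		if ip.Is4In6() || !ip.Is6() {
			return netip.Addr{}, fmt.Errorf("%s is not a native IPv6 address, unusable in an AAAA record", ip)
		}
	default:
		return netip.Addr{}, fmt.Errorf("unsupported record type %q", recordType)
	}
	// Addresses that are never reachable from the public Internet.
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return netip.Addr{}, fmt.Errorf("%s is unspecified, loopback, link-local or multicast", ip)
	}
	return ip, nil
}

func main() {
	// Constructed inputs from documentation and special-purpose ranges.
	samples := [][2]string{{"A", "::ffff:203.0.113.7"}, {"AAAA", "::ffff:203.0.113.7"},
		{"A", "169.254.10.1"}, {"AAAA", "fe80::1"}, {"AAAA", "2001:db8::1"}}
	for _, s := range samples {
		ip, err := checkRecordIP(s[0], s[1])
		fmt.Println(s[0], s[1], "->", ip, err)
	}
}
```

The same textual address `::ffff:203.0.113.7` is accepted (as `203.0.113.7`) for an A record and rejected for an AAAA record, which is the dual-stack case the stricter validation targets.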

As a reminder, since 1.13.0, the updater no longer drops superuser privileges and PUID and PGID are ignored. Please use Docker’s built-in mechanism to drop privileges. The old Docker Compose template may grant unneeded privileges to the new updater, which is not recommended. Please review the new, simpler, and more secure template in README. In a nutshell, remove the cap_add attribute and replace the environment variables PUID and PGID with the user: "UID:GID" attribute. Similar options may exist for systems not using Docker Compose.

Bug Fixes

  • ipnet: reject IPv4-mapped IPv6 addresses for updating IPv6 records (#936) (be5b3a7)
  • ipnet: tighten the checking of IP addresses (#942) (640d30b)
  • pp: print blank lines to separate each round of updating (#958) (0a6c71b)
  • provider: fix the name and messages of custom URL providers (#940) (2d95d69)
  • provider: force IPv4/IPv6 for custom URL providers (#939) (3e80358)
  • updater: actively close idle connections for IP detection (#943) (05cbf7e)

Features

  • config: accept CLOUDFLARE_* and all compatible token settings (#948) (4fc883c)
  • provider: get IP from a specific network interface (#941) (69f8cf2) (#947) (4518fac)

1.14.2 (2024-09-13)

This is an urgent hotfix that resolves a nil pointer dereference issue introduced in version 1.14.1.

Bug Fixes

1.14.1 (2024-09-13)

This version is buggy; use version 1.14.2 instead.

This is a minor release that addresses minor issues and improves the usability of the new feature for managing WAF lists, which was initially introduced in version 1.14.0.

Bug Fixes

  • reduce unnecessary quotation marks in logging (#925) (dc3a26b)

Features

  • api: clear a WAF list when it cannot be deleted (#908) (1acf11d)
  • api: warn about mismatched attributes (#921) (80388a0)

1.14.0 (2024-08-25)

This is a major release with many improvements! The most significant new feature is the ability to maintain a WAF list of detected IP addresses; you can then refer to the list in your firewall rules. Please consult the README. The second most important update is to use a variant of the Happy Eyeballs (Fast Fallback) algorithm to detect the blockage of 1.1.1.1. As the name of the new algorithm suggests, you should not notice any delay due to the detection, being happy. 😄

As a reminder, since 1.13.0, the updater will no longer drop superuser privileges and PUID and PGID will be ignored. Please use Docker’s built-in mechanism to drop privileges. The old Docker Compose template may grant the new updater unneeded privileges, which is not recommended. Please review the new template in README that is simpler and more secure when combined with the new updater. In a nutshell, remove the cap_add attribute and replace the environment variables PUID and PGID with the user: "UID:GID" attribute. If you are not using Docker Compose, chances are your system supports similar options under different names.

Other notable changes:

  1. The global Cloudflare account ID will no longer be used when searching for DNS zones. CF_ACCOUNT_ID will be ignored.
  2. To reduce network traffic and delay, the Cloudflare API token will no longer be additionally verified via Cloudflare’s token verification API. Instead, the updater will locally check whether the token looks like a valid Bearer Token before using the API.
  3. Many parts of the README have been rewritten to improve clarity and to document the support of WAF lists.
  4. The DNS record updating algorithm was revised to be more deterministic, which means the updater will not give up updating stale DNS records (and create new ones) when there are errors; it will simply try again next time. As a result, in very rare cases, the updater may need more rounds to recover from errors.

Bug Fixes

  • api: decouple account IDs from operations on DNS records (#875) (0fa1085)
  • api: eliminate potential memory leak in caching (#854) (b9c7327)
  • api: make the updating algorithm more deterministic (#864) (b557c41)
  • api: remove global account ID and remote token verification (#877) (5a40ea7)
  • monitor: retry connections to Uptime Kuma (#890) (8236410)
  • setter: do not quote DNS record IDs (#851) (fc8accb)
  • updater: delete unmanaged IP addresses from WAF lists (#885) (bf0361c)
  • updater: show the hint to disable a network when IP detection timeouts (#859) (bdf154c) (#862) (397e722)

Features

  • api: ability to update WAF lists (#797) (180bcd7)
  • provider: Happy Eyeballs for 1.1.1.1 v.s. 1.0.0.1 (#883) (be0109b)

1.13.2 (2024-07-23)

This is a quick release to change the default user/group IDs of the shipped Docker images to 1000 (instead of 0, the root). The change will help many people use the Docker images more safely. You are still encouraged to review whether the default ID 1000 is what you want. If you have already adopted the new recommended Docker template (in README) with user: ... (not PUID or PGID) to explicitly set the user and group IDs, this release does not affect you.

1.13.1 (2024-07-19)

This is a very minor release that improves the error messages produced by the new API token verifier (introduced in 1.13.0). See #813.

Bug Fixes

  • domain: fix incorrect parsing of *.*.foo.bar (#809) (9ccf9df)

1.13.0 (2024-07-16)

This is a major release that no longer drops superuser privileges. Please review the instructions in README for the new recommended setup.

BREAKING CHANGES

  • The updater will no longer drop superuser privileges and PUID and PGID will be ignored. Please use Docker’s built-in mechanism to drop privileges. The old, hacky Docker Compose template will grant the new updater unneeded privileges, which is less secure and not recommended. Please review the new template in README that is simpler and more secure when combined with the new updater. In a nutshell, remove cap_add completely and add user: ... as

    user: "1000:1000"
    # Run the updater with a specific user ID and group ID (in that order).
    # You should change the two numbers based on your setup.

    If you have not, please add cap_drop: [all] to drop all Linux capabilities. You should probably remove PUID and PGID as well because they are now useless.

  • In case you are using the *-nocapdrop Docker tags, they will no longer be maintained. The updater will no longer drop superuser privileges, and thus the nocapdrop builds are identical to the regular ones. Just use the regular Docker tags such as latest.

  • The older versions used to add the comment “Created by cloudflare-ddns” to all newly created DNS records. Since this version, the comment has become configurable, but by default it is empty. To restore the old behavior, add the configuration RECORD_COMMENT=Created by cloudflare-ddns (or any comment you want to use).

Features

  • api: make record comment of new DNS records configurable using RECORD_COMMENT (#783) (b10c9a3)
  • api: recheck tokens if the network is temporarily down (#790) (15d1a5a)
  • api: smarter sanity checking (#796) (80dc7f4)
  • cron: show dates when needed (#795) (d1850b1)
  • config: recheck 1.1.1.1 and 1.0.0.1 some time later when probing fails (possibly because the network is temporarily down) (#788) (0983b06)
  • updater: bail out faster when it times out (#784) (3b42131)

1.12.0 (2024-06-28)

This is a major release with two significant improvements:

  1. The updater can send general updates via shoutrrr now.
  2. The updater supports non-Linux platforms now. Linux capabilities are not supported on other platforms, but all other features should run as expected at least on Unix-like platforms.

There are also two notable improvements to the stock Docker images. Starting from this version:

  1. Annotations are properly added to the Docker images, thanks to the updates to the upstream Docker toolchain.
  2. A new Docker tag, 1, is introduced to track the latest version with the major version 1. I plan to develop 2.0.0 that may contain larger breaking changes. Sticking to 1 instead of latest now can avoid unexpected breakage in the future.

Note that the notification system was revamped to integrate shoutrrr. As a result, messages may have been reworded.

Bug Fixes

Features

1.11.0 (2023-10-23)

This release adds the experimental support of Uptime Kuma.

BREAKING CHANGES

  • UPDATE_CRON=@disabled is deprecated; use UPDATE_CRON=@once instead

Features

1.10.1 (2023-09-17)

Bug Fixes

1.10.0 (2023-09-10)

Features

KNOWN BUGS

  • The current updater will erase existing record comments when updating the IP address due to an unfortunate design in an upstream library. This bug seems to affect all updaters of version 1.8.3 or later (I didn’t really check them). I am attempting to address the bug by fixing the upstream library, but if that does not work, a hack to keep existing record comments will be added to the updater. The bug is tracked by GitHub issue #559.

1.9.4 (2023-06-07)

This is a minor update that comes with a nice bugfix from go-retryablehttp 0.7.4.

1.9.3 (2023-06-06)

This version will automatically switch to 1.0.0.1 when 1.1.1.1 appears to be blocked or intercepted by your ISP or your router. The blockage and interception should not happen, but many ISPs and routers were misconfigured to use 1.1.1.1 as a private IP. The new updater tries to work around it by switching to 1.0.0.1. The long-term solution is to notify your ISP or upgrade your router.

Bug Fixes

  • setter: quote DNS record IDs to prevent injection attacks (#502) (d978c68)

Features

  • config: display a message when 1.0.0.1 also doesn't work (#495) (5f5602d)
  • config: check 1.1.1.1 only when IPv4 is used (#494) (d0db1be)
  • config: use 1.0.0.1 when 1.1.1.1 is blocked (#491) (8b9d160)

1.9.2 (2023-04-11)

Bug Fixes

1.9.1 (2023-03-15)

This version is a hotfix for running the updater in quiet mode in a system (e.g., Portainer) that expects some output from the updater. Unfortunately, the new quiet mode introduced in 1.9.0 was too quiet for those systems. This version will print out something to make them happy.

Bug Fixes

  • print out something in the quiet mode (#427) (a1f7d07)

1.9.0 (2023-03-15)

Features

  • cron: add the option UPDATE_CRON=@disabled to disable cron (#411) (a381c5a)

BREAKING CHANGES

  • the quiet mode will no longer print the version and the information about superuser privileges (unless there are errors) (#415) (92a4462)

Other Notes

The feature to disable cron is experimental. The intention is to use another mechanism to manage the update schedule and run the updater. The quiet mode was made quieter so that repeated execution of the updater will not lead to excessive logging with non-errors.

1.8.4 (2023-03-03)

This release comes with no user-visible changes. It was compiled by version 1.20.1 of Go (instead of 1.20) and was shipped with version 0.62.0 of the cloudflare-go library that fixed a bug about proxy settings. I believe the bug does not affect the updater, but there's no reason not to use the fixed version. 😄

1.8.3 (2023-02-11)

Bug Fixes

  • api: optimize network traffic for UpdateRecord (#358) (64bd670)

Features

Other Notes

Upgraded Go to version 1.20.

1.8.2 (2023-01-02)

This release is shipped with a newer golang.org/x/net/http2 that fixes CVE-2022-41717. The updater should not be affected by the CVE, but a vulnerability scanner might still mark the updater or the image as insecure. This release should quiet those scanners. No new features are added.

1.8.1 (2022-12-05)

A minor update with internal refactoring and insignificant UI adjustments.

1.8.0 (2022-11-25)

Bug Fixes

  • provider: deprecate possibly unmaintained ipify (#270) (69b5d70)
  • monitor: correct printf format string (#265) (0740d61)
  • setter: improve monitor messages (#273) (c0599f6)

Features

  • monitor: improve Healthchecks integration (#272) (b24cce6)
  • pp: add an option to disable emojis (#280) (95d0c67)
  • provider: auto retry IP detection (#290) (de4d730)
  • provider: warn about the use of weak PRNGs (#254) (ae2c866)

BREAKING CHANGES

  • The ipify provider is deprecated.

1.7.2 (2022-11-07)

  • This version was published to retract all prior versions on https://pkg.go.dev. There are no observable changes.

1.7.1 (2022-10-23)

Features

BREAKING CHANGES

  • TTL no longer supports templates; only PROXIED supports them
  • existing templates that worked for 1.7.0 will stop working; see README.markdown for detailed documentation

1.7.0 (2022-09-06)

Features

  • config: accept templates for PROXIED and TTL (#214) (a78b96b)
  • warn about incorrect TTL values (#206) (c6a7ea8)

BREAKING CHANGES

  • experimental PROXIED_DOMAINS and NON_PROXIED_DOMAINS introduced in 1.6.0 are no longer supported; they are replaced by the new experimental template system

1.6.1 (2022-08-13)

Bug Fixes

1.6.0 (2022-08-12)

Bug Fixes

  • config: don't print "Monitors: (none)" (#201) (472aef4)
  • config: print wildcard domains with prefix *. (#198) (caf370c)
  • config: separate printed domains with comma (#200) (d658d58)
  • setter: print out better error messages (#195) (68007f8)

Features

Others

1.5.1 (2022-06-23)

Bug Fixes

  • file: fix arguments of pp.Errorf (55c5988)

1.5.0 (2022-06-18)

Bug Fixes

  • file: accept absolute paths (#173) (79bcd9b)
  • always ping "starting" before "exiting" (c05082a)

BREAKING CHANGES

  • rename IP4/6_POLICY to IP4/6_PROVIDER (#167) (1dcd4e4)

1.4.0 (2022-05-09)

Bug Fixes

  • api: revise the token verification message (#104) (209afdc)
  • updating was wrongly restricted by detection timeout (#159) (b3fc809)

Features

1.3.0 (2021-11-15)

Bug Fixes

  • api: keep leading dots after the beginning * is removed (#97) (bb2da38)

Features

  • detector: re-implement the cdn-cgi/trace parser and make it the new default policy; deprecate “cloudflare” in favor of “cloudflare.doh” or “cloudflare.trace” (#102) (ebf0639)

1.2.0 (2021-10-18)

Bug Fixes

Features

1.1.0 (2021-08-23)

Bug Fixes

  • api: always use ASCII forms of domains (#61) (befb0a9) (#58) (55da36f)
  • api: cache results of ListRecords (8680b4b)
  • api: more robust splitter for domains (#42) (12648db)
  • cmd: actually display version (d619c02)
  • config: fix indentation in ReadEnv (7c615a7)
  • config: redo parsing (#36) (0801a45)
  • pp: use less angry emojis for non-fatal errors (020d326)

Features