diff --git a/Makefile.release b/Makefile.release
index d75a78f66..d69eca218 100644
--- a/Makefile.release
+++ b/Makefile.release
@@ -26,7 +26,7 @@
 # 1. Up the version in coremain/version.go
 # 2. Do a make -f Makefile.doc
 # 3. go generate
-# 4.* Send PR to get this merged.
+# 4. Send PR to get this merged.
 #
 # Then:
 #
diff --git a/coremain/version.go b/coremain/version.go
index cc086df27..9c622c58b 100644
--- a/coremain/version.go
+++ b/coremain/version.go
@@ -2,7 +2,7 @@ package coremain
 
 // Various CoreDNS constants.
 const (
-	CoreVersion = "1.5.1"
+	CoreVersion = "1.5.2"
 	coreName    = "CoreDNS"
 	serverType  = "dns"
 )
diff --git a/man/coredns-auto.7 b/man/coredns-auto.7
index 67d246cf7..4dfd7758e 100644
--- a/man/coredns-auto.7
+++ b/man/coredns-auto.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-AUTO" 7 "June 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-AUTO" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -21,7 +21,6 @@ auto [ZONES...] {
     directory DIR [REGEXP ORIGIN\_TEMPLATE]
     transfer to ADDRESS...
     reload DURATION
-    upstream
 }
 
 .fi
@@ -46,9 +45,6 @@ When an address is specified a notify message will be send whenever the zone is
 \fB\fCreload\fR interval to perform reloads of zones if SOA version changes and zonefiles. It specifies how often CoreDNS should scan the directory to watch for file removal and addition. Default is one minute.
 Value of \fB\fC0\fR means to not scan for changes and reload. eg. \fB\fC30s\fR checks zonefile every 30 seconds
 and reloads zone when serial changes.
-.IP \(bu 4
-\fB\fCupstream\fR defines upstream resolvers to be used resolve external names found (think CNAMEs)
-pointing to external names. CoreDNS will resolve CNAMEs against itself.
 
 
 .PP
diff --git a/man/coredns-etcd.7 b/man/coredns-etcd.7
index 4c2078984..11ffb385b 100644
--- a/man/coredns-etcd.7
+++ b/man/coredns-etcd.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-ETCD" 7 "April 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-ETCD" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -48,7 +48,6 @@ etcd [ZONES...] {
     path PATH
     endpoint ENDPOINT...
     credentials USERNAME PASSWORD
-    upstream
     tls CERT KEY CACERT
 }
 
@@ -68,10 +67,6 @@ queries for those zones will be subject to fallthrough.
 .IP \(bu 4
 \fB\fCcredentials\fR is used to set the \fBUSERNAME\fP and \fBPASSWORD\fP for accessing the etcd cluster.
 .IP \(bu 4
-\fB\fCupstream\fR upstream resolvers to be used resolve external names found in etcd (think CNAMEs)
-pointing to external names. If you want CoreDNS to act as a proxy for clients, you'll need to add
-the \fIforward\fP plugin.
-.IP \(bu 4
 \fB\fCtls\fR followed by:
 
 .RS
@@ -120,7 +115,6 @@ This is the default SkyDNS setup, with everything specified in full:
     etcd skydns.local {
         path /skydns
         endpoint http://localhost:2379
-        upstream
     }
     prometheus
     cache 160 skydns.local
@@ -142,7 +136,6 @@ when resolving external pointing CNAMEs.
 \&. {
     etcd skydns.local {
         path /skydns
-        upstream
     }
     cache 160 skydns.local
     forward . /etc/resolv.conf
diff --git a/man/coredns-federation.7 b/man/coredns-federation.7
index c6dabd8e3..a7c408720 100644
--- a/man/coredns-federation.7
+++ b/man/coredns-federation.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-FEDERATION" 7 "April 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-FEDERATION" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -22,7 +22,6 @@ Enabling \fIfederation\fP without also having \fIkubernetes\fP is a noop.
 .nf
 federation [ZONES...] {
     NAME DOMAIN
-    upstream
 }
 
 .fi
@@ -31,10 +30,6 @@ federation [ZONES...] {
 .IP \(bu 4
 Each \fBNAME\fP and \fBDOMAIN\fP defines federation membership. One entry for each. A duplicate
 \fBNAME\fP will silently overwrite any previous value.
-.IP \(bu 4
-\fB\fCupstream\fR resolve the \fB\fCCNAME\fR target produced by this plugin.  CoreDNS
-will resolve External Services against itself and needs the \fIforward\fP plugin to be active to do
-so.
 
 
 .SH "EXAMPLES"
@@ -50,7 +45,6 @@ Here we handle all service requests in the \fB\fCprod\fR and \fB\fCstage\fR fede
     federation cluster.local {
         prod prod.feddomain.com
         staging staging.feddomain.com
-        upstream
     }
     forward . 192.168.1.12
 }
diff --git a/man/coredns-file.7 b/man/coredns-file.7
index 5359a649d..8c39d79c0 100644
--- a/man/coredns-file.7
+++ b/man/coredns-file.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-FILE" 7 "June 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-FILE" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -40,7 +40,6 @@ If you want to round-robin A and AAAA responses look at the \fIloadbalance\fP pl
 file DBFILE [ZONES... ] {
     transfer to ADDRESS...
     reload DURATION
-    upstream
 }
 
 .fi
@@ -55,10 +54,6 @@ When an address is specified a notify message will be sent whenever the zone is
 \fB\fCreload\fR interval to perform a reload of the zone if the SOA version changes. Default is one minute.
 Value of \fB\fC0\fR means to not scan for changes and reload. For example, \fB\fC30s\fR checks the zonefile every 30 seconds
 and reloads the zone when serial changes.
-.IP \(bu 4
-\fB\fCupstream\fR resolve external names found (think CNAMEs) pointing to external names. This is only
-really useful when CoreDNS is configured as a proxy; for normal authoritative serving you don't
-need \fIor\fP want to use this. CoreDNS will resolve CNAMEs against itself.
 
 
 .SH "EXAMPLES"
diff --git a/man/coredns-k8s_external.7 b/man/coredns-k8s_external.7
index 220b9b908..8c7a74e91 100644
--- a/man/coredns-k8s_external.7
+++ b/man/coredns-k8s_external.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-K8S_EXTERNAL" 7 "June 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-K8S_EXTERNAL" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -97,6 +97,27 @@ Enable names under \fB\fCexample.org\fR to be resolved to in cluster DNS address
 .fi
 .RE
 
+.PP
+With the Corefile above, the following Service will get an \fB\fCA\fR record for \fB\fCtest.default.example.org\fR with IP address \fB\fC192.168.200.123\fR.
+
+.PP
+.RS
+
+.nf
+apiVersion: v1
+kind: Service
+metadata:
+ name: test
+ namespace: default
+spec:
+ clusterIP: None
+ externalIPs:
+ \- 192.168.200.123
+ type: ClusterIP
+
+.fi
+.RE
+
 .PP
 For some background see resolve external IP address
 \[la]https://github.com/kubernetes/dns/issues/242\[ra].
diff --git a/man/coredns-kubernetes.7 b/man/coredns-kubernetes.7
index 9b71d0b8e..6d7cfc555 100644
--- a/man/coredns-kubernetes.7
+++ b/man/coredns-kubernetes.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-KUBERNETES" 7 "June 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-KUBERNETES" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -21,7 +21,7 @@ to deploy CoreDNS in Kubernetes
 .PP
 stubDomains and upstreamNameservers
 \[la]https://kubernetes.io/blog/2017/04/configuring-private-dns-zones-upstream-nameservers-kubernetes/\[ra]
-are implemented via the \fIforward\fP plugin and kubernetes \fIupstream\fP. See the examples below.
+are implemented via the \fIforward\fP plugin. See the examples below.
 
 .PP
 This plugin can only be used once per Server Block.
@@ -55,7 +55,6 @@ kubernetes [ZONES...] {
     labels EXPRESSION
     pods POD\-MODE
     endpoint\_pod\_names
-    upstream
     ttl TTL
     noendpoints
     transfer to ADDRESS...
@@ -125,10 +124,6 @@ follows: Use the hostname of the endpoint, or if hostname is not set, use the
 pod name of the pod targeted by the endpoint. If there is no pod targeted by
 the endpoint, use the dashed IP address form.
 .IP \(bu 4
-\fB\fCupstream\fR defines the upstream resolvers used for resolving services
-that point to external hosts (aka External Services, aka CNAMEs).  CoreDNS
-will resolve External Services against itself.
-.IP \(bu 4
 \fB\fCttl\fR allows you to set a custom TTL for responses. The default is 5 seconds.  The minimum TTL allowed is
 0 seconds, and the maximum is capped at 3600 seconds. Setting TTL to 0 will prevent records from being cached.
 .IP \(bu 4
@@ -163,7 +158,7 @@ Kubernetes API.
 .PP
 Handle all queries in the \fB\fCcluster.local\fR zone. Connect to Kubernetes in-cluster. Also handle all
 \fB\fCin-addr.arpa\fR \fB\fCPTR\fR requests for \fB\fC10.0.0.0/17\fR . Verify the existence of pods when answering pod
-requests. Resolve upstream records against \fB\fC10.102.3.10\fR. Note we show the entire server block here:
+requests.
 
 .PP
 .RS
@@ -172,7 +167,6 @@ requests. Resolve upstream records against \fB\fC10.102.3.10\fR. Note we show th
 10.0.0.0/17 cluster.local {
     kubernetes {
         pods verified
-        upstream 10.102.3.10:53
     }
 }
 
@@ -211,7 +205,6 @@ kubernetes cluster.local {
 .SH "STUBDOMAINS AND UPSTREAMNAMESERVERS"
 .PP
 Here we use the \fIforward\fP plugin to implement a stubDomain that forwards \fB\fCexample.local\fR to the nameserver \fB\fC10.100.0.10:53\fR.
-The \fIupstream\fP option in the \fIkubernetes\fP plugin means that ExternalName services (CNAMEs) will be resolved using the respective proxy.
 Also configured is an upstreamNameserver \fB\fC8.8.8.8:53\fR that will be used for resolving names that do not fall in \fB\fCcluster.local\fR
 or \fB\fCexample.local\fR.
 
@@ -220,9 +213,7 @@ or \fB\fCexample.local\fR.
 
 .nf
 cluster.local:53 {
-    kubernetes cluster.local {
-        upstream
-    }
+    kubernetes cluster.local
 }
 example.local {
     forward . 10.100.0.10:53
diff --git a/man/coredns-loop.7 b/man/coredns-loop.7
index 353ff081a..7d11b0fb7 100644
--- a/man/coredns-loop.7
+++ b/man/coredns-loop.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-LOOP" 7 "June 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-LOOP" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -117,7 +117,7 @@ although this can be different depending on your distribution.
 Disable the local DNS cache on host nodes, and restore \fB\fC/etc/resolv.conf\fR to the original.
 .IP \(bu 4
 A quick and dirty fix is to edit your Corefile, replacing \fB\fCforward . /etc/resolv.conf\fR with
-the ip address of your upstream DNS, for example \fB\fCforward . 8.8.8.8\fR.  But this only fixes the issue for CoreDNS,
+the IP address of your upstream DNS, for example \fB\fCforward . 8.8.8.8\fR.  But this only fixes the issue for CoreDNS,
 kubelet will continue to forward the invalid \fB\fCresolv.conf\fR to all \fB\fCdefault\fR dnsPolicy Pods, leaving them unable to resolve DNS.
 
 
diff --git a/man/coredns-reload.7 b/man/coredns-reload.7
index 36d3eda9f..1f2efbab0 100644
--- a/man/coredns-reload.7
+++ b/man/coredns-reload.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-RELOAD" 7 "June 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-RELOAD" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
diff --git a/man/coredns-route53.7 b/man/coredns-route53.7
index 20a88b604..68e10a4ff 100644
--- a/man/coredns-route53.7
+++ b/man/coredns-route53.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-ROUTE53" 7 "April 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-ROUTE53" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -20,7 +20,6 @@ The route53 plugin can be used when coredns is deployed on AWS or elsewhere.
 .nf
 route53 [ZONE:HOSTED\_ZONE\_ID...] {
     [aws\_access\_key AWS\_ACCESS\_KEY\_ID AWS\_SECRET\_ACCESS\_KEY]
-    upstream
     credentials PROFILE [FILENAME]
     fallthrough [ZONES...]
 }
@@ -41,9 +40,6 @@ to be used when query AWS (optional). If they are not provided, then coredns tri
 AWS credentials the same way as AWS CLI, e.g., environmental variables, AWS credentials file,
 instance profile credentials, etc.
 .IP \(bu 4
-\fB\fCupstream\fRis used for resolving services that point to external hosts (eg. used to resolve
-CNAMEs). CoreDNS will resolve against itself.
-.IP \(bu 4
 \fB\fCcredentials\fR is used for reading the credential file and setting the profile name for a given
 zone.
 .IP \(bu 4
@@ -61,16 +57,14 @@ only queries for those zones will be subject to fallthrough.
 
 .SH "EXAMPLES"
 .PP
-Enable route53 with implicit AWS credentials and an upstream:
+Enable route53 with implicit AWS credentials and and resolve CNAMEs via 10.0.0.1:
 
 .PP
 .RS
 
 .nf
 \&. {
-	route53 example.org.:Z1Z2Z3Z4DZ5Z6Z7 {
-	  upstream
-	}
+	route53 example.org.:Z1Z2Z3Z4DZ5Z6Z7
     forward . 10.0.0.1
 }
 
diff --git a/man/coredns-secondary.7 b/man/coredns-secondary.7
index 82da717a7..b3f6ac362 100644
--- a/man/coredns-secondary.7
+++ b/man/coredns-secondary.7
@@ -1,5 +1,5 @@
 .\" Generated by Mmark Markdown Processer - mmark.nl
-.TH "COREDNS-SECONDARY" 7 "June 2019" "CoreDNS" "CoreDNS Plugins"
+.TH "COREDNS-SECONDARY" 7 "July 2019" "CoreDNS" "CoreDNS Plugins"
 
 .SH "NAME"
 .PP
@@ -35,7 +35,6 @@ A working syntax would be:
 secondary [zones...] {
     transfer from ADDRESS
     transfer to ADDRESS
-    upstream
 }
 
 .fi
@@ -46,10 +45,6 @@ secondary [zones...] {
 if one does not work, another will be tried.
 .IP \(bu 4
 \fB\fCtransfer to\fR can be enabled to allow this secondary zone to be transferred again.
-.IP \(bu 4
-\fB\fCupstream\fR resolve external names found (think CNAMEs) pointing to external names. This is only
-really useful when CoreDNS is configured as a proxy; for normal authoritative serving you don't
-need \fIor\fP want to use this. CoreDNS will resolve CNAMEs against itself.
 
 
 .PP