Authoritative DNS over UDP and TCP
doneAuthoritative query handling, TCP fallback paths, CHAOS version response, and no recursive service scope.

Authoritative DNS for API-managed infrastructureA Go-based authoritative DNS server with in-memory serving, API-managed zones, DNSSEC, transfer support, and signed distributed replication between nodes.
go53 focuses on authoritative DNS only. The server keeps zone data in memory for read performance and persists changes through Badger-backed storage.
Use the browser-based go53-webadmin UI to evaluate go53 without writing API calls by hand.
The demo runs go53 with a resettable go53.demo. DNSSEC zone, distributed mode enabled, and representative A, AAAA, NS, MX, SRV, TXT, and CNAME records.
SvelteKit-based administration UI for zones, records, DNSSEC keys, TSIG/transfers, distributed state, users, roles, and audit history.
Username: go53_admin
Password: go53_admin
Completed items are shown as struck-through roadmap entries with the RFCs or protocol references they target.
Authoritative query handling, TCP fallback paths, CHAOS version response, and no recursive service scope.
Configurable EDNS enablement and UDP payload sizing for modern resolver interoperability.
EDNS NSID response support for node identification and anycast-style operations.
Controlled ANY response behavior reduces amplification exposure while preserving useful diagnostics.
HTTP API routes for zone record creation, lookup, deletion, TSIG keys, DNSSEC keys, and runtime config.
Zone transfer handling, SOA serial behavior, transfer ACLs, DNSSEC material in AXFR, and NOTIFY scheduling.
RFC 9432 catalog-zone workflow for secondary provisioning and fleet-scale zone membership.
TSIG key storage, API management, transfer enforcement option, and distributed TSIG key replication.
DNSKEY/RRSIG support, query-time signing cache, NSEC/NSEC3 chains, wildcard denial, and no-data proofs.
KSK/ZSK metadata, rollover helpers, revoke/retire timing, DS, CDS, and CDNSKEY endpoints.
Signed answer-chain handling and denial coverage around target and no-data cases.
Canonical owner-name comparison for escaped labels, case folding, IDNA, root, and wildcard names.
Signed event replication over persistent TCP/TLS, vector clocks, Merkle repair, and config/key/zone event coverage.
JWT invite creation, one-time invite consume, self-registering joins, and generated distributed node keys.
Zone and DNSSEC key material are loaded for read-heavy serving, while Badger persists changes.
Optional per-source-IP token-bucket QPS limiting on the UDP query path, with silent drops and bounded memory to blunt query floods. TCP and zone transfers are exempt.
Unauthenticated /healthz and /readyz HTTP endpoints for liveness and readiness checks behind load balancers and orchestrators.
The current beta focus is validation quality: interop testing with common validating resolvers, transfer edge cases, and operational hardening around distributed cluster membership.
The DNSSEC implementation is built around RFC 4033/4034/4035 behavior, with NSEC3 coverage from RFC 5155 and parent signaling through CDS/CDNSKEY endpoints.

These items remain planned or intentionally deferred until the beta test surface is stable.
Define production auth for all API routes, including operator roles, token lifecycle, and secure automation.
Automated validation against BIND, Knot, Unbound, PowerDNS Recursor, and common secondary setups.
Native DNS-over-TLS listener for authoritative service once the core DNS and auth surfaces settle.
Prometheus metrics and structured query/error logging. Operational health and readiness endpoints are already in place.
Zone-file import/export and safer administrative workflows around bulk changes.
Operational setup and parameter-level reference are split so admins can either follow workflows or inspect exact config behavior.
Primary/secondary/distributed setup, API examples, DNSSEC, TSIG, transfers, and go53ctl workflows.
Every environment and live config parameter with type, default, and implementation effect.
Deep dives into DNSSEC behavior and multi-node replication: encryption, signed events, vector clocks, and Merkle repair.
Notes on persistence behavior, storage layout, the zone model, and RFC compliance.