Secure authoritative DNS nodes connected across a distributed infrastructure
go53 logo Authoritative DNS for API-managed infrastructure

go53 authoritative DNS

A Go-based authoritative DNS server with in-memory serving, API-managed zones, DNSSEC, transfer support, and signed distributed replication between nodes.

Project Snapshot

go53 focuses on authoritative DNS only. The server keeps zone data in memory for read performance and persists changes through Badger-backed storage.

Authoritative UDP/TCP DNS serving with zone data managed through HTTP API routes.
DNSSEC Query-time signing, cached RRSIGs, NSEC/NSEC3 denial, and key lifecycle metadata.
Distributed Persistent TLS socket replication with signed events, vector clocks, and Merkle repair.

Try go53 with webadmin

Use the browser-based go53-webadmin UI to evaluate go53 without writing API calls by hand.

Implemented

Completed items are shown as struck-through roadmap entries with the RFCs or protocol references they target.

Authoritative DNS over UDP and TCP

done

Authoritative query handling, TCP fallback paths, CHAOS version response, and no recursive service scope.

RFC 1034RFC 1035RFC 7766

EDNS-aware responses

done

Configurable EDNS enablement and UDP payload sizing for modern resolver interoperability.

RFC 6891

NSID support

done

EDNS NSID response support for node identification and anycast-style operations.

RFC 5001

ANY-query policy

done

Controlled ANY response behavior reduces amplification exposure while preserving useful diagnostics.

RFC 8482

API-managed zones and RRsets

done

HTTP API routes for zone record creation, lookup, deletion, TSIG keys, DNSSEC keys, and runtime config.

RFC 1035JSON API

AXFR, IXFR, and NOTIFY paths

done

Zone transfer handling, SOA serial behavior, transfer ACLs, DNSSEC material in AXFR, and NOTIFY scheduling.

RFC 1995RFC 1996RFC 5936

Catalog zones

done

RFC 9432 catalog-zone workflow for secondary provisioning and fleet-scale zone membership.

RFC 9432

TSIG validation and key API

done

TSIG key storage, API management, transfer enforcement option, and distributed TSIG key replication.

RFC 2845RFC 4635

DNSSEC signing and denial

done

DNSKEY/RRSIG support, query-time signing cache, NSEC/NSEC3 chains, wildcard denial, and no-data proofs.

RFC 4033RFC 4034RFC 4035RFC 5155

DNSSEC key lifecycle and parent signaling

done

KSK/ZSK metadata, rollover helpers, revoke/retire timing, DS, CDS, and CDNSKEY endpoints.

RFC 5011RFC 7344RFC 8078

CNAME and DNAME DNSSEC chains

done

Signed answer-chain handling and denial coverage around target and no-data cases.

RFC 6672RFC 4035

Canonical DNSSEC ordering

done

Canonical owner-name comparison for escaped labels, case folding, IDNA, root, and wildcard names.

RFC 4034

Distributed mode

done

Signed event replication over persistent TCP/TLS, vector clocks, Merkle repair, and config/key/zone event coverage.

TLS 1.3Ed25519Internal protocol

go53ctl cluster onboarding

done

JWT invite creation, one-time invite consume, self-registering joins, and generated distributed node keys.

RFC 7519EdDSA

In-memory read path with persistent mutations

done

Zone and DNSSEC key material are loaded for read-heavy serving, while Badger persists changes.

BadgerDBOperational

Per-client rate limiting

done

Optional per-source-IP token-bucket QPS limiting on the UDP query path, with silent drops and bounded memory to blunt query floods. TCP and zone transfers are exempt.

Abuse protectionOperational

Health and readiness probes

done

Unauthenticated /healthz and /readyz HTTP endpoints for liveness and readiness checks behind load balancers and orchestrators.

OperationalKubernetes

DNSSEC and Replication

The current beta focus is validation quality: interop testing with common validating resolvers, transfer edge cases, and operational hardening around distributed cluster membership.

The DNSSEC implementation is built around RFC 4033/4034/4035 behavior, with NSEC3 coverage from RFC 5155 and parent signaling through CDS/CDNSKEY endpoints.

Technical illustration of DNSSEC signatures and replicated authoritative DNS nodes

Future Work

These items remain planned or intentionally deferred until the beta test surface is stable.

API authentication and authorization

next

Define production auth for all API routes, including operator roles, token lifecycle, and secure automation.

Resolver interoperability matrix

next

Automated validation against BIND, Knot, Unbound, PowerDNS Recursor, and common secondary setups.

DoT listener

planned

Native DNS-over-TLS listener for authoritative service once the core DNS and auth surfaces settle.

RFC 7858

Metrics and structured observability

planned

Prometheus metrics and structured query/error logging. Operational health and readiness endpoints are already in place.

Import/export tooling

planned

Zone-file import/export and safer administrative workflows around bulk changes.

Documentation

Operational setup and parameter-level reference are split so admins can either follow workflows or inspect exact config behavior.