Merge pull request #215 from aaronlehmann/dnssec-invalid-rrset

Check that the RRs passed to Sign and Verify form a valid RFC2181 RRSet
latest commit 16c1d54948
@miekg authored
idn add final dot in function comment
.gitignore gitignore update
.travis.yml Cleanup travis.yml
CONTRIBUTORS Changed logic to typeswitch and added comments.
COPYRIGHT Remove all copyright notices
LICENSE Update the copy right for the original GO files Fix URI record
client.go Rename to ReadMsgHeader
client_test.go And of course the test too
clientconfig.go A bunch of golint fixes
clientconfig_test.go Use %v as the format arg for errors
defaults.go Rename isValidRRSet to IsRRset, and move it to defaults.go
dns.go Update the value of MaxMsgSize
dns_test.go Enable CAA parsing
dnssec.go Rename isValidRRSet to IsRRset, and move it to defaults.go
dnssec_keygen.go A bunch of golint fixes
dnssec_keyscan.go Use algorithm number to determine private key type.
dnssec_privkey.go A bunch of golint fixes
dnssec_test.go Rename isValidRRSet to IsRRset, and move it to defaults.go
doc.go Add link to web article explaining it further
dyn_test.go Remove all copyright notices
edns.go Changes applied:
edns_test.go Fixup tests
example_test.go DNSSEC algorithm and digest types now uint8
format.go Typo in comment
labels.go extra docs
labels_test.go Revert "Use gofmt to simplify code"
msg.go fuzzzz
nsecx.go A bunch of golint fixes
nsecx_test.go More test clean up
parse_test.go merge conflict
privaterr.go Move all docs to docs.go
privaterr_test.go Use %v as the format arg for errors
rawmsg.go Remove all copyright notices
scanner.go Remove all copyright notices
server.go Expose the udp/tcp listening socket w/ ListenAndServe()
server_test.go Check that the query ID matches the answer ID.
sig0.go Move all docs to docs.go
sig0_test.go Convert tests from being t.Log(..) then t.Fail() to just t.Error(...) as
singleinflight.go Implement outstanding query detection.
tlsa.go If the Matching Type is 1 or 2 we need to return a hash.
tsig.go Move all docs to docs.go
types.go merge conflict
types_test.go Add tests for LOC record String() generation and fix small problems
udp.go Export UDP interfaces
udp_linux.go Remove all copyright notices
udp_other.go Remove all copyright notices
udp_windows.go Export UDP interfaces
update.go Move all docs to docs.go
update_test.go CAA now also be tested in TestDynamicUpdateParsing
xfr.go Fix crash in inIxfr when ReadMsg fails
xfr_test.go Replace t.Logf("%s", var) with t.Log(var)
zgenerate.go $GENERATE: don't crash when printing the result.
zscan.go Fix off-by-one on the maxTok and maxCom check
zscan_rr.go disallow multiple uri fragments

Alternative (more granular) approach to a DNS library

Less is more.

Complete and usable DNS library. All widely used Resource Records are supported, including the DNSSEC types. It follows a lean and mean philosophy. If there is stuff you should know as a DNS programmer, there isn't a convenience function for it. Server side and client side programming is supported, i.e. you can build servers and resolvers with it.

If you like this, you may also be interested in:


  • KISS;
  • Fast;
  • Small API, if it's easy to code in Go, don't make a function for it.


A not-so-up-to-date-list-that-may-be-actually-current:

Send a pull request if you want to be listed here.


  • UDP/TCP queries, IPv4 and IPv6;
  • RFC 1035 zone file parsing ($INCLUDE, $ORIGIN, $TTL and $GENERATE (for all record types) are supported);
  • Fast:
    • Reply speed around ~ 80K qps (faster hardware results in more qps);
    • Parsing RRs ~ 100K RR/s, that's 5M records in about 50 seconds;
  • Server side programming (mimicking the net/http package);
  • Client side programming;
  • DNSSEC: signing, validating and key generation for DSA, RSA and ECDSA;
  • EDNS0, NSID;
  • TSIG, SIG(0);
  • DNS name compression;
  • Depends only on the standard library.

Have fun!

Miek Gieben - 2010-2012 -


Building is done with the go tool. If you have set up your GOPATH correctly, the following should work:

go get
go build


A short "how to use the API" is at the beginning of doc.go (this also will show when you call godoc

Example programs can be found in the repository.

Supported RFCs

all of them

  • 103{4,5} - DNS standard
  • 1348 - NSAP record
  • 1982 - Serial Arithmetic
  • 1876 - LOC record
  • 1995 - IXFR
  • 1996 - DNS notify
  • 2136 - DNS Update (dynamic updates)
  • 2181 - RRset definition - there is no RRset type though, just []RR
  • 2537 - RSAMD5 DNS keys
  • 2065 - DNSSEC (updated in later RFCs)
  • 2671 - EDNS record
  • 2782 - SRV record
  • 2845 - TSIG record
  • 2915 - NAPTR record
  • 2929 - DNS IANA Considerations
  • 3110 - RSASHA1 DNS keys
  • 3225 - DO bit (DNSSEC OK)
  • 340{1,2,3} - NAPTR record
  • 3445 - Limiting the scope of (DNS)KEY
  • 3597 - Unknown RRs
  • 4025 - IPSECKEY
  • 403{3,4,5} - DNSSEC + validation functions
  • 4255 - SSHFP record
  • 4343 - Case insensitivity
  • 4408 - SPF record
  • 4509 - SHA256 Hash in DS
  • 4592 - Wildcards in the DNS
  • 4635 - HMAC SHA TSIG
  • 4701 - DHCID
  • 4892 - id.server
  • 5001 - NSID
  • 5155 - NSEC3 record
  • 5205 - HIP record
  • 5702 - SHA2 in the DNS
  • 5936 - AXFR
  • 5966 - TCP implementation recommendations
  • 6605 - ECDSA
  • 6725 - IANA Registry Update
  • 6742 - ILNP DNS
  • 6844 - CAA record
  • 6891 - EDNS0 update
  • 6895 - DNS IANA considerations
  • 6975 - Algorithm Understanding in DNSSEC
  • 7043 - EUI48/EUI64 records
  • 7314 - DNS (EDNS) EXPIRE Option
  • 7553 - URI record
  • xxxx - EDNS0 DNS Update Lease (draft)
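
The RFC 2181 entry above notes that an RRset is just a slice of records, and the latest merge makes Sign and Verify check that the slice really is one RRset, since a DNSSEC signature covers exactly one RRset. The following is an added example of such a check, not the library's own code: the RR struct and CheckRRset are hypothetical names, the records are constructed samples, and the TTL comparison follows RFC 2181 section 5.2.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RR is a hypothetical, minimal record header used only in this example;
// it is not the library's RR interface.
type RR struct {
	Name  string // owner name, assumed fully qualified
	Type  uint16 // 1 = A, 28 = AAAA
	Class uint16 // 1 = IN
	TTL   uint32
}

// CheckRRset returns nil when rrs form a single RRset: same owner name
// (compared case-insensitively, RFC 4343), same class and type (RFC 2181
// section 5) and same TTL (RFC 2181 section 5.2).
func CheckRRset(rrs []RR) error {
	if len(rrs) == 0 {
		return errors.New("empty RRset")
	}
	first := rrs[0]
	for i, rr := range rrs[1:] {
		switch {
		case !strings.EqualFold(rr.Name, first.Name):
			return fmt.Errorf("record %d: owner %q differs from %q", i+1, rr.Name, first.Name)
		case rr.Class != first.Class:
			return fmt.Errorf("record %d: class %d differs from %d", i+1, rr.Class, first.Class)
		case rr.Type != first.Type:
			return fmt.Errorf("record %d: type %d differs from %d", i+1, rr.Type, first.Type)
		case rr.TTL != first.TTL:
			return fmt.Errorf("record %d: TTL %d differs from %d", i+1, rr.TTL, first.TTL)
		}
	}
	return nil
}

func main() {
	// Constructed sample records: two A records, then an A mixed with an AAAA.
	good := []RR{{"example.org.", 1, 1, 300}, {"EXAMPLE.org.", 1, 1, 300}}
	mixed := []RR{{"example.org.", 1, 1, 300}, {"example.org.", 28, 1, 300}}
	fmt.Println(CheckRRset(good))
	fmt.Println(CheckRRset(mixed))
}
```

Running the check before both signing and verification means a caller cannot obtain or accept a signature over records that do not belong together.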

Loosely based upon

  • ldns
  • NSD
  • Net::DNS


  • privatekey.Precompute() when signing?
  • Last remaining RRs: APL, ATMA, A6 and NXT.
  • Missing in parsing: ISDN, UNSPEC, ATMA.
  • NSEC(3) cover/match/closest enclose.
  • Replies with TC bit are not parsed to the end.