Skip to content
Latest commit 83f7d65 @miekg Merge pull request #309 from corny/patch-1
README: public-dns has moved
Failed to load latest commit information.
dnsutil Added new functions: TrimDomainName()/AddOrigin()
idn tidyup a little with the latest
.gitignore gitignore update
.travis.yml Travis: add -v to go test to catch stalling tests
CONTRIBUTORS Changed logic to typeswitch and added comments.
COPYRIGHT Remove all copyright notices
LICENSE Update the copy right for the original GO files README: public-dns has moved
client.go spelling
client_test.go Test client with TLS support
clientconfig.go A bunch of golint fixes
clientconfig_test.go Lowercase all error msg from the tests
defaults.go More documentation for IsDomainName
dns.go golint fixes
dns_test.go Expose TypeToRR
dnssec.go HINFO does not need downcasing for DNSSEC
dnssec_keygen.go Refactor DNSSEC to use crypto.{PrivateKey,Signer}
dnssec_keyscan.go Refactor DNSSEC to use crypto.{PrivateKey,Signer}
dnssec_privkey.go Refactor DNSSEC to use crypto.{PrivateKey,Signer}
dnssec_test.go Lowercase all error msg from the tests
doc.go typo
dyn_test.go Remove all copyright notices
edns.go Apply per-type code generation to .copy()
edns_test.go Fixup tests
example_test.go fix a stupid mistake "undefined: zone"
format.go Typo in comment
fuzz_test.go Check for l.err in $INCLUDE
labels.go Added new functions: TrimDomainName()/AddOrigin()
labels_test.go Added new functions: TrimDomainName()/AddOrigin()
msg.go spelling
nsecx.go A bunch of golint fixes
nsecx_test.go More test clean up
parse_test.go gofmt -s
privaterr.go Expose TypeToRR
privaterr_test.go Lowercase all error msg from the tests
rawmsg.go Remove the duplicate word length from the comment
remote_test.go Add remote test
sanitize.go some memory optimisations
sanitize_test.go gofmt -s
scanner.go Remove all copyright notices
server.go spelling
server_test.go Add option in server to allow DNS over TLS
sig0.go Refactor DNSSEC to use crypto.{PrivateKey,Signer}
sig0_test.go Lowercase all error msg from the tests
singleinflight.go Implement outstanding query detection.
tlsa.go If the Matching Type is 1 or 2 we need to return a hash.
tsig.go Apply per-type code generation to .copy()
types.go Apply per-type code generation to .copy()
types_generate.go gofmt -s
types_test.go Add tests for LOC record String() generation and fix small problems
udp.go golint fixes
udp_linux.go Set UDP conn to non-blocking on Linux to fix Shutdown()
udp_other.go Remove all copyright notices
udp_windows.go Export UDP interfaces
update.go Move all docs to docs.go
update_test.go Lowercase all error msg from the tests
xfr.go Make err explicit and drop the deref on *master
xfr_test.go Lowercase all error msg from the tests
zgenerate.go spelling
zscan.go fix typos
zscan_rr.go gofmt -s
ztypes.go Expose TypeToRR

Build Status

Alternative (more granular) approach to a DNS library

Less is more.

Complete and usable DNS library. All widely used Resource Records are supported, including the DNSSEC types. It follows a lean and mean philosophy. If there is stuff you should know as a DNS programmer there isn't a convenience function for it. Server side and client side programming is supported, i.e. you can build servers and resolvers with it.

We try to keep the "master" branch as sane as possible and at the bleeding edge of standards, avoiding breaking changes wherever reasonable. We support the last two versions of Go, currently: 1.4 and 1.5.


  • KISS;
  • Fast;
  • Small API, if its easy to code in Go, don't make a function for it.


A not-so-up-to-date-list-that-may-be-actually-current:

Send pull request if you want to be listed here.


  • UDP/TCP queries, IPv4 and IPv6;
  • RFC 1035 zone file parsing ($INCLUDE, $ORIGIN, $TTL and $GENERATE (for all record types) are supported;
  • Fast:
    • Reply speed around ~ 80K qps (faster hardware results in more qps);
    • Parsing RRs ~ 100K RR/s, that's 5M records in about 50 seconds;
  • Server side programming (mimicking the net/http package);
  • Client side programming;
  • DNSSEC: signing, validating and key generation for DSA, RSA and ECDSA;
  • EDNS0, NSID;
  • TSIG, SIG(0);
  • DNS over TLS: optional encrypted connection between client and server;
  • DNS name compression;
  • Depends only on the standard library.

Have fun!

Miek Gieben - 2010-2012 -


Building is done with the go tool. If you have setup your GOPATH correctly, the following should work:

go get
go build


A short "how to use the API" is at the beginning of doc.go (this also will show when you call godoc

Example programs can be found in the repository.

Supported RFCs

all of them

  • 103{4,5} - DNS standard
  • 1348 - NSAP record (removed the record)
  • 1982 - Serial Arithmetic
  • 1876 - LOC record
  • 1995 - IXFR
  • 1996 - DNS notify
  • 2136 - DNS Update (dynamic updates)
  • 2181 - RRset definition - there is no RRset type though, just []RR
  • 2537 - RSAMD5 DNS keys
  • 2065 - DNSSEC (updated in later RFCs)
  • 2671 - EDNS record
  • 2782 - SRV record
  • 2845 - TSIG record
  • 2915 - NAPTR record
  • 2929 - DNS IANA Considerations
  • 3110 - RSASHA1 DNS keys
  • 3225 - DO bit (DNSSEC OK)
  • 340{1,2,3} - NAPTR record
  • 3445 - Limiting the scope of (DNS)KEY
  • 3597 - Unknown RRs
  • 4025 - IPSECKEY
  • 403{3,4,5} - DNSSEC + validation functions
  • 4255 - SSHFP record
  • 4343 - Case insensitivity
  • 4408 - SPF record
  • 4509 - SHA256 Hash in DS
  • 4592 - Wildcards in the DNS
  • 4635 - HMAC SHA TSIG
  • 4701 - DHCID
  • 4892 - id.server
  • 5001 - NSID
  • 5155 - NSEC3 record
  • 5205 - HIP record
  • 5702 - SHA2 in the DNS
  • 5936 - AXFR
  • 5966 - TCP implementation recommendations
  • 6605 - ECDSA
  • 6725 - IANA Registry Update
  • 6742 - ILNP DNS
  • 6840 - Clarifications and Implementation Notes for DNS Security
  • 6844 - CAA record
  • 6891 - EDNS0 update
  • 6895 - DNS IANA considerations
  • 6975 - Algorithm Understanding in DNSSEC
  • 7043 - EUI48/EUI64 records
  • 7314 - DNS (EDNS) EXPIRE Option
  • 7553 - URI record
  • xxxx - EDNS0 DNS Update Lease (draft)
  • yyyy - DNS over TLS: Initiation and Performance Considerations (draft)

Loosely based upon

  • ldns
  • NSD
  • Net::DNS


  • privatekey.Precompute() when signing?
  • Last remaining RRs: APL, ATMA, A6, NSAP and NXT.
  • Missing in parsing: ISDN, UNSPEC, NSAP and ATMA.
  • NSEC(3) cover/match/closest enclose.
  • Replies with TC bit are not parsed to the end.
Something went wrong with that request. Please try again.