Waymark is a desired-state DNS and edge-policy control plane.
It is designed to model, diff, plan and eventually apply DNS, TLS, HTTPS, ECH and post-quantum readiness policy through provider adapters.
Waymark is in early development and is not ready for production use.
The current implementation is a minimal dry-run planner. It reads desired state from a local configuration file, compares it with supplied current state and prints a deterministic plan. It does not yet query live providers or apply changes.
Waymark aims to:
- provide deterministic desired-state policy for DNS and related edge posture
- support provider-backed planning and orchestration without hiding provider-specific behaviour
- integrate with Surveyor evidence where useful while keeping Surveyor observational
- make trust boundaries explicit
- support serious operational use without pretending to replace every network control
- maintain a repository and release process that can withstand professional scrutiny
Waymark is not intended to be:
- a generic ad-blocking DNS clone
- a recursive resolver or DNS forwarder
- a full firewall replacement
- a catch-all zero trust platform
- a vague privacy or security tool without explicit guarantees and boundaries
See docs/architecture/scope.md for the canonical project scope.
Waymark is being designed for:
- technically capable individual operators
- infrastructure operators managing DNS and edge-provider posture
- managed organisational environments
- security, infrastructure, enterprise and public-sector practitioners who value explicit control and operational clarity
Core documentation:
- Project scope: docs/architecture/scope.md
- Security model: docs/security/model.md
- Security policy: SECURITY.md
- Contributing: CONTRIBUTING.md
- Governance: GOVERNANCE.md
Architecture and security:
- Architecture overview: docs/architecture/overview.md
- Threat model: docs/security/threat-model.md
- Trust boundaries: docs/security/boundaries.md
Development and compliance:
- Development standards: docs/development/standards.md
- Testing: docs/development/testing.md
- Compliance matrix: docs/compliance/matrix.md
Run the example dry-run plan:

```sh
go run ./cmd/waymark plan -f examples/waymark.yaml
```

The command prints the zone, provider binding, policy modes, planned record changes and detected risks or unknowns.
To read current state from Cloudflare instead of the embedded example fixture, set a scoped API token in the environment and use the Cloudflare example:

```sh
CLOUDFLARE_API_TOKEN=... go run ./cmd/waymark plan -f examples/cloudflare.yaml
```

The Cloudflare path is read-only. It lists DNS records for the configured zone and feeds them into the same dry-run planner; nothing is written back to the provider. Because the planner only lists records, the token needs read access to that zone's DNS records and nothing more; do not grant it edit permissions, and keep it out of the configuration file.
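The diff the planner performs, desired records from the configuration file against current records from the embedded fixture or the Cloudflare listing, can be shown with a small stand-alone program. This is an added example written for this page, not Waymark's own code: the `Record` and `Change` types, the `PlanChanges` function, the (name, type, content) identity rule, the two risk checks and the fixture data are all assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Record is a hypothetical minimal DNS record model for this example only (not Waymark's own type).
type Record struct {
	Name, Type, Content string
	TTL                 int
}

// Change is one planned action: From is the current record (zero for create), To the desired one (zero for delete).
type Change struct {
	Action, Key string
	From, To    Record
}

// normalize canonicalises a record so spellings that are equal in DNS
// ("WWW.Example.com." vs "www.example.com") do not produce spurious changes.
func normalize(r Record) Record {
	r.Name = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(r.Name)), ".")
	r.Type = strings.ToUpper(strings.TrimSpace(r.Type))
	r.Content = strings.TrimSpace(r.Content)
	if r.Type == "CNAME" || r.Type == "MX" { // hostname targets are case-insensitive
		r.Content = strings.TrimSuffix(strings.ToLower(r.Content), ".")
	}
	return r
}

func key(r Record) string { return r.Name + "/" + r.Type + "/" + r.Content }

// PlanChanges diffs desired against current and returns the ordered changes plus detected risks.
// Identity is (name, type, content), so a content change is delete+create, only a TTL change
// is an update, and round-robin sets (several records of one name and type) survive intact.
func PlanChanges(desired, current []Record) ([]Change, []string) {
	var changes []Change
	want, have := map[string]Record{}, map[string]Record{}
	desiredTypes := map[string]map[string]bool{} // name -> set of desired record types
	risks := map[string]bool{}                   // set, so repeated findings are reported once
	for _, r := range desired {
		r = normalize(r)
		want[key(r)] = r
		if desiredTypes[r.Name] == nil {
			desiredTypes[r.Name] = map[string]bool{}
		}
		desiredTypes[r.Name][r.Type] = true
	}
	for _, r := range current {
		r = normalize(r)
		have[key(r)] = r
	}
	for k, r := range want {
		if cur, ok := have[k]; !ok {
			changes = append(changes, Change{Action: "create", Key: k, To: r})
		} else if cur.TTL != r.TTL {
			changes = append(changes, Change{Action: "update", Key: k, From: cur, To: r})
		}
	}
	for k, r := range have {
		if _, ok := want[k]; ok {
			continue
		}
		changes = append(changes, Change{Action: "delete", Key: k, From: r})
		if !desiredTypes[r.Name][r.Type] { // nothing of this name and type survives
			risks[fmt.Sprintf("delete removes the last %s record for %q", r.Type, r.Name)] = true
		}
	}
	for name, types := range desiredTypes {
		if types["CNAME"] && len(types) > 1 { // RFC 1034: a CNAME owner may hold no other data
			risks[fmt.Sprintf("%q has a CNAME alongside other record types", name)] = true
		}
	}
	var riskList []string
	for r := range risks {
		riskList = append(riskList, r)
	}
	// Map iteration order is random; sort so the same input always yields the same plan.
	// A key is either wanted or not, so keys are unique across changes and key order is total.
	sort.Slice(changes, func(i, j int) bool { return changes[i].Key < changes[j].Key })
	sort.Strings(riskList)
	return changes, riskList
}

func main() {
	// Constructed fixture: desired state as from a config file, current state as from a provider listing.
	desired := []Record{{"www.example.com.", "A", "203.0.113.10", 300}, {"www.example.com", "a", "203.0.113.11", 300},
		{"app.example.com", "CNAME", "Edge.Example.net.", 300}, {"app.example.com", "TXT", "v=1", 300}}
	current := []Record{{"WWW.example.com", "A", "203.0.113.10", 60}, {"www.example.com", "A", "198.51.100.5", 300},
		{"old.example.com", "A", "192.0.2.1", 300}, {"app.example.com", "CNAME", "edge.example.net", 300}}
	changes, risks := PlanChanges(desired, current)
	for _, c := range changes {
		fmt.Printf("%-6s %s ttl %d->%d\n", c.Action, c.Key, c.From.TTL, c.To.TTL)
	}
	for _, r := range risks {
		fmt.Println("risk:", r)
	}
}
```

Two design points carry over to any planner of this kind: normalise both sides before comparing, or case and trailing-dot differences in provider output show up as phantom changes on every run; and sort the output, because Go map iteration is randomised and a plan that changes order between runs cannot be diffed or reviewed.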
Please do not report security vulnerabilities in public issues.
See SECURITY.md for reporting guidance.
Before opening an issue or pull request, read CONTRIBUTING.md.
All commits must be signed off in accordance with the Developer Certificate of Origin. See DCO.md.
Waymark is licensed under the Apache License 2.0. See LICENSE.