Go DNS Resolver - with DNSSEC validation

⚠️ Important warning: This project is not suitable for production use. It is early-stage, experimental software, and should only be used for learning, experimentation, or non-critical tooling.

I’ve been tinkering with DNS again, and the result is a project simply called resolver: https://github.com/nsmithuk/resolver.

At a high level, it’s a recursive DNS resolver written in Go, with a Go-first API. Instead of relying on an upstream recursive resolver, it’s designed to do the “full walk” — starting at the root nameservers and resolving names step-by-step until you have an answer.

The part I cared about most is correctness and security properties, so the project includes DNSSEC validation support. The goal is to make it practical to verify the authenticity and integrity of DNS responses, rather than just trusting whatever comes back.
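One link of the DNSSEC chain that a root-down walk has to check at every delegation is that a DS record served by the parent zone matches a DNSKEY in the child zone. The following is an added example using only the Go standard library; it is not code from the resolver or its dnssec package, the type and function names are hypothetical, and the key bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"strings"
)

// DNSKEY holds the RDATA fields of a DNSKEY record (RFC 4034, section 2).
type DNSKEY struct {
	Flags               uint16
	Protocol, Algorithm uint8
	PublicKey           []byte
}

func (k DNSKEY) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...)
}

// KeyTag is the RFC 4034 Appendix B checksum over the RDATA; it is a lookup hint, not a proof.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		ac += uint32(b) << (8 * uint(1-i&1)) // even offsets form the high byte
	}
	return uint16(ac + (ac>>16)&0xFFFF)
}

// DSDigest is the SHA-256 (digest type 2) DS digest: canonical owner name followed by the RDATA.
func DSDigest(owner string, k DNSKEY) []byte {
	var buf []byte
	for _, l := range strings.FieldsFunc(strings.ToLower(owner), func(r rune) bool { return r == '.' }) {
		buf = append(append(buf, byte(len(l))), l...) // length-prefixed lower-case label
	}
	sum := sha256.Sum256(append(append(buf, 0), k.rdata()...))
	return sum[:]
}

// Matches reports whether a DS from the parent zone authenticates DNSKEY k of the child zone.
func Matches(owner string, tag uint16, alg uint8, digest []byte, k DNSKEY) bool {
	return k.Flags&0x0100 != 0 && // the key must have the Zone Key bit set (RFC 4034, 5.2)
		tag == k.KeyTag() && alg == k.Algorithm && bytes.Equal(digest, DSDigest(owner, k))
}

func main() {
	// Constructed key: 64 filler bytes (the length algorithm 13 uses), not a real public key.
	k := DNSKEY{Flags: 257, Protocol: 3, Algorithm: 13, PublicKey: bytes.Repeat([]byte{1, 2}, 32)}
	fmt.Println(k.KeyTag(), Matches("example.com.", k.KeyTag(), 13, DSDigest("Example.COM.", k), k))
}
```

A DS match only pins which child key is trusted; a validator still has to verify the RRSIG over the child's DNSKEY RRset with that key before trusting anything else in the zone.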

Under the hood, the resolver builds heavily on the excellent miekg/dns library. That project does an enormous amount of the heavy lifting around DNS message handling and protocol correctness, and this repo would not exist without it.

Right now, the DNSSEC functionality lives inside this repository (as a dnssec package). I’ve noted in the README that it will likely be split out into its own dedicated project over time, once the boundaries are clearer.

This is not a “replace your production resolver tomorrow” kind of thing. Expect rough edges, missing features, and breaking changes as the design evolves.

So what is it good for right now?

  • Learning and experimentation: understanding recursive resolution and DNSSEC chains end-to-end.
  • Programmatic resolution: a Go API you can embed in tooling, tests, or prototypes without shelling out to dig.
  • DNSSEC validation work: debugging tricky zones or exploring validation edge cases.

If you’re interested in DNS internals, or you’ve ever wanted to see what “resolving from the root” looks like as readable, hackable Go code, this repo is for you.