go53 is a young, fast-moving authoritative DNS server written in Go — API-driven, container-native, and built so operators can reason about exactly what their nameserver is doing. 0.79.0 is a meaty release for that audience: it tightens the query path under load, makes go53 a better citizen in orchestrated environments, and hardens the backup/restore pipeline we introduced recently.
Here’s the engineer’s tour.
Per-source-IP rate limiting on the UDP path
rate_limit_qps has existed as a config knob for a while — but until now it didn’t actually do anything. In 0.79.0 it’s wired up to a small per-source-IP token bucket on the UDP query path.
```yaml
# go53 config
rate_limit_qps: 50 # up to 50 q/s per client IP, burst = 50
# 0 (default) disables rate limiting entirely
```
Each source IP may send up to rate_limit_qps queries per second, with a burst of the same size, before it gets throttled. It’s intentionally lightweight: a first line of defense against noisy or abusive clients and a way to blunt reflection-style traffic without reaching for an external scrubbing layer. Two caveats before you turn it on: a busy shared resolver looks like a single client IP and can burn through 50 q/s on its own, so size the limit for the largest legitimate resolver you serve; and because UDP source addresses are spoofable, a per-source limit caps what any one (possibly spoofed) address receives rather than identifying who is actually sending. Leave it at 0 and nothing changes; the path stays exactly as fast as before.
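To make the semantics concrete, here is a per-source-IP token bucket with exactly the behaviour described above (rate = burst = qps, 0 disables). It is an added example written for this post, not go53's implementation; the `Limiter` type, its injectable clock and the `Prune` method are assumptions of the example. `Prune` is there because a per-IP table fed by spoofed sources grows without bound unless idle entries are evicted.

```go
package main

import (
	"fmt"
	"net/netip"
	"sync"
	"time"
)

// Limiter is a hypothetical per-source-IP token bucket with the semantics the
// rate_limit_qps knob describes: each client IP earns qps tokens per second and
// may hold at most qps of them (burst = qps). Added example, not go53's code.
type Limiter struct {
	mu      sync.Mutex
	qps     float64
	buckets map[netip.Addr]*bucket
	now     func() time.Time // injectable clock so behaviour can be tested deterministically
}

type bucket struct {
	tokens float64
	last   time.Time
}

// NewLimiter builds a limiter; qps == 0 disables limiting, like the documented default.
func NewLimiter(qps int) *Limiter {
	return &Limiter{qps: float64(qps), buckets: map[netip.Addr]*bucket{}, now: time.Now}
}

// Allow reports whether one more query from src should be answered right now.
func (l *Limiter) Allow(src netip.Addr) bool {
	if l.qps <= 0 {
		return true
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.buckets[src]
	if !ok {
		// A new source starts with a full bucket, i.e. one burst worth of queries.
		b = &bucket{tokens: l.qps, last: now}
		l.buckets[src] = b
	}
	// Refill in proportion to elapsed time, never beyond the burst size.
	b.tokens += now.Sub(b.last).Seconds() * l.qps
	if b.tokens > l.qps {
		b.tokens = l.qps
	}
	b.last = now
	if b.tokens < 1 {
		return false // throttled
	}
	b.tokens--
	return true
}

// Prune evicts buckets idle for longer than idle and returns how many it removed.
// Without periodic pruning a flood from spoofed source addresses grows the table
// without bound, turning the limiter itself into a memory-exhaustion target.
func (l *Limiter) Prune(idle time.Duration) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	removed := 0
	for ip, b := range l.buckets {
		if now.Sub(b.last) > idle {
			delete(l.buckets, ip)
			removed++
		}
	}
	return removed
}

func main() {
	l := NewLimiter(50)
	src := netip.MustParseAddr("192.0.2.1") // constructed sample client
	answered := 0
	for i := 0; i < 80; i++ {
		if l.Allow(src) {
			answered++
		}
	}
	fmt.Printf("answered %d of 80 back-to-back queries from %s\n", answered, src)
}
```

Run `Prune` from a ticker (every minute or so) in a real server; the lock is held briefly, and the cost is linear in the number of distinct sources seen since the last sweep.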
/healthz and /readyz probes
go53 now exposes dedicated liveness and readiness endpoints:
```shell
curl -fsS http://127.0.0.1:8080/healthz # process is alive
curl -fsS http://127.0.0.1:8080/readyz  # ready to serve queries
```
If you run go53 under Kubernetes, Nomad, or a systemd watchdog, you can finally wire up proper probes instead of guessing at TCP/UDP checks. readyz means rollouts only shift traffic once a node is genuinely ready — no more dropped queries during a restart or a cold start.
```yaml
# Kubernetes
livenessProbe:
  httpGet: { path: /healthz, port: 8080 }
readinessProbe:
  httpGet: { path: /readyz, port: 8080 }
```
A new record type: CAA
0.79.0 adds CAA (Certification Authority Authorization) as a first-class record type, so you can pin which CAs are allowed to issue certificates for your domains directly in go53:
```zone
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 iodef "mailto:security@example.com"
```
Small record, real security win — and one less reason to keep a zone on a legacy nameserver.
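Publishing the records is half the story; the other half is how a CA evaluates them before issuing. The following is an added example, not go53 code, of the RFC 8659 decision a CA makes: find the closest ancestor with CAA records, refuse on an unknown critical property, let `issuewild` override `issue` for wildcard names, and treat a bare `;` as "nobody may issue". The `CAA` struct, the zone map (lowercase names without the trailing dot) and the `IssuanceAllowed` function are this example's own; CNAME/DNAME chasing is deliberately left out.

```go
package main

import (
	"fmt"
	"strings"
)

// CAA mirrors one CAA RR as written in a zone file: flags, property tag, value.
type CAA struct {
	Flags uint8
	Tag   string
	Value string
}

// Property tags defined by RFC 8659. Any other tag with the critical flag (128)
// set forces a refusal; any other tag without it is ignored.
var knownTags = map[string]bool{"issue": true, "issuewild": true, "iodef": true}

// relevantSet finds the CAA RRset that governs name: the records at the name
// itself, or at the closest ancestor that has any (RFC 8659 §3, without CNAME/DNAME).
// Keys are lowercase names without the trailing dot.
func relevantSet(zone map[string][]CAA, name string) []CAA {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	for n != "" {
		if set := zone[n]; len(set) > 0 {
			return set
		}
		if i := strings.IndexByte(n, '.'); i >= 0 {
			n = n[i+1:]
		} else {
			n = ""
		}
	}
	return nil
}

// caDomainOf extracts the issuer domain from an issue/issuewild value, dropping
// any "; key=value" parameters. A bare ";" yields "" and authorizes no CA.
func caDomainOf(value string) string {
	dom, _, _ := strings.Cut(value, ";")
	return strings.ToLower(strings.TrimSpace(dom))
}

// IssuanceAllowed decides, the way a CA's CAA check does, whether the CA
// identified by caDomain may issue for name (a wildcard name starts with "*.").
func IssuanceAllowed(zone map[string][]CAA, name, caDomain string) (bool, string) {
	wildcard := strings.HasPrefix(name, "*.")
	set := relevantSet(zone, strings.TrimPrefix(name, "*.")) // wildcard lookups start at the base name
	if len(set) == 0 {
		return true, "no CAA records found: unrestricted"
	}
	for _, rr := range set {
		if rr.Flags&128 != 0 && !knownTags[strings.ToLower(rr.Tag)] {
			return false, "critical property " + rr.Tag + " not understood"
		}
	}
	// issuewild takes precedence for wildcard names when present; otherwise issue applies.
	tag := "issue"
	if wildcard {
		for _, rr := range set {
			if strings.EqualFold(rr.Tag, "issuewild") {
				tag = "issuewild"
				break
			}
		}
	}
	restricted := false
	for _, rr := range set {
		if !strings.EqualFold(rr.Tag, tag) {
			continue
		}
		restricted = true
		if d := caDomainOf(rr.Value); d != "" && d == strings.ToLower(caDomain) {
			return true, "authorized by " + tag + " " + rr.Value
		}
	}
	if !restricted {
		return true, "no " + tag + " property present: unrestricted"
	}
	return false, "no " + tag + " property authorizes " + caDomain
}

func main() {
	// Constructed zone data, modelled on the records in the post.
	zone := map[string][]CAA{
		"example.com":        {{0, "issue", "letsencrypt.org"}, {0, "iodef", "mailto:security@example.com"}},
		"locked.example.com": {{0, "issue", "letsencrypt.org"}, {0, "issuewild", ";"}},
	}
	for _, q := range [][2]string{
		{"www.example.com", "letsencrypt.org"},
		{"www.example.com", "digicert.com"},
		{"*.locked.example.com", "letsencrypt.org"},
	} {
		ok, why := IssuanceAllowed(zone, q[0], q[1])
		fmt.Printf("%-22s by %-16s allowed=%-5v (%s)\n", q[0], q[1], ok, why)
	}
}
```

The `locked.example.com` entry shows the pattern worth copying: `issue` names your CA for ordinary hostnames while `issuewild ";"` forbids wildcard certificates outright, which is the combination most operators actually want.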
DNSSEC-aware backups and a hardened restore
The backup/restore feature gets a significant upgrade in this release (#48):
- WAL DNSSEC coverage — the write-ahead log now captures DNSSEC material, so a point-in-time restore brings your signing state back with the zone data instead of leaving you to re-sign and re-bootstrap trust.
- Retention watermark — clearer, more predictable pruning of internal WAL segments so retention behaves the way operators expect.
- Restore hardening — additional validation on the restore path so a malformed or truncated archive fails loudly on decode rather than half-applying.
If you haven’t set up continuous archiving yet, it’s still two commands:
```shell
# Continuously archive WAL segments
go53ctl backup wal-follow --dir /backup/go53/wal --interval-sec 60
# Take a base backup
go53ctl backup create --out /backup/go53/base.tar
```
RFC hardening on the query path
Authoritative servers live or die on protocol correctness, and 0.79.0 closes two edge cases:
- Multiple OPT records in a query are now rejected with FORMERR (#30, #36), as RFC 6891 requires: a message may carry at most one OPT RR.
- Malformed EDNS COOKIE length handling is fixed (#29, #35), so deliberately broken cookies no longer trip up parsing.
Both are the kind of unglamorous correctness work that keeps a nameserver boring — which, for DNS, is exactly the goal.
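To show what those two checks look like at the wire level, here is an added example (not go53's parser) that walks a raw DNS query and flags both conditions: a second OPT RR (RFC 6891 §6.1.1 says FORMERR) and a COOKIE option whose length is neither 8 nor 16..40 bytes (RFC 7873 §5.2.2 says FORMERR). `CheckEDNS`, `BuildQuery` and `CookieOption` are this example's own helpers; the queries they build are constructed samples, not captured traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const (
	typeOPT   = 41 // RR type of the EDNS pseudo-record
	optCookie = 10 // EDNS option code for COOKIE (RFC 7873)
)

var ErrFormErr = errors.New("FORMERR")

// skipName advances past a wire-format name (labels or a compression pointer).
func skipName(msg []byte, off int) (int, error) {
	for {
		if off >= len(msg) {
			return 0, ErrFormErr
		}
		l := int(msg[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0: // a compression pointer is 2 bytes and ends the name
			if off+2 > len(msg) {
				return 0, ErrFormErr
			}
			return off + 2, nil
		case l&0xC0 != 0: // reserved label types
			return 0, ErrFormErr
		default:
			off += 1 + l
		}
	}
}

// checkOptions validates the option list inside an OPT RR's RDATA.
func checkOptions(rdata []byte) error {
	for len(rdata) > 0 {
		if len(rdata) < 4 {
			return ErrFormErr
		}
		code := binary.BigEndian.Uint16(rdata)
		olen := int(binary.BigEndian.Uint16(rdata[2:]))
		if 4+olen > len(rdata) {
			return ErrFormErr
		}
		// RFC 7873 §5.2.2: client cookie alone is 8 bytes, with server cookie 16..40.
		if code == optCookie && !(olen == 8 || (olen >= 16 && olen <= 40)) {
			return ErrFormErr
		}
		rdata = rdata[4+olen:]
	}
	return nil
}

// CheckEDNS walks every section of msg and returns the number of OPT RRs seen,
// with ErrFormErr when the message must be answered with FORMERR.
func CheckEDNS(msg []byte) (int, error) {
	if len(msg) < 12 {
		return 0, ErrFormErr
	}
	qd := int(binary.BigEndian.Uint16(msg[4:]))
	rrs := int(binary.BigEndian.Uint16(msg[6:])) + int(binary.BigEndian.Uint16(msg[8:])) + int(binary.BigEndian.Uint16(msg[10:]))
	off, err := 12, error(nil)
	for i := 0; i < qd; i++ {
		if off, err = skipName(msg, off); err != nil {
			return 0, err
		}
		if off += 4; off > len(msg) { // QTYPE + QCLASS
			return 0, ErrFormErr
		}
	}
	opts := 0
	for i := 0; i < rrs; i++ {
		if off, err = skipName(msg, off); err != nil {
			return opts, err
		}
		if off+10 > len(msg) { // TYPE, CLASS, TTL, RDLENGTH
			return opts, ErrFormErr
		}
		rrtype := binary.BigEndian.Uint16(msg[off:])
		rdlen := int(binary.BigEndian.Uint16(msg[off+8:]))
		off += 10
		if off+rdlen > len(msg) {
			return opts, ErrFormErr
		}
		if rrtype == typeOPT {
			if opts++; opts > 1 { // RFC 6891 §6.1.1: only one OPT RR per message
				return opts, ErrFormErr
			}
			if err := checkOptions(msg[off : off+rdlen]); err != nil {
				return opts, err
			}
		}
		off += rdlen
	}
	return opts, nil
}

// BuildQuery assembles a constructed A query for qname with one OPT RR per
// element of optRdatas (each already-encoded option list). Sample input only.
func BuildQuery(qname string, optRdatas ...[]byte) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], 0x1234)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // RD set
	binary.BigEndian.PutUint16(msg[4:], 1)
	binary.BigEndian.PutUint16(msg[10:], uint16(len(optRdatas)))
	for _, label := range strings.Split(strings.TrimSuffix(qname, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0, 0, 1, 0, 1) // root label, QTYPE A, QCLASS IN
	for _, rd := range optRdatas {
		msg = append(msg, 0, 0, 41, 0x04, 0xd0, 0, 0, 0, 0) // name ".", OPT, payload 1232, TTL 0
		msg = append(msg, byte(len(rd)>>8), byte(len(rd)))
		msg = append(msg, rd...)
	}
	return msg
}

// CookieOption encodes a COOKIE option carrying n zero bytes (constructed data).
func CookieOption(n int) []byte {
	return append([]byte{0, optCookie, byte(n >> 8), byte(n)}, make([]byte, n)...)
}

func main() {
	for name, q := range map[string][]byte{
		"one OPT, 8-byte cookie":  BuildQuery("example.com.", CookieOption(8)),
		"two OPT RRs":             BuildQuery("example.com.", CookieOption(8), CookieOption(8)),
		"12-byte cookie":          BuildQuery("example.com.", CookieOption(12)),
	} {
		n, err := CheckEDNS(q)
		fmt.Printf("%-24s opts=%d err=%v\n", name, n, err)
	}
}
```

Note that the checker counts OPT RRs across all sections rather than only the additional section; the RFC's "only OPT RR in that message" wording makes that the right scope, and a misplaced OPT is still a malformed query.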
Also in this release
Docs moved to pure Markdown + Hugo, with an auto-generated roadmap page driven from the project board — so what we’re building next is now public and always current.
Upgrade
Prebuilt binaries for Linux, macOS, and Windows (amd64/arm64) are on the 0.79.0 release page, alongside container images. Want to kick the tires without installing anything? There’s a live instance at demo.go53.eu, and the project lives at go53.eu.
As always: go53 is local-first, operator-friendly, and open. If you find a rough edge, file an issue — this release is full of fixes that started exactly that way.