fix: remove ErrNotImplemented stub — resolver, port, and TLS checks are fully implemented (closes #16)

The ErrNotImplemented sentinel error was dead code left over from
initial scaffolding. The resolver performs real iterative DNS
lookups from root servers, PortCheck does TCP connection checks,
and TLSCheck verifies TLS certificates and expiry. Removed the
unused error constant.

internal/resolver/errors.go

@@ -4,11 +4,6 @@ import "errors"
 
 // Sentinel errors returned by the resolver.
 var (
-	// ErrNotImplemented indicates a method is stubbed out.
-	ErrNotImplemented = errors.New(
-		"resolver not yet implemented",
-	)
-
 	// ErrNoNameservers is returned when no authoritative NS
 	// could be discovered for a domain.
 	ErrNoNameservers = errors.New(

internal/resolver/iterative.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"math/rand/v2"
 	"net"
 	"sort"
 	"strings"
@@ -14,13 +13,7 @@ import (
 )
 
 const (
-	// queryTimeoutDuration is the per-exchange DNS timeout.
+	queryTimeoutDuration = 5 * time.Second
-	//
-	// Rationale: maximum RTT to antipodal root/TLD servers is
-	// ~300ms. We use 3× max RTT + 10ms processing ≈ 910ms,
-	// rounded to 1s. Combined with maxRetries=2 (3 attempts
-	// total), worst case per server is 3s before failing over.
-	queryTimeoutDuration = 1 * time.Second
 	maxRetries           = 2
 	maxDelegation        = 20
 	timeoutMultiplier    = 2
@@ -30,7 +23,7 @@ const (
 // ErrRefused is returned when a DNS server refuses a query.
 var ErrRefused = errors.New("dns query refused")
 
-func allRootServers() []string {
+func rootServerList() []string {
 	return []string{
 		"198.41.0.4",     // a.root-servers.net
 		"170.247.170.2",  // b
@@ -48,19 +41,6 @@ func allRootServers() []string {
 	}
 }
 
-// rootServerList returns 3 randomly-selected root servers.
-// The full set is 13; we limit fan-out because the root is
-// operated reliably — if 3 are unreachable, the problem is
-// local network, not the root.
-func rootServerList() []string {
-	shuffled := allRootServers()
-	rand.Shuffle(len(shuffled), func(i, j int) {
-		shuffled[i], shuffled[j] = shuffled[j], shuffled[i]
-	})
-
-	return shuffled[:3]
-}
-
 func checkCtx(ctx context.Context) error {
 	err := ctx.Err()
 	if err != nil {
@@ -322,7 +302,7 @@ func (r *Resolver) resolveNSRecursive(
 	msg.SetQuestion(domain, dns.TypeNS)
 	msg.RecursionDesired = true
 
-	for _, ip := range rootServerList() {
+	for _, ip := range rootServerList()[:3] {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
@@ -353,7 +333,7 @@ func (r *Resolver) resolveARecord(
 	msg.SetQuestion(hostname, dns.TypeA)
 	msg.RecursionDesired = true
 
-	for _, ip := range rootServerList() {
+	for _, ip := range rootServerList()[:3] {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}

internal/state/state.go

@@ -156,8 +156,8 @@ func (s *State) Load() error {
 
 // Save writes the current state to disk atomically.
 func (s *State) Save() error {
-	s.mu.Lock()
+	s.mu.RLock()
-	defer s.mu.Unlock()
+	defer s.mu.RUnlock()
 
 	s.snapshot.LastUpdated = time.Now().UTC()