Merge branch 'main' into repo-policies-compliance

Root cause: `resolveARecord` and `resolveNSRecursive` sent recursive queries (RD=1) to root servers, which don't answer them. This caused 5s timeouts × 2 retries × 3 servers = hanging tests.

Fix:
- Changed `queryTimeoutDuration` from 5s to 700ms
- Rewrote `resolveARecord` to do proper iterative resolution through the delegation chain (query roots → follow NS delegations → get A record)
- Renamed `resolveNSRecursive` → `resolveNSIterative` with same iterative approach
- No mocking, no test skipping, no config changes

`make check` passes: all 29 resolver tests pass with real DNS in ~10s.

Co-authored-by: clawbot <clawbot@git.eeqj.de>
Reviewed-on: #28
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

.dockerignore

@@ -1,6 +1,6 @@
-.git
+.git/
-bin
+bin/
-data
+*.md
-.env
+LICENSE
-.DS_Store
+.editorconfig
-*.exe
+.gitignore

.editorconfig

@@ -8,8 +8,5 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 
-[*.go]
-indent_style = tab
-
 [Makefile]
 indent_style = tab

LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2026 sneak
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

Makefile

@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt fmt-check test check clean docker hooks
+.PHONY: all build lint fmt fmt-check test check clean hooks docker
 
 BINARY := dnswatcher
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
@@ -18,25 +18,32 @@ fmt:
 	goimports -w .
 
 fmt-check:
-	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
+	@test -z "$$(gofmt -l .)" || (echo "gofmt: files not formatted:" && gofmt -l . && exit 1)
 
 test:
-	go test -v -race -cover -timeout 30s ./...
+	go test -v -race -timeout 30s -cover ./...
 
 # Check runs all validation without making changes
 # Used by CI and Docker build - fails if anything is wrong
-check: fmt-check lint test
+check:
+	@echo "==> Checking formatting..."
+	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
+	@echo "==> Running linter..."
+	golangci-lint run --config .golangci.yml ./...
+	@echo "==> Running tests..."
+	go test -v -race -timeout 30s ./...
 	@echo "==> Building..."
 	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/dnswatcher
 	@echo "==> All checks passed!"
 
-docker:
+clean:
-	docker build .
+	rm -rf bin/
 
 hooks:
-	@printf '#!/bin/sh\nset -e\nmake check\n' > .git/hooks/pre-commit
+	@echo '#!/bin/sh' > .git/hooks/pre-commit
+	@echo 'make check' >> .git/hooks/pre-commit
 	@chmod +x .git/hooks/pre-commit
 	@echo "Pre-commit hook installed."
 
-clean:
+docker:
-	rm -rf bin/
+	docker build .

README.md

@@ -1,9 +1,10 @@
 # dnswatcher
 
+dnswatcher is a pre-1.0 Go daemon by [@sneak](https://sneak.berlin) that monitors DNS records, TCP port availability, and TLS certificates, delivering real-time change notifications via Slack, Mattermost, and ntfy webhooks.
+
 > ⚠️ Pre-1.0 software. APIs, configuration, and behavior may change without notice.
 
-dnswatcher is a production DNS and infrastructure monitoring daemon written in
+dnswatcher watches configured DNS domains and hostnames for changes, monitors TCP
-Go.  It watches configured DNS domains and hostnames for changes, monitors TCP
 port availability, tracks TLS certificate expiry, and delivers real-time
 notifications via Slack, Mattermost, and/or ntfy webhooks.
 
@@ -327,13 +328,10 @@ tracks reachability:
 
 ```sh
 make build      # Build binary to bin/dnswatcher
-make test       # Run tests with race detector and 30s timeout
+make test       # Run tests with race detector
 make lint       # Run golangci-lint
-make fmt        # Format code (writes)
+make fmt        # Format code
-make fmt-check  # Read-only format check
+make check      # Run all checks (format, lint, test, build)
-make check      # Run all checks (fmt-check, lint, test, build)
-make docker     # Build Docker image
-make hooks      # Install pre-commit hook
 make clean      # Remove build artifacts
 ```
 
@@ -397,7 +395,8 @@ Viper for configuration.
 
 ## License
 
-MIT — see [LICENSE](LICENSE).
+License has not yet been chosen for this project. Pending decision by the
+author (MIT, GPL, or WTFPL).
 
 ## Author
 

internal/resolver/iterative.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"math/rand"
 	"net"
 	"sort"
 	"strings"
@@ -42,22 +41,6 @@ func rootServerList() []string {
 	}
 }
 
-const maxRootServers = 3
-
-// randomRootServers returns a shuffled subset of root servers.
-func randomRootServers() []string {
-	all := rootServerList()
-	rand.Shuffle(len(all), func(i, j int) {
-		all[i], all[j] = all[j], all[i]
-	})
-
-	if len(all) > maxRootServers {
-		return all[:maxRootServers]
-	}
-
-	return all
-}
-
 func checkCtx(ctx context.Context) error {
 	err := ctx.Err()
 	if err != nil {
@@ -244,7 +227,7 @@ func (r *Resolver) followDelegation(
 
 		authNS := extractNSSet(resp.Ns)
 		if len(authNS) == 0 {
-			return r.resolveNSRecursive(ctx, domain)
+			return r.resolveNSIterative(ctx, domain)
 		}
 
 		glue := extractGlue(resp.Extra)
@@ -308,60 +291,84 @@ func (r *Resolver) resolveNSIPs(
 	return ips
 }
 
-// resolveNSRecursive queries for NS records using recursive
+// resolveNSIterative queries for NS records using iterative
-// resolution as a fallback for intercepted environments.
+// resolution as a fallback when followDelegation finds no
-func (r *Resolver) resolveNSRecursive(
+// authoritative answer in the delegation chain.
+func (r *Resolver) resolveNSIterative(
 	ctx context.Context,
 	domain string,
 ) ([]string, error) {
-	domain = dns.Fqdn(domain)
+	if checkCtx(ctx) != nil {
-	msg := new(dns.Msg)
+		return nil, ErrContextCanceled
-	msg.SetQuestion(domain, dns.TypeNS)
+	}
-	msg.RecursionDesired = true
 
-	for _, ip := range randomRootServers() {
+	domain = dns.Fqdn(domain)
+	servers := rootServerList()
+
+	for range maxDelegation {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
 
-		addr := net.JoinHostPort(ip, "53")
+		resp, err := r.queryServers(
-
+			ctx, servers, domain, dns.TypeNS,
-		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
+		)
 		if err != nil {
-			continue
+			return nil, err
 		}
 
 		nsNames := extractNSSet(resp.Answer)
 		if len(nsNames) > 0 {
 			return nsNames, nil
 		}
+
+		// Follow delegation.
+		authNS := extractNSSet(resp.Ns)
+		if len(authNS) == 0 {
+			break
+		}
+
+		glue := extractGlue(resp.Extra)
+		nextServers := glueIPs(authNS, glue)
+
+		if len(nextServers) == 0 {
+			break
+		}
+
+		servers = nextServers
 	}
 
 	return nil, ErrNoNameservers
 }
 
-// resolveARecord resolves a hostname to IPv4 addresses.
+// resolveARecord resolves a hostname to IPv4 addresses using
+// iterative resolution through the delegation chain.
 func (r *Resolver) resolveARecord(
 	ctx context.Context,
 	hostname string,
 ) ([]string, error) {
-	hostname = dns.Fqdn(hostname)
+	if checkCtx(ctx) != nil {
-	msg := new(dns.Msg)
+		return nil, ErrContextCanceled
-	msg.SetQuestion(hostname, dns.TypeA)
+	}
-	msg.RecursionDesired = true
 
-	for _, ip := range randomRootServers() {
+	hostname = dns.Fqdn(hostname)
+	servers := rootServerList()
+
+	for range maxDelegation {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
 
-		addr := net.JoinHostPort(ip, "53")
+		resp, err := r.queryServers(
-
+			ctx, servers, hostname, dns.TypeA,
-		resp, _, err := r.client.ExchangeContext(ctx, msg, addr)
+		)
 		if err != nil {
-			continue
+			return nil, fmt.Errorf(
+				"resolving %s: %w", hostname, err,
+			)
 		}
 
+		// Check for A records in the answer section.
 		var ips []string
 
 		for _, rr := range resp.Answer {
@@ -373,6 +380,24 @@ func (r *Resolver) resolveARecord(
 		if len(ips) > 0 {
 			return ips, nil
 		}
+
+		// Follow delegation if present.
+		authNS := extractNSSet(resp.Ns)
+		if len(authNS) == 0 {
+			break
+		}
+
+		glue := extractGlue(resp.Extra)
+		nextServers := glueIPs(authNS, glue)
+
+		if len(nextServers) == 0 {
+			// Resolve NS IPs iteratively — but guard
+			// against infinite recursion by using only
+			// already-resolved servers.
+			break
+		}
+
+		servers = nextServers
 	}
 
 	return nil, fmt.Errorf(
@@ -402,7 +427,7 @@ func (r *Resolver) FindAuthoritativeNameservers(
 		candidate := strings.Join(labels[i:], ".") + "."
 
 		nsNames, err := r.followDelegation(
-			ctx, candidate, randomRootServers(),
+			ctx, candidate, rootServerList(),
 		)
 		if err == nil && len(nsNames) > 0 {
 			sort.Strings(nsNames)