resolver: reduce query timeout to 1s and limit root fan-out to 3 (closes #29 )

Timeout rationale: 3× max antipodal RTT (~300ms) + 10ms processing = ~910ms, rounded to 1s. Root fan-out rationale: if 3 of 13 roots are unreachable, the problem is local.
2026-02-22 03:44:10 -08:00
17 changed files with 1390 additions and 633 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +0,0 @@
 .git
 bin
 data
 .env
 .DS_Store
 *.exe
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,15 +0,0 @@
 root = true
 [*]
 indent_style = space
 indent_size = 4
 end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 [*.go]
 indent_style = tab
 [Makefile]
 indent_style = tab
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -1,9 +1,26 @@
-name: check
+name: Check
-on: [push]
+
 on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
 jobs:
  check:
    runs-on: ubuntu-latest
    steps:
-            # actions/checkout v4.2.2, 2026-02-28
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
-            - run: docker build .
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
        with:
          go-version-file: go.mod
      - name: Install golangci-lint
        run: go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
      - name: Install goimports
        run: go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
      - name: Run make check
        run: make check
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,68 @@
 # Repository Rules
 Last Updated 2026-01-08
 These rules MUST be followed at all times, it is very important.
 * Never use `git add -A` - add specific changes to a deliberate commit. A
  commit should contain one change. After each change, make a commit with a
  good one-line summary.
 * NEVER modify the linter config without asking first.
 * NEVER modify tests to exclude special cases or otherwise get them to pass
  without asking first. In almost all cases, the code should be changed,
  NOT the tests. If you think the test needs to be changed, make your case
  for that and ask for permission to proceed, then stop. You need explicit
  user approval to modify existing tests. (You do not need user approval
  for writing NEW tests.)
 * When linting, assume the linter config is CORRECT, and that each item
  output by the linter is something that legitimately needs fixing in the
  code.
 * When running tests, use `make test`.
 * Before commits, run `make check`. This runs `make lint` and `make test`
  and `make check-fmt`. Any issues discovered MUST be resolved before
  committing unless explicitly told otherwise.
 * When fixing a bug, write a failing test for the bug FIRST. Add
  appropriate logging to the test to ensure it is written correctly. Commit
  that. Then go about fixing the bug until the test passes (without
  modifying the test further). Then commit that.
 * When adding a new feature, do the same - implement a test first (TDD). It
  doesn't have to be super complex. Commit the test, then commit the
  feature.
 * When adding a new feature, use a feature branch. When the feature is
  completely finished and the code is up to standards (passes `make check`)
  then and only then can the feature branch be merged into `main` and the
  branch deleted.
 * Write godoc documentation comments for all exported types and functions as
  you go along.
 * ALWAYS be consistent in naming. If you name something one thing in one
  place, name it the EXACT SAME THING in another place.
 * Be descriptive and specific in naming. `wl` is bad;
  `SourceHostWhitelist` is good. `ConnsPerHost` is bad;
  `MaxConnectionsPerHost` is good.
 * This is not prototype or teaching code - this is designed for production.
  Any security issues (such as denial of service) or other web
  vulnerabilities are P1 bugs and must be added to TODO.md at the top.
 * As this is production code, no stubbing of implementations unless
  specifically instructed. We need working implementations.
 * Avoid vendoring deps unless specifically instructed to.  NEVER commit
  the vendor directory, NEVER commit compiled binaries.  If these
  directories or files exist, add them to .gitignore (and commit the
  .gitignore) if they are not already in there.  Keep the entire git
  repository (with history) small - under 20MiB, unless you specifically
  must commit larger files (e.g. test fixture example media files).  Only
  OUR source code and immediately supporting files (such as test examples)
  goes into the repo/history.
--- a/CONVENTIONS.md
+++ b/CONVENTIONS.md
--- a/15
+++ b/15
@@ -1,13 +1,11 @@
 # Build stage
-# golang 1.25-alpine, 2026-02-28
+FROM golang:1.25-alpine AS builder
 FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
-RUN apk add --no-cache git make gcc musl-dev binutils-gold
+RUN apk add --no-cache git make gcc musl-dev
-# golangci-lint v2.10.1
+# Install golangci-lint v2
-RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee
+RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
-# goimports v0.42.0
+RUN go install golang.org/x/tools/cmd/goimports@latest
 RUN go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0
 WORKDIR /src
 COPY go.mod go.sum ./
@@ -22,8 +20,7 @@ RUN make check
 RUN make build
 # Runtime stage
-# alpine 3.21, 2026-02-28
+FROM alpine:3.21
 FROM alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
 RUN apk add --no-cache ca-certificates tzdata
--- a/21
+++ b/21
@@ -1,21 +0,0 @@
 MIT License
 Copyright (c) 2026 sneak
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/23
+++ b/23
@@ -1,4 +1,4 @@
-.PHONY: all build lint fmt fmt-check test check clean docker hooks
+.PHONY: all build lint fmt test check clean
 BINARY := dnswatcher
 VERSION := $(shell git describe --tags --always --dirty 2>/dev/null || echo "dev")
@@ -17,26 +17,21 @@ fmt:
 	gofmt -s -w .
 	goimports -w .
 fmt-check:
 	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
 test:
-	go test -v -race -cover -timeout 30s ./...
+	go test -v -race -cover ./...
 # Check runs all validation without making changes
 # Used by CI and Docker build - fails if anything is wrong
-check: fmt-check lint test
+check:
 	@echo "==> Checking formatting..."
 	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)
 	@echo "==> Running linter..."
 	golangci-lint run --config .golangci.yml ./...
 	@echo "==> Running tests..."
 	go test -v -race ./...
 	@echo "==> Building..."
 	go build -ldflags "$(LDFLAGS)" -o /dev/null ./cmd/dnswatcher
 	@echo "==> All checks passed!"
 docker:
 	docker build .
 hooks:
 	@printf '#!/bin/sh\nset -e\nmake check\n' > .git/hooks/pre-commit
 	@chmod +x .git/hooks/pre-commit
 	@echo "Pre-commit hook installed."
 clean:
 	rm -rf bin/
--- a/README.md
+++ b/README.md
@@ -327,13 +327,10 @@ tracks reachability:
 ```sh
 make build      # Build binary to bin/dnswatcher
-make test       # Run tests with race detector and 30s timeout
+make test       # Run tests with race detector
 make lint       # Run golangci-lint
-make fmt        # Format code (writes)
+make fmt        # Format code
-make fmt-check  # Read-only format check
+make check      # Run all checks (format, lint, test, build)
 make check      # Run all checks (fmt-check, lint, test, build)
 make docker     # Build Docker image
 make hooks      # Install pre-commit hook
 make clean      # Remove build artifacts
 ```
@@ -388,17 +385,7 @@ docker run -d \
 ## Project Structure
-Follows the conventions defined in `REPO_POLICIES.md`, adapted from the
+Follows the conventions defined in `CONVENTIONS.md`, adapted from the
 [upaas](https://git.eeqj.de/sneak/upaas) project template.  Uses uber/fx
 for dependency injection, go-chi for HTTP routing, slog for logging, and
 Viper for configuration.
 ---
 ## License
 MIT — see [LICENSE](LICENSE).
 ## Author
 [@sneak](https://sneak.berlin)
--- a/REPO_POLICIES.md
+++ b/REPO_POLICIES.md
@@ -1,188 +0,0 @@
 ---
 title: Repository Policies
 last_modified: 2026-02-22
 ---
 This document covers repository structure, tooling, and workflow standards. Code
 style conventions are in separate documents:
 - [Code Styleguide](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE.md)
  (general, bash, Docker)
 - [Go](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_GO.md)
 - [JavaScript](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_JS.md)
 - [Python](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/CODE_STYLEGUIDE_PYTHON.md)
 - [Go HTTP Server Conventions](https://git.eeqj.de/sneak/prompts/raw/branch/main/prompts/GO_HTTP_SERVER_CONVENTIONS.md)
 ---
 - Cross-project documentation (such as this file) must include
  `last_modified: YYYY-MM-DD` in the YAML front matter so it can be kept in sync
  with the authoritative source as policies evolve.
 - **ALL external references must be pinned by cryptographic hash.** This
  includes Docker base images, Go modules, npm packages, GitHub Actions, and
  anything else fetched from a remote source. Version tags (`@v4`, `@latest`,
  `:3.21`, etc.) are server-mutable and therefore remote code execution
  vulnerabilities. The ONLY acceptable way to reference an external dependency
  is by its content hash (Docker `@sha256:...`, Go module hash in `go.sum`, npm
  integrity hash in lockfile, GitHub Actions `@<commit-sha>`). No exceptions.
  This also means never `curl | bash` to install tools like pyenv, nvm, rustup,
  etc. Instead, download a specific release archive from GitHub, verify its hash
  (hardcoded in the Dockerfile or script), and only then install. Unverified
  install scripts are arbitrary remote code execution. This is the single most
  important rule in this document. Double-check every external reference in
  every file before committing. There are zero exceptions to this rule.
 - Every repo with software must have a root `Makefile` with these targets:
  `make test`, `make lint`, `make fmt` (writes), `make fmt-check` (read-only),
  `make check` (prereqs: `test`, `lint`, `fmt-check`), `make docker`, and
  `make hooks` (installs pre-commit hook). A model Makefile is at
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/Makefile`.
 - Always use Makefile targets (`make fmt`, `make test`, `make lint`, etc.)
  instead of invoking the underlying tools directly. The Makefile is the single
  source of truth for how these operations are run.
 - The Makefile is authoritative documentation for how the repo is used. Beyond
  the required targets above, it should have targets for every common operation:
  running a local development server (`make run`, `make dev`), re-initializing
  or migrating the database (`make db-reset`, `make migrate`), building
  artifacts (`make build`), generating code, seeding data, or anything else a
  developer would do regularly. If someone checks out the repo and types
  `make<tab>`, they should see every meaningful operation available. A new
  contributor should be able to understand the entire development workflow by
  reading the Makefile.
 - Every repo should have a `Dockerfile`. All Dockerfiles must run `make check`
  as a build step so the build fails if the branch is not green. For non-server
  repos, the Dockerfile should bring up a development environment and run
  `make check`. For server repos, `make check` should run as an early build
  stage before the final image is assembled.
 - Every repo should have a Gitea Actions workflow (`.gitea/workflows/`) that
  runs `docker build .` on push. Since the Dockerfile already runs `make check`,
  a successful build implies all checks pass.
 - Use platform-standard formatters: `black` for Python, `prettier` for
  JS/CSS/Markdown/HTML, `go fmt` for Go. Always use default configuration with
  two exceptions: four-space indents (except Go), and `proseWrap: always` for
  Markdown (hard-wrap at 80 columns). Documentation and writing repos (Markdown,
  HTML, CSS) should also have `.prettierrc` and `.prettierignore`.
 - Pre-commit hook: `make check` if local testing is possible, otherwise
  `make lint && make fmt-check`. The Makefile should provide a `make hooks`
  target to install the pre-commit hook.
 - All repos with software must have tests that run via the platform-standard
  test framework (`go test`, `pytest`, `jest`/`vitest`, etc.). If no meaningful
  tests exist yet, add the most minimal test possible — e.g. importing the
  module under test to verify it compiles/parses. There is no excuse for
  `make test` to be a no-op.
 - `make test` must complete in under 20 seconds. Add a 30-second timeout in the
  Makefile.
 - Docker builds must complete in under 5 minutes.
 - `make check` must not modify any files in the repo. Tests may use temporary
  directories.
 - `main` must always pass `make check`, no exceptions.
 - Never commit secrets. `.env` files, credentials, API keys, and private keys
  must be in `.gitignore`. No exceptions.
 - `.gitignore` should be comprehensive from the start: OS files (`.DS_Store`),
  editor files (`.swp`, `*~`), language build artifacts, and `node_modules/`.
  Fetch the standard `.gitignore` from
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` when setting up
  a new repo.
 - Never use `git add -A` or `git add .`. Always stage files explicitly by name.
 - Never force-push to `main`.
 - Make all changes on a feature branch. You can do whatever you want on a
  feature branch.
 - `.golangci.yml` is standardized and must _NEVER_ be modified by an agent, only
  manually by the user. Fetch from
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/.golangci.yml`.
 - When pinning images or packages by hash, add a comment above the reference
  with the version and date (YYYY-MM-DD).
 - Use `yarn`, not `npm`.
 - Write all dates as YYYY-MM-DD (ISO 8601).
 - Simple projects should be configured with environment variables.
 - Dockerized web services listen on port 8080 by default, overridable with
  `PORT`.
 - `README.md` is the primary documentation. Required sections:
    - **Description**: First line must include the project name, purpose,
      category (web server, SPA, CLI tool, etc.), license, and author. Example:
      "µPaaS is an MIT-licensed Go web application by @sneak that receives
      git-frontend webhooks and deploys applications via Docker in realtime."
    - **Getting Started**: Copy-pasteable install/usage code block.
    - **Rationale**: Why does this exist?
    - **Design**: How is the program structured?
    - **TODO**: Update meticulously, even between commits. When planning, put
      the todo list in the README so a new agent can pick up where the last one
      left off.
    - **License**: MIT, GPL, or WTFPL. Ask the user for new projects. Include a
      `LICENSE` file in the repo root and a License section in the README.
    - **Author**: [@sneak](https://sneak.berlin).
 - First commit of a new repo should contain only `README.md`.
 - Go module root: `sneak.berlin/go/<name>`. Always run `go mod tidy` before
  committing.
 - Use SemVer.
 - Database migrations live in `internal/db/migrations/` and must be embedded in
  the binary.
  - `000_migration.sql` — contains ONLY the creation of the migrations tracking
    table itself. Nothing else.
  - `001_schema.sql` — the full application schema.
  - **Pre-1.0.0:** never add additional migration files (002, 003, etc.). There
    is no installed base to migrate. Edit `001_schema.sql` directly.
  - **Post-1.0.0:** add new numbered migration files for each schema change.
    Never edit existing migrations after release.
 - All repos should have an `.editorconfig` enforcing the project's indentation
  settings.
 - Avoid putting files in the repo root unless necessary. Root should contain
  only project-level config files (`README.md`, `Makefile`, `Dockerfile`,
  `LICENSE`, `.gitignore`, `.editorconfig`, `REPO_POLICIES.md`, and
  language-specific config). Everything else goes in a subdirectory. Canonical
  subdirectory names:
    - `bin/` — executable scripts and tools
    - `cmd/` — Go command entrypoints
    - `configs/` — configuration templates and examples
    - `deploy/` — deployment manifests (k8s, compose, terraform)
    - `docs/` — documentation and markdown (README.md stays in root)
    - `internal/` — Go internal packages
    - `internal/db/migrations/` — database migrations
    - `pkg/` — Go library packages
    - `share/` — systemd units, data files
    - `static/` — static assets (images, fonts, etc.)
    - `web/` — web frontend source
 - When setting up a new repo, files from the `prompts` repo may be used as
  templates. Fetch them from
  `https://git.eeqj.de/sneak/prompts/raw/branch/main/<path>`.
 - New repos must contain at minimum:
    - `README.md`, `.git`, `.gitignore`, `.editorconfig`
    - `LICENSE`, `REPO_POLICIES.md` (copy from the `prompts` repo)
    - `Makefile`
    - `Dockerfile`, `.dockerignore`
    - `.gitea/workflows/check.yml`
    - Go: `go.mod`, `go.sum`, `.golangci.yml`
    - JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore`
    - Python: `pyproject.toml`
--- a/TESTING.md
+++ b/TESTING.md
@@ -1,34 +0,0 @@
 # Testing Policy
 ## DNS Resolution Tests
 All resolver tests **MUST** use live queries against real DNS servers.
 No mocking of the DNS client layer is permitted.
 ### Rationale
 The resolver performs iterative resolution from root nameservers through
 the full delegation chain. Mocked responses cannot faithfully represent
 the variety of real-world DNS behavior (truncation, referrals, glue
 records, DNSSEC, varied response times, EDNS, etc.). Testing against
 real servers ensures the resolver works correctly in production.
 ### Constraints
 - Tests hit real DNS infrastructure and require network access
 - Test duration depends on network conditions; timeout tuning keeps
  the suite within the 30-second target
 - Query timeout is calibrated to 3× maximum antipodal RTT (~300ms)
  plus processing margin
 - Root server fan-out is limited to reduce parallel query load
 - Flaky failures from transient network issues are acceptable and
  should be investigated as potential resolver bugs, not papered over
  with mocks or skip flags
 ### What NOT to do
 - **Do not mock `DNSClient`** for resolver tests (the mock constructor
  exists for unit-testing other packages that consume the resolver)
 - **Do not add `-short` flags** to skip slow tests
 - **Do not increase `-timeout`** to hide hanging queries
 - **Do not modify linter configuration** to suppress findings
--- a/internal/resolver/errors.go
+++ b/internal/resolver/errors.go
@@ -4,6 +4,11 @@ import "errors"
 // Sentinel errors returned by the resolver.
 var (
 	// ErrNotImplemented indicates a method is stubbed out.
 	ErrNotImplemented = errors.New(
 		"resolver not yet implemented",
 	)
 	// ErrNoNameservers is returned when no authoritative NS
 	// could be discovered for a domain.
 	ErrNoNameservers = errors.New(
--- a/internal/resolver/iterative.go
+++ b/internal/resolver/iterative.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"math/rand"
+	"math/rand/v2"
 	"net"
 	"sort"
 	"strings"
@@ -14,7 +14,13 @@ import (
 )
 const (
-	queryTimeoutDuration = 2 * time.Second
+	// queryTimeoutDuration is the per-exchange DNS timeout.
 	//
 	// Rationale: maximum RTT to antipodal root/TLD servers is
 	// ~300ms. We use 3× max RTT + 10ms processing ≈ 910ms,
 	// rounded to 1s. Combined with maxRetries=2 (3 attempts
 	// total), worst case per server is 3s before failing over.
 	queryTimeoutDuration = 1 * time.Second
 	maxRetries           = 2
 	maxDelegation        = 20
 	timeoutMultiplier    = 2
@@ -24,7 +30,7 @@ const (
 // ErrRefused is returned when a DNS server refuses a query.
 var ErrRefused = errors.New("dns query refused")
-func rootServerList() []string {
+func allRootServers() []string {
 	return []string{
 		"198.41.0.4",     // a.root-servers.net
 		"170.247.170.2",  // b
@@ -42,20 +48,17 @@ func rootServerList() []string {
 	}
 }
-const maxRootServers = 3
+// rootServerList returns 3 randomly-selected root servers.
-
+// The full set is 13; we limit fan-out because the root is
-// randomRootServers returns a shuffled subset of root servers.
+// operated reliably — if 3 are unreachable, the problem is
-func randomRootServers() []string {
+// local network, not the root.
-	all := rootServerList()
+func rootServerList() []string {
-	rand.Shuffle(len(all), func(i, j int) {
+	shuffled := allRootServers()
-		all[i], all[j] = all[j], all[i]
+	rand.Shuffle(len(shuffled), func(i, j int) {
 		shuffled[i], shuffled[j] = shuffled[j], shuffled[i]
 	})
-	if len(all) > maxRootServers {
+	return shuffled[:3]
 		return all[:maxRootServers]
 	}
 	return all
 }
 func checkCtx(ctx context.Context) error {
@@ -319,7 +322,7 @@ func (r *Resolver) resolveNSRecursive(
 	msg.SetQuestion(domain, dns.TypeNS)
 	msg.RecursionDesired = true
-	for _, ip := range randomRootServers() {
+	for _, ip := range rootServerList() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
@@ -350,7 +353,7 @@ func (r *Resolver) resolveARecord(
 	msg.SetQuestion(hostname, dns.TypeA)
 	msg.RecursionDesired = true
-	for _, ip := range randomRootServers() {
+	for _, ip := range rootServerList() {
 		if checkCtx(ctx) != nil {
 			return nil, ErrContextCanceled
 		}
@@ -402,7 +405,7 @@ func (r *Resolver) FindAuthoritativeNameservers(
 		candidate := strings.Join(labels[i:], ".") + "."
 		nsNames, err := r.followDelegation(
-			ctx, candidate, randomRootServers(),
+			ctx, candidate, rootServerList(),
 		)
 		if err == nil && len(nsNames) > 0 {
 			sort.Strings(nsNames)
@@ -435,23 +438,6 @@ func (r *Resolver) QueryNameserver(
 	return r.queryAllTypes(ctx, nsHostname, nsIPs[0], hostname)
 }
 // QueryNameserverIP queries a nameserver by its IP address directly,
 // bypassing NS hostname resolution.
 func (r *Resolver) QueryNameserverIP(
 	ctx context.Context,
 	nsHostname string,
 	nsIP string,
 	hostname string,
 ) (*NameserverResponse, error) {
 	if checkCtx(ctx) != nil {
 		return nil, ErrContextCanceled
 	}
 	hostname = dns.Fqdn(hostname)
 	return r.queryAllTypes(ctx, nsHostname, nsIP, hostname)
 }
 func (r *Resolver) queryAllTypes(
 	ctx context.Context,
 	nsHostname string,
@@ -479,7 +465,6 @@ func (r *Resolver) queryAllTypes(
 type queryState struct {
 	gotNXDomain bool
 	gotSERVFAIL bool
 	gotTimeout  bool
 	hasRecords  bool
 }
@@ -517,10 +502,6 @@ func (r *Resolver) querySingleType(
 ) {
 	msg, err := r.queryDNS(ctx, nsIP, hostname, qtype)
 	if err != nil {
 		if isTimeout(err) {
 			state.gotTimeout = true
 		}
 		return
 	}
@@ -558,26 +539,12 @@ func collectAnswerRecords(
 	}
 }
 // isTimeout checks whether an error is a network timeout.
 func isTimeout(err error) bool {
 	var netErr net.Error
 	if errors.As(err, &netErr) {
 		return netErr.Timeout()
 	}
 	return false
 }
 func classifyResponse(resp *NameserverResponse, state queryState) {
 	switch {
 	case state.gotNXDomain && !state.hasRecords:
 		resp.Status = StatusNXDomain
 	case state.gotTimeout && !state.hasRecords:
 		resp.Status = StatusTimeout
 		resp.Error = "all queries timed out"
 	case state.gotSERVFAIL && !state.hasRecords:
 		resp.Status = StatusError
 		resp.Error = "server returned SERVFAIL"
 	case !state.hasRecords && !state.gotNXDomain:
 		resp.Status = StatusNoData
 	}
--- a/internal/resolver/resolver.go
+++ b/internal/resolver/resolver.go
@@ -17,7 +17,6 @@ const (
 	StatusError    = "error"
 	StatusNXDomain = "nxdomain"
 	StatusNoData   = "nodata"
 	StatusTimeout  = "timeout"
 )
 // MaxCNAMEDepth is the maximum CNAME chain depth to follow.
--- a/internal/resolver/resolver_test.go
+++ b/internal/resolver/resolver_test.go
@@ -10,7 +10,6 @@ import (
 	"testing"
 	"time"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -623,59 +622,6 @@ func TestQueryAllNameservers_ContextCanceled(t *testing.T) {
 	assert.Error(t, err)
 }
 // ----------------------------------------------------------------
 // Timeout tests
 // ----------------------------------------------------------------
 func TestQueryNameserverIP_Timeout(t *testing.T) {
 	t.Parallel()
 	log := slog.New(slog.NewTextHandler(
 		os.Stderr,
 		&slog.HandlerOptions{Level: slog.LevelDebug},
 	))
 	r := resolver.NewFromLoggerWithClient(
 		log, &timeoutClient{},
 	)
 	ctx, cancel := context.WithTimeout(
 		context.Background(), 10*time.Second,
 	)
 	t.Cleanup(cancel)
 	// Query any IP — the client always returns a timeout error.
 	resp, err := r.QueryNameserverIP(
 		ctx, "unreachable.test.", "192.0.2.1",
 		"example.com",
 	)
 	require.NoError(t, err)
 	assert.Equal(t, resolver.StatusTimeout, resp.Status)
 	assert.NotEmpty(t, resp.Error)
 }
 // timeoutClient simulates DNS timeout errors for testing.
 type timeoutClient struct{}
 func (c *timeoutClient) ExchangeContext(
 	_ context.Context,
 	_ *dns.Msg,
 	_ string,
 ) (*dns.Msg, time.Duration, error) {
 	return nil, 0, &net.OpError{
 		Op:  "read",
 		Net: "udp",
 		Err: &timeoutError{},
 	}
 }
 type timeoutError struct{}
 func (e *timeoutError) Error() string   { return "i/o timeout" }
 func (e *timeoutError) Timeout() bool   { return true }
 func (e *timeoutError) Temporary() bool { return true }
 func TestResolveIPAddresses_ContextCanceled(t *testing.T) {
 	t.Parallel()
--- a/internal/watcher/watcher.go
+++ b/internal/watcher/watcher.go
@@ -6,7 +6,6 @@ import (
 	"log/slog"
 	"sort"
 	"strings"
 	"sync"
 	"time"
 	"go.uber.org/fx"
@@ -50,8 +49,6 @@ type Watcher struct {
 	notify    Notifier
 	cancel    context.CancelFunc
 	firstRun  bool
 	expiryNotifiedMu sync.Mutex
 	expiryNotified   map[string]time.Time
 }
 // New creates a new Watcher instance wired into the fx lifecycle.
@@ -68,7 +65,6 @@ func New(
 		tlsCheck:  params.TLSCheck,
 		notify:    params.Notify,
 		firstRun:  true,
 		expiryNotified: make(map[string]time.Time),
 	}
 	lifecycle.Append(fx.Hook{
@@ -112,7 +108,6 @@ func NewForTest(
 		tlsCheck:  tc,
 		notify:    n,
 		firstRun:  true,
 		expiryNotified: make(map[string]time.Time),
 	}
 }
@@ -211,28 +206,6 @@ func (w *Watcher) checkDomain(
 		Nameservers: nameservers,
 		LastChecked: now,
 	})
 	// Also look up A/AAAA records for the apex domain so that
 	// port and TLS checks (which read HostnameState) can find
 	// the domain's IP addresses.
 	records, err := w.resolver.LookupAllRecords(ctx, domain)
 	if err != nil {
 		w.log.Error(
 			"failed to lookup records for domain",
 			"domain", domain,
 			"error", err,
 		)
 		return
 	}
 	prevHS, hasPrevHS := w.state.GetHostnameState(domain)
 	if hasPrevHS && !w.firstRun {
 		w.detectHostnameChanges(ctx, domain, prevHS, records)
 	}
 	newState := buildHostnameState(records, now)
 	w.state.SetHostnameState(domain, newState)
 }
 func (w *Watcher) detectNSChanges(
@@ -718,22 +691,6 @@ func (w *Watcher) checkTLSExpiry(
 		return
 	}
 	// Deduplicate expiry warnings: don't re-notify for the same
 	// hostname within the TLS check interval.
 	dedupKey := fmt.Sprintf("expiry:%s:%s", hostname, ip)
 	w.expiryNotifiedMu.Lock()
 	lastNotified, seen := w.expiryNotified[dedupKey]
 	if seen && time.Since(lastNotified) < w.config.TLSInterval {
 		w.expiryNotifiedMu.Unlock()
 		return
 	}
 	w.expiryNotified[dedupKey] = time.Now()
 	w.expiryNotifiedMu.Unlock()
 	msg := fmt.Sprintf(
 		"Host: %s\nIP: %s\nCN: %s\n"+
 			"Expires: %s (%.0f days)",
--- a/internal/watcher/watcher_test.go
+++ b/internal/watcher/watcher_test.go
@@ -273,10 +273,6 @@ func setupBaselineMocks(deps *testDeps) {
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
 	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"93.184.216.34"}},
 		"ns2.example.com.": {"A": {"93.184.216.34"}},
 	}
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"93.184.216.34"}},
 		"ns2.example.com.": {"A": {"93.184.216.34"}},
@@ -294,14 +290,6 @@ func setupBaselineMocks(deps *testDeps) {
 			"www.example.com",
 		},
 	}
 	deps.tlsChecker.certs["93.184.216.34:example.com"] = &tlscheck.CertificateInfo{
 		CommonName: "example.com",
 		Issuer:     "DigiCert",
 		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
 		SubjectAlternativeNames: []string{
 			"example.com",
 		},
 	}
 }
 func assertNoNotifications(
@@ -334,74 +322,14 @@ func assertStatePopulated(
 		)
 	}
-	// Hostnames includes both explicit hostnames and domains
+	if len(snap.Hostnames) != 1 {
 	// (domains now also get hostname state for port/TLS checks).
 	if len(snap.Hostnames) < 1 {
 		t.Errorf(
-			"expected at least 1 hostname in state, got %d",
+			"expected 1 hostname in state, got %d",
 			len(snap.Hostnames),
 		)
 	}
 }
 func TestDomainPortAndTLSChecks(t *testing.T) {
 	t.Parallel()
 	cfg := defaultTestConfig(t)
 	cfg.Domains = []string{"example.com"}
 	w, deps := newTestWatcher(t, cfg)
 	deps.resolver.nsRecords["example.com"] = []string{
 		"ns1.example.com.",
 	}
 	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"93.184.216.34"}},
 	}
 	deps.portChecker.results["93.184.216.34:80"] = true
 	deps.portChecker.results["93.184.216.34:443"] = true
 	deps.tlsChecker.certs["93.184.216.34:example.com"] = &tlscheck.CertificateInfo{
 		CommonName: "example.com",
 		Issuer:     "DigiCert",
 		NotAfter:   time.Now().Add(90 * 24 * time.Hour),
 		SubjectAlternativeNames: []string{
 			"example.com",
 		},
 	}
 	w.RunOnce(t.Context())
 	snap := deps.state.GetSnapshot()
 	// Domain should have port state populated
 	if len(snap.Ports) == 0 {
 		t.Error("expected port state for domain, got none")
 	}
 	// Domain should have certificate state populated
 	if len(snap.Certificates) == 0 {
 		t.Error("expected certificate state for domain, got none")
 	}
 	// Verify port checker was actually called
 	deps.portChecker.mu.Lock()
 	calls := deps.portChecker.calls
 	deps.portChecker.mu.Unlock()
 	if calls == 0 {
 		t.Error("expected port checker to be called for domain")
 	}
 	// Verify TLS checker was actually called
 	deps.tlsChecker.mu.Lock()
 	tlsCalls := deps.tlsChecker.calls
 	deps.tlsChecker.mu.Unlock()
 	if tlsCalls == 0 {
 		t.Error("expected TLS checker to be called for domain")
 	}
 }
 func TestNSChangeDetection(t *testing.T) {
 	t.Parallel()
@@ -414,12 +342,6 @@ func TestNSChangeDetection(t *testing.T) {
 		"ns1.example.com.",
 		"ns2.example.com.",
 	}
 	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"1.2.3.4"}},
 		"ns2.example.com.": {"A": {"1.2.3.4"}},
 	}
 	deps.portChecker.results["1.2.3.4:80"] = false
 	deps.portChecker.results["1.2.3.4:443"] = false
 	ctx := t.Context()
 	w.RunOnce(ctx)
@@ -429,10 +351,6 @@ func TestNSChangeDetection(t *testing.T) {
 		"ns1.example.com.",
 		"ns3.example.com.",
 	}
 	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"1.2.3.4"}},
 		"ns3.example.com.": {"A": {"1.2.3.4"}},
 	}
 	deps.resolver.mu.Unlock()
 	w.RunOnce(ctx)
@@ -588,61 +506,6 @@ func TestTLSExpiryWarning(t *testing.T) {
 	}
 }
 func TestTLSExpiryWarningDedup(t *testing.T) {
 	t.Parallel()
 	cfg := defaultTestConfig(t)
 	cfg.Hostnames = []string{"www.example.com"}
 	cfg.TLSInterval = 24 * time.Hour
 	w, deps := newTestWatcher(t, cfg)
 	deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"1.2.3.4"}},
 	}
 	deps.resolver.ipAddresses["www.example.com"] = []string{
 		"1.2.3.4",
 	}
 	deps.portChecker.results["1.2.3.4:80"] = true
 	deps.portChecker.results["1.2.3.4:443"] = true
 	deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
 		CommonName: "www.example.com",
 		Issuer:     "DigiCert",
 		NotAfter:   time.Now().Add(3 * 24 * time.Hour),
 		SubjectAlternativeNames: []string{
 			"www.example.com",
 		},
 	}
 	ctx := t.Context()
 	// First run = baseline, no notifications
 	w.RunOnce(ctx)
 	// Second run should fire one expiry warning
 	w.RunOnce(ctx)
 	// Third run should NOT fire another warning (dedup)
 	w.RunOnce(ctx)
 	notifications := deps.notifier.getNotifications()
 	expiryCount := 0
 	for _, n := range notifications {
 		if n.Title == "TLS Expiry Warning: www.example.com" {
 			expiryCount++
 		}
 	}
 	if expiryCount != 1 {
 		t.Errorf(
 			"expected exactly 1 expiry warning (dedup), got %d",
 			expiryCount,
 		)
 	}
 }
 func TestGracefulShutdown(t *testing.T) {
 	t.Parallel()
@@ -656,11 +519,6 @@ func TestGracefulShutdown(t *testing.T) {
 	deps.resolver.nsRecords["example.com"] = []string{
 		"ns1.example.com.",
 	}
 	deps.resolver.allRecords["example.com"] = map[string]map[string][]string{
 		"ns1.example.com.": {"A": {"1.2.3.4"}},
 	}
 	deps.portChecker.results["1.2.3.4:80"] = false
 	deps.portChecker.results["1.2.3.4:443"] = false
 	ctx, cancel := context.WithCancel(t.Context())