Releases: cloudflavor/leaf

First release

22 Mar 00:43
9f65469

leaf is a lightweight authoritative DNS server for nip.io/xip-style hostnames, written in Rust and designed for public internet exposure.

Highlights

  • Authoritative DNS answers for IPv4-encoded hostnames (dash and dotted forms).
  • Supports one or more configured zones per process.
  • Correct authoritative apex behavior for SOA and NS.
  • Strict DNS response policy for malformed/out-of-zone/unsupported queries.
  • No recursion (RA=0), authoritative-only operation.
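
As an added illustration of the first and fourth highlights (this is not leaf's own code), the following Rust example decodes dotted and dash-form hostnames under one zone and classifies everything else. The names `Outcome`, `octet`, `last_four` and `resolve`, the nip.io-style placement of the octets, and the mapping of out-of-zone names to REFUSED and undecodable names to NXDOMAIN are assumptions made for the example.

```rust
use std::net::Ipv4Addr;

// Hypothetical response classes for this example; leaf's real policy may differ.
#[derive(Debug, PartialEq)]
enum Outcome {
    Answer(Ipv4Addr), // synthesize an A record
    NoData,           // zone apex: the name exists but carries no A record
    NxDomain,         // in zone, but no valid IPv4 address is encoded
    Refused,          // not under the configured zone
}

/// Strict octet: 1-3 ASCII digits, no sign, no leading zero, value <= 255.
/// (`"+1".parse::<u8>()` and `"01".parse::<u8>()` both succeed, hence the checks.)
fn octet(s: &str) -> Option<u8> {
    let digits = !s.is_empty() && s.len() <= 3 && s.bytes().all(|b| b.is_ascii_digit());
    if !digits || (s.len() > 1 && s.starts_with('0')) {
        return None;
    }
    s.parse().ok()
}

/// Interpret the last four elements of `parts` as an IPv4 address.
fn last_four(parts: &[&str]) -> Option<Ipv4Addr> {
    let t = parts.get(parts.len().checked_sub(4)?..)?;
    Some(Ipv4Addr::new(octet(t[0])?, octet(t[1])?, octet(t[2])?, octet(t[3])?))
}

fn resolve(qname: &str, zone: &str) -> Outcome {
    let name = qname.strip_suffix('.').unwrap_or(qname).to_ascii_lowercase();
    let zone = zone.to_ascii_lowercase();
    // Match the zone on a label boundary so "evilnip.io" is not inside "nip.io".
    let host = match name.strip_suffix(zone.as_str()) {
        Some("") => return Outcome::NoData,
        Some(rest) if rest.ends_with('.') => &rest[..rest.len() - 1],
        _ => return Outcome::Refused,
    };
    let labels: Vec<&str> = host.split('.').collect();
    // Dotted: four labels left of the zone. Dash: tail of the label left of the zone.
    let dashed: Vec<&str> = labels[labels.len() - 1].split('-').collect();
    match last_four(&labels).or_else(|| last_four(&dashed)) {
        Some(ip) => Outcome::Answer(ip),
        None => Outcome::NxDomain,
    }
}

fn main() {
    for q in ["10.0.0.1.nip.io", "app.192-168-1-20.nip.io.", "a.evilnip.io"] {
        println!("{q} -> {:?}", resolve(q, "nip.io")); // constructed sample queries
    }
}
```

Rejecting signed, zero-padded and out-of-range octets keeps a single canonical spelling per address, so malformed names fall into the throttled invalid-query path instead of producing an answer.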

Security and Abuse Controls

  • Global query rate limiting.
  • Per-IP query rate limiting.
  • Per-IP + qname invalid-query throttling (NXDOMAIN/REFUSED/FORMERR).
  • Global and per-IP TCP connection caps.
  • TCP idle/read/write timeouts.
  • UDP/TCP request size bounds.

Configuration and Operations

  • Config precedence: CLI > environment > TOML.
  • Structured TOML layout with backward-compatible legacy keys.
  • Multi-zone-aware defaults for SOA/NS host fields.
  • Structured logs for startup and drop events.
  • Optional query logging with GDPR-oriented data minimization.

Quality and Testing

  • Unit tests across config, DNS behavior, and limiters.
  • End-to-end tests over real UDP/TCP sockets.
  • Coverage includes response-policy matrix, multi-zone behavior, and throttling paths.

CI/CD and Distribution

  • GitLab pipeline includes fmt, check, clippy, test, extended test, release.
  • Tag releases produce packaged Linux artifacts:
    • leaf-amd64-linux-.tar.gz
    • leaf-arm64-linux-.tar.gz
    • SHA256SUMS
  • Container release publishes multi-arch images (amd64, arm64) to Quay.

Current Scope

  • IPv4 A synthesis only.
  • Shared TTL/SOA/limits across zones.
  • No DNSSEC.
  • No built-in metrics endpoint.