A PowerDNS Pipe backend that serves a small DNS zone using the local node's view of the tailnet. When PowerDNS is queried for a name in your domain, Authoritah responds with the Tailscale IP of the node it is running on — so MagicDNS naturally routes callers to the nearest replica.
This is a clean Go rewrite of the original Python implementation. Behaviour-equivalent for the on-the-wire protocol and config schema; no Redis, no venv, no shelling out to the tailscale CLI.
When you delegate example.com to several nodes (each running PowerDNS + Authoritah), Tailscale's MagicDNS will query every nameserver in parallel and use the first response that arrives. In practice the first response comes from the geographically closest node, yielding latency-based load balancing for free.
Each Authoritah instance answers queries with its own Tailscale IP, so the response is always "this node, right here."
| Concern | Python | Go |
|---|---|---|
| Tailscale data | subprocess calls to tailscale | tailscale.com/client/tailscale LocalClient |
| Cache | Redis (or in-memory monkey patch) | In-process TTL snapshot |
| Deployment | venv + shebang in pipe-command | Single static binary |
| qname normalisation | Mismatched on peer queries (bug) | Both ends lowercased + trailing dot stripped |
| Logging | loguru to stdout (risk of corrupting pipe) | log/slog to stderr |
| Health check | None | Optional GET /healthz |
| Tests | None | Pipe-protocol table tests |
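To make the "qname normalisation" and "Logging" rows concrete, here is an added example (not Authoritah's own code) of a minimal PowerDNS pipe-backend ABI v1 handler: it lowercases and strips the trailing dot on both sides of the comparison, writes only protocol lines to stdout, and answers with a node address. The Zone type and the node IP 100.64.0.1 are constructed for the example; the real backend reads the address from tailscaled.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Zone is the slice of config.json the handler needs: domain, subdomains, dns_record_expires.
type Zone struct{ Domain string; Subdomains []string; TTL int }
// normalise lowercases and strips the trailing dot; applied to both sides of the comparison.
func normalise(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// answer handles one pipe-backend ABI v1 line; nodeIP stands in for the address read from tailscaled.
func answer(line string, z Zone, nodeIP string) []string {
	f := strings.Split(line, "\t")
	switch f[0] {
	case "HELO": // handshake "HELO\t<abi-version>"; only ABI 1 is handled here
		if len(f) < 2 || f[1] != "1" {
			return []string{"FAIL"}
		}
		return []string{"OK\tauthoritah example ready"}
	case "Q": // "Q\tqname\tqclass\tqtype\tid\tremote-ip"
		if len(f) < 5 {
			return []string{"FAIL"}
		}
		qname, qclass, qtype, id := f[1], f[2], f[3], f[4]
		for _, sub := range z.Subdomains {
			if normalise(qname) == normalise(sub+"."+z.Domain) && (qtype == "A" || qtype == "ANY") {
				return []string{fmt.Sprintf("DATA\t%s\t%s\tA\t%d\t%s\t%s", qname, qclass, z.TTL, id, nodeIP), "END"}
			}
		}
		return []string{"END"} // in zone but not served: empty answer, not FAIL
	}
	return []string{"FAIL"}
}

func main() {
	z := Zone{Domain: "example.com", Subdomains: []string{"www", "login"}, TTL: 90}
	in, out := bufio.NewScanner(os.Stdin), bufio.NewWriter(os.Stdout)
	for in.Scan() {
		for _, r := range answer(in.Text(), z, "100.64.0.1") { // constructed node IP
			fmt.Fprintln(out, r)
		}
		out.Flush() // pdns reads up to END on stdout; diagnostics belong on stderr
	}
}
```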
The config file schema is a superset of the Python version's: existing configs work unchanged.

Copy and edit:

```sh
cp config.example.json /etc/authoritah/config.json
```

The binary looks for config.json next to itself, or at the path in $AUTHORITAH_CONFIG, or whatever you pass with --config.
Requires Go 1.23+.

```sh
go build -o authoritah .
```

Or for a stripped static binary:

```sh
CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o authoritah .
```

```ini
# /etc/powerdns/pdns.conf
launch=pipe
pipe-command=/usr/local/bin/authoritah
pipe-regex=^\w*\.*example\.com$
pipe-timeout=2000
```

A reference unit file is included in deploy/pdns-authoritah.service.
```sh
docker build -t authoritah .
docker run --rm -it \
  --network host \
  -v /var/run/tailscale:/var/run/tailscale \
  -v $PWD/config.example.json:/etc/authoritah/config.json:ro \
  authoritah
```

Host networking is required for tailscaled's local API socket.
```sh
go test ./...
```

See LICENSE.
```jsonc
{
  "domain": "example.com",        // your delegated domain
  "subdomains": ["www", "login"], // names you want to be authoritative for
  "default_relay": "nyc",         // fallback when tailscaled reports no relay
  "local_cache_expire": 300,      // seconds to cache the tailnet snapshot
  "dns_record_expires": 90,       // record TTL returned to pdns
  "healthz_addr": "",             // optional, e.g. "127.0.0.1:8081"
  "log_level": "info"
}
```