chore: site navbar, updated roadmap, DoT blog listing, spec updates

- Add top nav bar to landing page (wordmark + links, responsive) - Add DoT blog post entry to blog index - Update roadmap: phases 8-13 (hostile-network, Windows, DoT shipped) - Update specs: listeners section, dependency description, port list - Blog: hostile-network SVG in DNSSEC post, text-transform fix - Blog template: wordmark text-transform fix Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 19:20:12 +03:00
parent c4b2c890e8
commit f5bd2da608
4 changed files with 102 additions and 10 deletions
--- a/blog/dnssec-from-scratch.md
+++ b/blog/dnssec-from-scratch.md
@@ -163,12 +163,12 @@ The fix has three parts:
 **TCP fallback.** Every outbound query tries UDP first (800ms timeout). If UDP fails or the response is truncated, retry immediately over TCP. TCP uses a 2-byte length prefix before the DNS message — trivial to implement, and it handles DNSSEC responses that exceed the UDP payload limit.
-**UDP auto-disable.** After 3 consecutive UDP failures, flip a global `AtomicBool` and skip UDP entirely — go TCP-first for all queries. This avoids burning 800ms per hop on a network where UDP will never work. The flag resets when the network changes (detected via LAN IP monitoring).
+**UDP auto-disable.** After 3 consecutive UDP failures, flip a global `AtomicBool` and skip UDP entirely — go TCP-first for all queries. The flag resets when the network changes (detected via LAN IP monitoring).
 <img src="../hostile-network.svg" alt="Latency profile on a hostile network: queries 1-3 each spend 800ms waiting for a UDP timeout before retrying over TCP, taking 1,100ms total per query. After 3 consecutive failures the UDP auto-disable flag flips, and queries 4+ go TCP-first and complete in 300ms each — 3.7× faster.">
 **Query minimization (RFC 7816).** When querying root servers, send only the TLD — `com` instead of `secret-project.example.com`. Root servers handle trillions of queries and are operated by 12 organizations. Minimization reduces what they learn from yours.
 The result: on a network that blocks UDP:53, Numa detects the block within the first 3 queries, switches to TCP, and resolves normally at 300-500ms per cold query. Cached queries remain 0ms. No manual config change needed — switch networks and it adapts.
 I wouldn't have found this without dogfooding. The code worked perfectly on my home network. It took a real hostile network to expose the assumption that UDP always works.
 ## What I learned
--- a/site/blog-template.html
+++ b/site/blog-template.html
@@ -74,6 +74,7 @@ body::before {
  font-weight: 400;
  color: var(--text-primary);
  text-decoration: none;
  text-transform: none;
  letter-spacing: -0.02em;
 }
 .blog-nav .wordmark:hover { color: var(--amber); }
--- a/site/blog/index.html
+++ b/site/blog/index.html
@@ -67,6 +67,7 @@ body::before {
  font-weight: 400;
  color: var(--text-primary);
  text-decoration: none;
  text-transform: none;
  letter-spacing: -0.02em;
 }
 .blog-nav .wordmark:hover { color: var(--amber); }
@@ -167,6 +168,13 @@ body::before {
 <main class="blog-index">
  <h1>Blog</h1>
  <ul class="post-list">
    <li>
      <a href="/blog/posts/dot-from-scratch.html">
        <div class="post-title">DNS-over-TLS from Scratch in Rust</div>
        <div class="post-desc">Building RFC 7858 on top of rustls — length-prefix framing, ALPN cross-protocol defense, iPhone dogfooding, and two bugs that only the strict clients caught.</div>
        <div class="post-date">April 2026</div>
      </a>
    </li>
    <li>
      <a href="/blog/posts/dnssec-from-scratch.html">
        <div class="post-title">Implementing DNSSEC from Scratch in Rust</div>
--- a/site/index.html
+++ b/site/index.html
@@ -188,11 +188,50 @@ p.lead {
  line-height: 1.8;
 }
 /* ===========================
   TOP NAV
   =========================== */
 .site-nav {
  padding: 1.5rem 2rem;
  display: flex;
  align-items: center;
  gap: 1.5rem;
  position: relative;
  z-index: 10;
 }
 .site-nav a {
  font-family: var(--font-mono);
  font-size: 0.75rem;
  letter-spacing: 0.08em;
  text-transform: uppercase;
  color: var(--text-dim);
  text-decoration: none;
  transition: color 0.2s ease;
 }
 .site-nav a:hover { color: var(--amber); }
 .site-nav .wordmark {
  font-family: var(--font-display);
  font-size: 1.4rem;
  font-weight: 400;
  color: var(--text-primary);
  text-transform: none;
  letter-spacing: -0.02em;
 }
 .site-nav .wordmark:hover { color: var(--amber); }
 .site-nav .sep {
  color: var(--text-dim);
  font-family: var(--font-mono);
  font-size: 0.75rem;
 }
 /* ===========================
   HERO
   =========================== */
 .hero {
-  min-height: 100vh;
+  min-height: calc(100vh - 5rem);
  display: flex;
  align-items: center;
  position: relative;
@@ -1158,6 +1197,9 @@ footer .closing {
@media (max-width: 600px) {
  section { padding: 4rem 0; }
  .container { padding: 0 1.25rem; }
  .site-nav { padding: 1rem 1.25rem; gap: 1rem; }
  .site-nav .wordmark { font-size: 1.2rem; }
  .hero { min-height: calc(100vh - 4rem); }
  .network-grid { grid-template-columns: 1fr; }
  .pipeline { flex-direction: column; align-items: stretch; gap: 0; }
  .pipeline-arrow { transform: rotate(90deg); padding: 0.15rem 0; align-self: center; }
@@ -1171,6 +1213,14 @@ footer .closing {
 </head>
 <body>
 <nav class="site-nav">
  <a href="/" class="wordmark">Numa</a>
  <span class="sep">/</span>
  <a href="/blog/">Blog</a>
  <span class="sep">/</span>
  <a href="https://github.com/razvandimescu/numa" target="_blank" rel="noopener">GitHub</a>
 </nav>
 <!-- ==================== HERO ==================== -->
 <section class="hero">
  <div class="roman-bricks" aria-hidden="true"></div>
@@ -1243,6 +1293,8 @@ footer .closing {
          <li>Ad &amp; tracker blocking &mdash; 385K+ domains, zero config</li>
          <li>Recursive resolution &mdash; opt-in, resolve from root nameservers, no upstream needed</li>
          <li>DNSSEC validation &mdash; chain-of-trust + NSEC/NSEC3 denial proofs (RSA, ECDSA, Ed25519)</li>
          <li>DNS-over-TLS listener &mdash; encrypted DNS for phones and strict clients (RFC 7858 with ALPN defense)</li>
          <li>Hostile-network resilience &mdash; TCP fallback with UDP auto-disable when ISPs block port 53</li>
          <li>TTL-aware caching (sub-ms lookups)</li>
          <li>Single binary, portable &mdash; macOS, Linux, and Windows</li>
        </ul>
@@ -1261,7 +1313,7 @@ footer .closing {
        </ul>
      </div>
      <div class="layer-card reveal reveal-delay-3">
-        <div class="layer-badge">Coming Next</div>
+        <div class="layer-badge">The Vision</div>
        <h3>Self-Sovereign DNS</h3>
        <ul>
          <li>pkarr integration &mdash; DNS via Mainline DHT, no registrar needed</li>
@@ -1342,6 +1394,14 @@ footer .closing {
            <td class="cross">No</td>
            <td class="check">Root hints + full DNSSEC</td>
          </tr>
          <tr>
            <td>DNSSEC validation</td>
            <td class="muted">Passthrough</td>
            <td class="muted">Cloud only</td>
            <td class="muted">Cloud only</td>
            <td class="muted">Passthrough</td>
            <td class="check">Full chain-of-trust</td>
          </tr>
          <tr>
            <td>Ad &amp; tracker blocking</td>
            <td class="check">Yes</td>
@@ -1398,6 +1458,14 @@ footer .closing {
            <td class="cross">No</td>
            <td class="check">Built in (HTTP/2 + rustls)</td>
          </tr>
          <tr>
            <td>DNS-over-TLS listener</td>
            <td class="cross">No</td>
            <td class="muted">Cloud only</td>
            <td class="muted">Cloud only</td>
            <td class="check">Yes (cert required)</td>
            <td class="check">Self-signed or BYO</td>
          </tr>
          <tr>
            <td>Conditional forwarding</td>
            <td class="cross">No</td>
@@ -1567,11 +1635,14 @@ footer .closing {
        <dt>Resolution Modes</dt>
        <dd>Recursive (iterative from root hints, CNAME chasing, glue extraction) or Forward (DoH / plain UDP)</dd>
        <dt>Listeners</dt>
        <dd>UDP:53 + TCP:53 (plain DNS), DoT:853 (RFC 7858 + ALPN), HTTP proxy :80 / HTTPS proxy :443, dashboard :5380</dd>
        <dt>DNSSEC</dt>
        <dd>Chain-of-trust via ring &mdash; RSA/SHA-256, ECDSA P-256, Ed25519. NSEC/NSEC3 denial proofs. EDNS0 DO bit, 1232-byte payload (DNS Flag Day 2020).</dd>
        <dt>Dependencies</dt>
-        <dd>19 runtime crates &mdash; tokio, axum, hyper, ring (DNSSEC), reqwest (DoH), rcgen + rustls (TLS), socket2 (multicast), serde, and more</dd>
+        <dd>A focused set &mdash; tokio, axum, hyper, ring (DNSSEC), reqwest (DoH), rcgen + rustls + tokio-rustls (TLS/DoT), socket2 (multicast), serde. No transitive DNS library.</dd>
        <dt>Packet Format</dt>
        <dd>RFC 1035 compliant. EDNS0 OPT pseudo-record. Parses A, AAAA, NS, CNAME, MX, SOA, SRV, HTTPS, DNSKEY, DS, RRSIG, NSEC, NSEC3.</dd>
@@ -1586,7 +1657,7 @@ footer .closing {
 <span class="prompt">$</span> <span class="cmd">curl</span> <span class="flag">-fsSL</span> https://raw.githubusercontent.com/razvandimescu/numa/main/install.sh <span class="flag">|</span> <span class="cmd">sh</span>
 <span class="comment"># Run</span>
-<span class="prompt">$</span> <span class="cmd">sudo numa</span>                          <span class="comment"># bind to :53, :80, :5380</span>
+<span class="prompt">$</span> <span class="cmd">sudo numa</span>                          <span class="comment"># bind :53, :80, :443, :853, :5380</span>
 <span class="prompt">$</span> <span class="cmd">dig</span> <span class="flag">@127.0.0.1</span> google.com         <span class="comment"># test resolution</span>
 <span class="prompt">$</span> <span class="cmd">open</span> http://localhost:5380           <span class="comment"># dashboard</span>
 <span class="prompt">$</span> <span class="cmd">curl</span> <span class="flag">-X POST</span> localhost:5380/services \
@@ -1639,16 +1710,28 @@ footer .closing {
        <span class="phase">Phase 7</span>
        <span class="phase-desc">DNSSEC validation &mdash; chain-of-trust, NSEC/NSEC3 denial proofs, RSA + ECDSA + Ed25519</span>
      </div>
-      <div class="roadmap-item phase-teal">
+      <div class="roadmap-item done">
        <span class="phase">Phase 8</span>
        <span class="phase-desc">Hostile-network resilience &mdash; TCP fallback with UDP auto-disable when ISPs block :53, RFC 7816 query minimization</span>
      </div>
      <div class="roadmap-item done">
        <span class="phase">Phase 9</span>
        <span class="phase-desc">Windows support &mdash; cross-platform install/uninstall, <code>netsh</code> DNS config, service integration</span>
      </div>
      <div class="roadmap-item done">
        <span class="phase">Phase 10</span>
        <span class="phase-desc">DNS-over-TLS listener (RFC 7858) &mdash; ALPN enforcement, persistent connections, self-signed or BYO cert</span>
      </div>
      <div class="roadmap-item phase-teal">
        <span class="phase">Phase 11</span>
        <span class="phase-desc">pkarr integration &mdash; self-sovereign DNS via Mainline DHT, no registrar needed</span>
      </div>
      <div class="roadmap-item phase-teal">
-        <span class="phase">Phase 9</span>
+        <span class="phase">Phase 12</span>
        <span class="phase-desc">Global .numa names &mdash; self-publish, DHT-backed, first-come-first-served</span>
      </div>
      <div class="roadmap-item phase-teal">
-        <span class="phase">Phase 10</span>
+        <span class="phase">Phase 13</span>
        <span class="phase-desc">.onion bridge &mdash; human-readable Tor naming via Ed25519 same-key binding</span>
      </div>
    </div>