fix(dnsserver): Update documentation to clarify the primaryNameserver option and SOA record behavior in the DNS server. The changes detail how the primaryNameserver configuration customizes the SOA mname, ensures proper DNSSEC signing for RRsets, and updates the configuration interface examples.

readme.md

@@ -198,7 +198,8 @@ const secureServer = new DnsServer({
   httpsCert: 'path/to/cert.pem',
   dnssecZone: 'example.com',
   udpBindInterface: '127.0.0.1',    // Bind UDP to localhost only
-  httpsBindInterface: '127.0.0.1'   // Bind HTTPS to localhost only
+  httpsBindInterface: '127.0.0.1',  // Bind HTTPS to localhost only
+  primaryNameserver: 'ns1.example.com' // Optional: primary nameserver for SOA records (defaults to ns1.{dnssecZone})
 });
 
 // Register a handler for all subdomains of example.com
@@ -224,6 +225,35 @@ await dnsServer.start();
 console.log('DNS Server started!');
 ```
 
+### SOA Records and Primary Nameserver
+
+The DNS server automatically generates SOA (Start of Authority) records for zones when no specific handler matches a query. The SOA record contains important zone metadata including the primary nameserver.
+
+```typescript
+const dnsServer = new DnsServer({
+  udpPort: 53,
+  httpsPort: 443,
+  httpsKey: 'path/to/key.pem',
+  httpsCert: 'path/to/cert.pem',
+  dnssecZone: 'example.com',
+  primaryNameserver: 'ns1.example.com'  // Specify your actual primary nameserver
+});
+
+// Without primaryNameserver, the SOA mname defaults to 'ns1.{dnssecZone}'
+// In this case, it would be 'ns1.example.com'
+
+// The automatic SOA record includes:
+// - mname: Primary nameserver (from primaryNameserver option)
+// - rname: Responsible person email (hostmaster.{dnssecZone})
+// - serial: Unix timestamp
+// - refresh: 3600 (1 hour)
+// - retry: 600 (10 minutes)
+// - expire: 604800 (7 days)
+// - minimum: 86400 (1 day)
+```
+
+**Important**: Even if you have multiple nameservers (NS records), only one is designated as the primary in the SOA record. All authoritative nameservers should return the same SOA record.
+
 ### DNSSEC Support
 
 The DNS server includes comprehensive DNSSEC support with automatic key generation and record signing:
@@ -314,9 +344,16 @@ The DNS server supports manual socket handling for advanced use cases like clust
 
 ```typescript
 export interface IDnsServerOptions {
-  // ... standard options ...
-  manualUdpMode?: boolean;    // Handle UDP sockets manually
-  manualHttpsMode?: boolean;  // Handle HTTPS sockets manually
+  httpsKey: string;              // Path or content of HTTPS private key
+  httpsCert: string;             // Path or content of HTTPS certificate
+  httpsPort: number;             // Port for DNS-over-HTTPS
+  udpPort: number;               // Port for standard UDP DNS
+  dnssecZone: string;            // Zone name for DNSSEC signing
+  udpBindInterface?: string;     // IP address to bind UDP socket (default: '0.0.0.0')
+  httpsBindInterface?: string;   // IP address to bind HTTPS server (default: '0.0.0.0')
+  manualUdpMode?: boolean;       // Handle UDP sockets manually
+  manualHttpsMode?: boolean;     // Handle HTTPS sockets manually
+  primaryNameserver?: string;    // Primary nameserver for SOA records (default: 'ns1.{dnssecZone}')
 }
 ```