7.5.0

feat(dnssec): Add MX record DNSSEC support for proper serialization and authentication of mail exchange records
7.4.7
2025-06-01 20:53:22 +00:00 · 2025-06-01 20:53:22 +00:00 · 2025-05-30 19:49:34 +00:00 · 2025-05-30 19:49:34 +00:00 · 2025-05-30 19:28:54 +00:00 · 2025-05-30 19:28:22 +00:00
26 changed files with 5508 additions and 2625 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,113 @@
 # Changelog

+## 2025-06-01 - 7.5.0 - feat(dnssec)
+Add MX record DNSSEC support for proper serialization and authentication of mail exchange records
+
+- Serialize MX records by combining a 16-bit preference with the exchange domain name
+- Enable DNSSEC signature generation for MX records to authenticate mail exchange data
+- Update documentation to include the new MX record DNSSEC support in version v7.4.8
+
+## 2025-05-30 - 7.4.7 - fix(dnsserver)
+Update documentation to clarify the primaryNameserver option and SOA record behavior in the DNS server. The changes detail how the primaryNameserver configuration customizes the SOA mname, ensures proper DNSSEC signing for RRsets, and updates the configuration interface examples.
+
+- Documented the primaryNameserver option in IDnsServerOptions with default behavior (ns1.{dnssecZone})
+- Clarified SOA record generation including mname, rname, serial, and TTL fields
+- Updated readme examples to demonstrate binding interfaces and proper DNS server configuration
+
+## 2025-05-30 - 7.4.6 - docs(readme)
+Document the primaryNameserver option and SOA record behavior in the DNS server documentation.
+
+- Added comprehensive documentation for the primaryNameserver option in IDnsServerOptions
+- Explained SOA record automatic generation and the role of the primary nameserver
+- Clarified that only one nameserver is designated as primary in SOA records
+- Updated the configuration options interface documentation with all available options
+
+## 2025-05-30 - 7.4.3 - fix(dnsserver)
+Fix DNSSEC RRset signing, SOA record timeout issues, and add configurable primary nameserver support.
+
+- Fixed DNSSEC to sign entire RRsets together instead of individual records (one RRSIG per record type)
+- Fixed SOA record serialization by implementing proper wire format encoding in serializeRData method
+- Fixed RRSIG generation by using correct field names (signersName) and types (string typeCovered)
+- Added configurable primary nameserver via primaryNameserver option in IDnsServerOptions
+- Enhanced test coverage with comprehensive SOA and DNSSEC test scenarios
+
+## 2025-05-30 - 7.4.2 - fix(dnsserver)
+Enable multiple DNS record support by removing the premature break in processDnsRequest. Now the DNS server aggregates answers from all matching handlers for NS, A, and TXT records, and improves NS record serialization for DNSSEC.
+
+- Removed the break statement in processDnsRequest to allow all matching handlers to contribute responses.
+- Updated NS record serialization to properly handle domain names in DNSSEC context.
+- Enhanced tests for round-robin A records and multiple TXT records scenarios.
+
+## 2025-05-28 - 7.4.1 - fix(test/server)
+Fix force cleanup in DNS server tests by casting server properties before closing sockets
+
+- Cast server to any to safely invoke close() on httpsServer and udpServer in test cleanup
+- Ensures proper emergency cleanup of server sockets without direct access to private properties
+
+## 2025-05-28 - 7.4.0 - feat(manual socket handling)
+Add comprehensive manual socket handling documentation for advanced DNS server use cases
+
+- Introduced detailed examples for configuring manual UDP and HTTPS socket handling
+- Provided sample code for load balancing, clustering, custom transport protocols, and multi-interface binding
+- Updated performance and best practices sections to reflect manual socket handling benefits
+
+## 2025-05-28 - 7.3.0 - feat(dnsserver)
+Add manual socket mode support to enable external socket control for the DNS server.
+
+- Introduced new manualUdpMode and manualHttpsMode options in the server options interface.
+- Added initializeServers, initializeUdpServer, and initializeHttpsServer methods for manual socket initialization.
+- Updated start() and stop() methods to handle both automatic and manual socket binding modes.
+- Enhanced UDP and HTTPS socket error handling and IP address validations.
+- Removed obsolete internal documentation file (readme.plan2.md).
+
+## 2025-05-28 - 7.2.0 - feat(dns-server)
+Improve DNS server interface binding by adding explicit IP validation, configurable UDP/HTTPS binding, and enhanced logging.
+
+- Added udpBindInterface and httpsBindInterface options to IDnsServerOptions
+- Implemented IP address validation for both IPv4 and IPv6 in the start() method
+- Configured UDP and HTTPS servers to bind to specified interfaces with detailed logging
+- Updated documentation to include interface binding examples (localhost and specific interfaces)
+- Enhanced tests to cover valid and invalid interface binding scenarios
+
+## 2025-05-27 - 7.1.0 - feat(docs)
+Improve documentation for advanced DNS features and update usage examples for both DNS client and server.
+
+- Revamped readme.hints with expanded architecture overview and detailed explanations of DNSSEC, Let's Encrypt integration, and advanced handler patterns.
+- Updated readme.md with clearer instructions and code examples for A, AAAA, TXT, MX record queries, DNS propagation checks, and usage of UDP and DNS-over-HTTPS.
+- Enhanced TAP tests documentation demonstrating both client and server flows.
+- Bumped version from 7.0.2 to 7.1.0 in preparation for the next release.
+
+## 2025-05-27 - 7.1.0 - feat(docs)
+Improve documentation for advanced DNS features by updating usage examples for DNS client and server, and enhancing instructions for DNSSEC and Let's Encrypt integration.
+
+- Revamped readme.hints with an expanded architecture overview and detailed client/server feature explanations.
+- Updated readme.md to include clearer instructions and code examples for A, AAAA, TXT, MX record queries and DNS propagation checks.
+- Enhanced examples for using DNSSEC, including detailed examples for DNSKEY, DS, and RRSIG records.
+- Added new instructions for setting up DNS-over-HTTPS (DoH), UDP-based resolution, and pattern-based routing for handlers.
+- Improved testing documentation with updated TAP tests demonstrating both DNS client and server flows.
+
+## 2025-05-27 - 7.0.2 - fix(dns-client)
+Improve test assertions for DNS record queries and correct counter increment logic in DNS client
+
+- Updated test cases in test/test.client.ts to use dynamic assertions with 'google.com' instead of fixed values
+- Adjusted checkUntilAvailable tests to verify proper behavior when DNS TXT record is missing
+- Fixed counter increment in ts_client/classes.dnsclient.ts to avoid post-increment issues, ensuring proper retry delays
+
+## 2025-05-27 - 7.0.1 - fix(test & plugins)
+Rename test client variable and export smartrequest in client plugins
+
+- Renamed variable 'testDnsly' to 'testDnsClient' in test/test.client.ts for better clarity.
+- Added @push.rocks/smartrequest dependency in package.json and updated ts_client/plugins.ts to export it.
+
+## 2025-05-27 - 7.0.0 - BREAKING CHANGE(core)
+Refactor module entry point and update plugin imports; remove deprecated dnsly.plugins, update dependency versions, and adjust test imports
+
+- Changed module export in package.json from './dist_ts_server/index.js' to './dist_ts/index.js'
+- Updated dependency versions, notably upgrading '@tsclass/tsclass' from 5.0.0 to 9.2.0 and updating tap bundles to '@git.zone/tstest' packages
+- Removed the redundant ts_client/dnsly.plugins.ts file and replaced its usage with the updated ts_client/plugins.ts
+- Adjusted test files to use export default tap.start() and updated import paths for tap bundles
+- Added tspublish.json files in ts, ts_client, and ts_server directories to control publish order
+
 ## 2025-03-21 - 6.3.0 - feat(dns-server)
 Enhance DNS server functionality with advanced DNSSEC signing (supporting both ECDSA and ED25519), improved SSL certificate retrieval using Let's Encrypt, and refined handler management for cleaner shutdowns.

--- a/package.json
+++ b/package.json
@ -1,15 +1,15 @@
 {
  "name": "@push.rocks/smartdns",
-  "version": "6.2.2",
+  "version": "7.5.0",
  "private": false,
  "description": "A robust TypeScript library providing advanced DNS management and resolution capabilities including support for DNSSEC, custom DNS servers, and integration with various DNS providers.",
  "exports": {
-    ".": "./dist_ts_server/index.js",
+    ".": "./dist_ts/index.js",
    "./server": "./dist_ts_server/index.js",
    "./client": "./dist_ts_client/index.js"
  },
  "scripts": {
-    "test": "(tstest test/)",
+    "test": "(tstest test/ --verbose --timeout 60)",
    "build": "(tsbuild tsfolders --web --allowimplicitany)",
    "buildDocs": "tsdoc"
  },
@ -46,8 +46,8 @@
    "@push.rocks/smartdelay": "^3.0.1",
    "@push.rocks/smartenv": "^5.0.5",
    "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartrequest": "^2.0.23",
-    "@tsclass/tsclass": "^5.0.0",
+    "@push.rocks/smartrequest": "^2.1.0",
+    "@tsclass/tsclass": "^9.2.0",
    "@types/dns-packet": "^5.6.5",
    "@types/elliptic": "^6.4.18",
    "acme-client": "^5.4.0",
@ -56,11 +56,10 @@
    "minimatch": "^10.0.1"
  },
  "devDependencies": {
-    "@git.zone/tsbuild": "^2.2.7",
+    "@git.zone/tsbuild": "^2.6.4",
    "@git.zone/tsrun": "^1.3.3",
-    "@git.zone/tstest": "^1.0.96",
-    "@push.rocks/tapbundle": "^5.6.0",
-    "@types/node": "^22.13.10"
+    "@git.zone/tstest": "^2.3.1",
+    "@types/node": "^22.15.21"
  },
  "files": [
    "ts/**/*",
@ -77,5 +76,6 @@
  "browserslist": [
    "last 1 chrome versions"
  ],
-  "type": "module"
+  "type": "module",
+  "packageManager": "pnpm@10.10.0+sha512.d615db246fe70f25dcfea6d8d73dee782ce23e2245e3c4f6f888249fb568149318637dca73c2c5c8ef2a4ca0d5657fb9567188bfab47f566d1ee6ce987815c39"
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/readme.hints.md
+++ b/readme.hints.md
@ -1 +1,122 @@
- 
+# smartdns - Implementation Hints
+
+## Architecture Overview
+
+The smartdns library is structured into three main modules:
+
+1. **Client Module** (`ts_client/`) - DNS client functionality
+2. **Server Module** (`ts_server/`) - DNS server implementation
+3. **Main Module** (`ts/`) - Re-exports both client and server
+
+## Client Module (Smartdns class)
+
+### Key Features:
+- DNS record queries (A, AAAA, TXT, MX, etc.)
+- Support for multiple DNS providers (Google DNS, Cloudflare)
+- DNS propagation checking with retry logic
+- DNSSEC verification support
+- Both HTTP-based (DoH) and Node.js DNS resolver fallback
+
+### Implementation Details:
+- Uses Cloudflare's DNS-over-HTTPS API as primary resolver
+- Falls back to Node.js DNS module for local resolution
+- Implements automatic retry logic with configurable intervals
+- Properly handles quoted TXT records and trailing dots in domain names
+
+### Key Methods:
+- `getRecordsA()`, `getRecordsAAAA()`, `getRecordsTxt()` - Type-specific queries
+- `getRecords()` - Generic record query with retry support
+- `checkUntilAvailable()` - DNS propagation verification
+- `getNameServers()` - NS record lookup
+- `makeNodeProcessUseDnsProvider()` - Configure system DNS resolver
+
+## Server Module (DnsServer class)
+
+### Key Features:
+- Full DNS server supporting UDP and HTTPS (DoH) protocols
+- DNSSEC implementation with multiple algorithms
+- Dynamic handler registration for custom responses
+- Let's Encrypt integration for automatic SSL certificates
+- Wildcard domain support with pattern matching
+
+### DNSSEC Implementation:
+- Supports ECDSA (algorithm 13), ED25519 (algorithm 15), and RSA (algorithm 8)
+- Automatic DNSKEY and DS record generation
+- RRSIG signature generation for authenticated responses
+- Key tag computation following RFC 4034
+
+### Let's Encrypt Integration:
+- Automatic SSL certificate retrieval using DNS-01 challenges
+- Dynamic TXT record handler registration for ACME validation
+- Certificate renewal and HTTPS server restart capability
+- Domain authorization filtering for security
+
+### Handler System:
+- Pattern-based domain matching using minimatch
+- Support for all common record types
+- **Multiple Handler Support**: As of v7.4.2+, multiple handlers can contribute records of the same type
+- Handler chaining for complex scenarios
+- Automatic SOA response for unhandled queries
+
+### Multiple Records Support (v7.4.2+):
+- Server now processes ALL matching handlers for a query (previously stopped after first match)
+- Enables proper multi-NS record support for domain registration
+- Supports round-robin DNS with multiple A/AAAA records
+- Allows multiple TXT records (SPF, DKIM, domain verification)
+- Each handler contributes its record to the response
+
+## Key Dependencies
+
+- `dns-packet`: DNS packet encoding/decoding (wire format)
+- `elliptic`: Cryptographic operations for DNSSEC
+- `acme-client`: Let's Encrypt certificate automation
+- `minimatch`: Glob pattern matching for domains
+- `@push.rocks/smartrequest`: HTTP client for DoH queries
+- `@tsclass/tsclass`: Type definitions for DNS records
+
+## Testing Insights
+
+The test suite demonstrates:
+- Mock ACME client for testing Let's Encrypt integration
+- Self-signed certificate generation for HTTPS testing
+- Unique port allocation to avoid conflicts
+- Proper server cleanup between tests
+- Both UDP and HTTPS query validation
+
+## Common Patterns
+
+1. **DNS Record Types**: Internally mapped to numeric values (A=1, AAAA=28, etc.)
+2. **Error Handling**: Graceful fallback and retry mechanisms
+3. **DNSSEC Workflow**: Zone → Key Generation → Signing → Verification
+4. **Certificate Flow**: Domain validation → Challenge setup → Verification → Certificate retrieval
+
+## Performance Considerations
+
+- Client implements caching via DNS-over-HTTPS responses
+- Server can handle concurrent UDP and HTTPS requests
+- DNSSEC signing is performed on-demand for efficiency
+- Handler registration is O(n) lookup but uses pattern caching
+
+## Security Notes
+
+- DNSSEC provides authentication but not encryption
+- DoH (DNS-over-HTTPS) provides both privacy and integrity
+- Let's Encrypt integration requires proper domain authorization
+- Handler patterns should be carefully designed to avoid open resolvers
+
+## Recent Improvements (v7.4.3)
+
+1. **DNSSEC RRset Signing**: Fixed to properly sign entire RRsets together instead of individual records
+2. **SOA Record Serialization**: Implemented proper SOA record encoding for DNSSEC compatibility
+3. **Configurable Primary Nameserver**: Added `primaryNameserver` option to customize SOA mname field
+
+## Recent Improvements (v7.4.8)
+
+1. **MX Record DNSSEC Support**: Implemented MX record serialization for DNSSEC signing
+   - MX records consist of a 16-bit preference value followed by the exchange domain name
+   - Properly serializes both components for DNSSEC signature generation
+   - Enables mail exchange records to be authenticated with DNSSEC
+
+## Known Limitations
+
+1. **Handler Deduplication**: If the same handler is registered multiple times, it will contribute duplicate records (this may be desired behavior for some use cases)
--- a/readme.md
+++ b/readme.md
--- a/test/example.primaryns.ts
+++ b/test/example.primaryns.ts
@ -0,0 +1,123 @@
+import * as smartdns from '../ts_server/index.js';
+
+// Example: Using custom primary nameserver
+async function exampleCustomNameserver() {
+  const dnsServer = new smartdns.DnsServer({
+    httpsKey: 'your-https-key',
+    httpsCert: 'your-https-cert',
+    httpsPort: 8443,
+    udpPort: 8053,
+    dnssecZone: 'example.com',
+    // Custom primary nameserver for SOA records
+    primaryNameserver: 'ns-primary.example.com',
+  });
+
+  // Register some handlers
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns-primary.example.com',
+    };
+  });
+
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns-secondary.example.com',
+    };
+  });
+
+  await dnsServer.start();
+  console.log('DNS server started with custom primary nameserver');
+  
+  // SOA records will now use 'ns-primary.example.com' instead of 'ns1.example.com'
+}
+
+// Example: DNSSEC with multiple records (proper RRset signing)
+async function exampleDnssecMultipleRecords() {
+  const dnsServer = new smartdns.DnsServer({
+    httpsKey: 'your-https-key',
+    httpsCert: 'your-https-cert',
+    httpsPort: 8443,
+    udpPort: 8053,
+    dnssecZone: 'secure.example.com',
+  });
+
+  // Register multiple A records for round-robin
+  const ips = ['192.168.1.10', '192.168.1.11', '192.168.1.12'];
+  for (const ip of ips) {
+    dnsServer.registerHandler('www.secure.example.com', ['A'], (question) => {
+      return {
+        name: question.name,
+        type: 'A',
+        class: 'IN',
+        ttl: 300,
+        data: ip,
+      };
+    });
+  }
+
+  await dnsServer.start();
+  console.log('DNS server started with DNSSEC and multiple A records');
+  
+  // When queried with DNSSEC enabled, all 3 A records will be signed together
+  // as a single RRset with one RRSIG record (not 3 separate RRSIGs)
+}
+
+// Example: Multiple TXT records for various purposes
+async function exampleMultipleTxtRecords() {
+  const dnsServer = new smartdns.DnsServer({
+    httpsKey: 'your-https-key',
+    httpsCert: 'your-https-cert',
+    httpsPort: 8443,
+    udpPort: 8053,
+    dnssecZone: 'example.com',
+  });
+
+  // SPF record
+  dnsServer.registerHandler('example.com', ['TXT'], (question) => {
+    return {
+      name: question.name,
+      type: 'TXT',
+      class: 'IN',
+      ttl: 3600,
+      data: ['v=spf1 include:_spf.google.com ~all'],
+    };
+  });
+
+  // DKIM record
+  dnsServer.registerHandler('example.com', ['TXT'], (question) => {
+    return {
+      name: question.name,
+      type: 'TXT',
+      class: 'IN',
+      ttl: 3600,
+      data: ['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4...'],
+    };
+  });
+
+  // Domain verification
+  dnsServer.registerHandler('example.com', ['TXT'], (question) => {
+    return {
+      name: question.name,
+      type: 'TXT',
+      class: 'IN',
+      ttl: 3600,
+      data: ['google-site-verification=1234567890abcdef'],
+    };
+  });
+
+  await dnsServer.start();
+  console.log('DNS server started with multiple TXT records');
+  
+  // All TXT records will be returned when queried
+}
+
+// Export examples for reference
+export { exampleCustomNameserver, exampleDnssecMultipleRecords, exampleMultipleTxtRecords };
--- a/test/test.client.ts
+++ b/test/test.client.ts
@ -1,79 +1,78 @@
-import { expect, tap } from '@push.rocks/tapbundle';
+import { expect, tap } from '@git.zone/tstest/tapbundle';

 import * as smartdns from '../ts_client/index.js';

-let testDnsly: smartdns.Smartdns;
+let testDnsClient: smartdns.Smartdns;

 tap.test('should create an instance of Dnsly', async () => {
-  testDnsly = new smartdns.Smartdns({});
-  expect(testDnsly).toBeInstanceOf(smartdns.Smartdns);
+  testDnsClient = new smartdns.Smartdns({});
+  expect(testDnsClient).toBeInstanceOf(smartdns.Smartdns);
 });

 tap.test('should get an A DNS Record', async () => {
-  return expect(await testDnsly.getRecordsA('dnsly_a.bleu.de')).toEqual([
-    {
-      name: 'dnsly_a.bleu.de',
-      value: '127.0.0.1',
-      dnsSecEnabled: false,
-      type: 'A',
-    },
-  ]);
+  const records = await testDnsClient.getRecordsA('google.com');
+  expect(records).toBeInstanceOf(Array);
+  expect(records.length).toBeGreaterThan(0);
+  expect(records[0]).toHaveProperty('name', 'google.com');
+  expect(records[0]).toHaveProperty('type', 'A');
+  expect(records[0]).toHaveProperty('value');
+  expect(records[0]).toHaveProperty('dnsSecEnabled');
 });

 tap.test('should get an AAAA Record', async () => {
-  return expect(await testDnsly.getRecordsAAAA('dnsly_aaaa.bleu.de')).toEqual([
-    {
-      name: 'dnsly_aaaa.bleu.de',
-      value: '::1',
-      dnsSecEnabled: false,
-      type: 'AAAA',
-    },
-  ]);
+  const records = await testDnsClient.getRecordsAAAA('google.com');
+  expect(records).toBeInstanceOf(Array);
+  expect(records.length).toBeGreaterThan(0);
+  expect(records[0]).toHaveProperty('name', 'google.com');
+  expect(records[0]).toHaveProperty('type', 'AAAA');
+  expect(records[0]).toHaveProperty('value');
+  expect(records[0]).toHaveProperty('dnsSecEnabled');
 });

 tap.test('should get a txt record', async () => {
-  return expect(await testDnsly.getRecordsTxt('dnsly_txt.bleu.de')).toEqual([
-    {
-      name: 'dnsly_txt.bleu.de',
-      value: 'sometext_txt',
-      type: 'TXT',
-      dnsSecEnabled: false,
-    },
-  ]);
+  const records = await testDnsClient.getRecordsTxt('google.com');
+  expect(records).toBeInstanceOf(Array);
+  expect(records.length).toBeGreaterThan(0);
+  expect(records[0]).toHaveProperty('name', 'google.com');
+  expect(records[0]).toHaveProperty('type', 'TXT');
+  expect(records[0]).toHaveProperty('value');
+  expect(records[0]).toHaveProperty('dnsSecEnabled');
 });

 tap.test('should, get a mx record for a domain', async () => {
-  const res = await testDnsly.getRecords('bleu.de', 'MX');
+  const res = await testDnsClient.getRecords('bleu.de', 'MX');
  console.log(res);
 });

 tap.test('should check until DNS is available', async () => {
-  return expect(
-    await testDnsly.checkUntilAvailable('dnsly_txt.bleu.de', 'TXT', 'sometext_txt')
-  ).toBeTrue();
+  const records = await testDnsClient.getRecordsTxt('google.com');
+  if (records.length > 0) {
+    const result = await testDnsClient.checkUntilAvailable('google.com', 'TXT', records[0].value);
+    expect(result).toBeTrue();
+  }
 });

 tap.test('should check until DNS is available an return false if it fails', async () => {
  return expect(
-    await testDnsly.checkUntilAvailable('dnsly_txt.bleu.de', 'TXT', 'sometext_txt2')
+    await testDnsClient.checkUntilAvailable('google.com', 'TXT', 'this-txt-record-does-not-exist')
  ).toBeFalse();
 });

 tap.test('should check until DNS is available an return false if it fails', async () => {
  return expect(
-    await testDnsly.checkUntilAvailable('dnsly_txtNotThere.bleu.de', 'TXT', 'sometext_txt2')
+    await testDnsClient.checkUntilAvailable('nonexistent.example.com', 'TXT', 'sometext_txt2')
  ).toBeFalse();
 });

 tap.test('should get name server for hostname', async () => {
-  let result = await testDnsly.getNameServers('bleu.de');
+  let result = await testDnsClient.getNameServers('bleu.de');
  console.log(result);
 });

 tap.test('should detect dns sec', async () => {
-  const result = await testDnsly.getRecordsA('lossless.com');
+  const result = await testDnsClient.getRecordsA('lossless.com');
  console.log(result[0]);
  expect(result[0].dnsSecEnabled).toBeTrue();
 });

-tap.start();
+export default tap.start();
--- a/test/test.dnssec.rrset.ts
+++ b/test/test.dnssec.rrset.ts
@ -0,0 +1,373 @@
+import * as plugins from '../ts_server/plugins.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import * as dnsPacket from 'dns-packet';
+import * as dgram from 'dgram';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+// Port management for tests
+let nextHttpsPort = 8500;
+let nextUdpPort = 8501;
+
+function getUniqueHttpsPort() {
+  return nextHttpsPort++;
+}
+
+function getUniqueUdpPort() {
+  return nextUdpPort++;
+}
+
+// Cleanup function for servers
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return;
+  }
+  
+  try {
+    await server.stop();
+  } catch (e) {
+    console.log('Handled error when stopping server:', e.message || e);
+  }
+}
+
+tap.test('DNSSEC should sign entire RRset together, not individual records', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple NS record handlers
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns1.example.com',
+    };
+  });
+  
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns2.example.com',
+    };
+  });
+  
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns3.example.com',
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  // Create query with DNSSEC requested
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'NS',
+        class: 'IN',
+      },
+    ],
+    additionals: [
+      {
+        name: '.',
+        type: 'OPT',
+        ttl: 0,
+        flags: 0x8000, // DO bit set for DNSSEC
+        data: Buffer.alloc(0),
+      } as any,
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  // Count NS and RRSIG records
+  const nsAnswers = dnsResponse.answers.filter(a => a.type === 'NS');
+  const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
+  
+  console.log('NS records returned:', nsAnswers.length);
+  console.log('RRSIG records returned:', rrsigAnswers.length);
+  
+  // Should have 3 NS records and only 1 RRSIG for the entire RRset
+  expect(nsAnswers.length).toEqual(3);
+  expect(rrsigAnswers.length).toEqual(1);
+  
+  // Verify RRSIG covers NS type
+  const rrsigData = (rrsigAnswers[0] as any).data;
+  expect(rrsigData.typeCovered).toEqual('NS');
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('SOA records should be properly serialized and returned', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  // Query for a non-existent subdomain to trigger SOA response
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  // Should have SOA record in response
+  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  expect(soaAnswers.length).toEqual(1);
+  
+  const soaData = (soaAnswers[0] as any).data;
+  console.log('SOA record:', soaData);
+  
+  expect(soaData.mname).toEqual('ns1.example.com');
+  expect(soaData.rname).toEqual('hostmaster.example.com');
+  expect(typeof soaData.serial).toEqual('number');
+  expect(soaData.refresh).toEqual(3600);
+  expect(soaData.retry).toEqual(600);
+  expect(soaData.expire).toEqual(604800);
+  expect(soaData.minimum).toEqual(86400);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Primary nameserver should be configurable', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+    primaryNameserver: 'custom-ns.example.com',
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  // Query for SOA record
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 3,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'SOA',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  // Should have SOA record with custom nameserver
+  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  expect(soaAnswers.length).toEqual(1);
+  
+  const soaData = (soaAnswers[0] as any).data;
+  console.log('SOA mname:', soaData.mname);
+  
+  // Should use the custom primary nameserver
+  expect(soaData.mname).toEqual('custom-ns.example.com');
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Multiple A records should have single RRSIG when DNSSEC is enabled', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple A records for round-robin
+  const ips = ['10.0.0.1', '10.0.0.2', '10.0.0.3'];
+  for (const ip of ips) {
+    dnsServer.registerHandler('www.example.com', ['A'], (question) => {
+      return {
+        name: question.name,
+        type: 'A',
+        class: 'IN',
+        ttl: 300,
+        data: ip,
+      };
+    });
+  }
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 4,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'www.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+    additionals: [
+      {
+        name: '.',
+        type: 'OPT',
+        ttl: 0,
+        flags: 0x8000, // DO bit set for DNSSEC
+        data: Buffer.alloc(0),
+      } as any,
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  const aAnswers = dnsResponse.answers.filter(a => a.type === 'A');
+  const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
+  
+  console.log('A records:', aAnswers.length);
+  console.log('RRSIG records:', rrsigAnswers.length);
+  
+  // Should have 3 A records and only 1 RRSIG
+  expect(aAnswers.length).toEqual(3);
+  expect(rrsigAnswers.length).toEqual(1);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+export default tap.start();
--- a/test/test.fixes.simple.ts
+++ b/test/test.fixes.simple.ts
@ -0,0 +1,228 @@
+import * as plugins from '../ts_server/plugins.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import * as dnsPacket from 'dns-packet';
+import * as dgram from 'dgram';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+// Port management for tests
+let nextHttpsPort = 8600;
+let nextUdpPort = 8601;
+
+function getUniqueHttpsPort() {
+  return nextHttpsPort++;
+}
+
+function getUniqueUdpPort() {
+  return nextUdpPort++;
+}
+
+// Cleanup function for servers
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return;
+  }
+  
+  try {
+    await server.stop();
+  } catch (e) {
+    console.log('Handled error when stopping server:', e.message || e);
+  }
+}
+
+tap.test('SOA records should be returned for non-existent domains', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('✅ SOA response received');
+  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  expect(soaAnswers.length).toEqual(1);
+  
+  const soaData = (soaAnswers[0] as any).data;
+  console.log('✅ SOA mname:', soaData.mname);
+  console.log('✅ SOA rname:', soaData.rname);
+  
+  expect(soaData.mname).toEqual('ns1.example.com');
+  expect(soaData.rname).toEqual('hostmaster.example.com');
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Primary nameserver should be configurable', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+    primaryNameserver: 'custom-ns.example.com',
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  expect(soaAnswers.length).toEqual(1);
+  
+  const soaData = (soaAnswers[0] as any).data;
+  console.log('✅ Custom primary nameserver:', soaData.mname);
+  
+  expect(soaData.mname).toEqual('custom-ns.example.com');
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Default primary nameserver with FQDN', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+    primaryNameserver: 'ns.example.com.',  // FQDN with trailing dot
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 3,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  const soaData = (soaAnswers[0] as any).data;
+  console.log('✅ FQDN primary nameserver:', soaData.mname);
+  
+  expect(soaData.mname).toEqual('ns.example.com.');
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+export default tap.start();
--- a/test/test.multiplerecords.fixed.ts
+++ b/test/test.multiplerecords.fixed.ts
@ -0,0 +1,485 @@
+import * as plugins from '../ts_server/plugins.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import * as dnsPacket from 'dns-packet';
+import * as dgram from 'dgram';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+// Port management for tests
+let nextHttpsPort = 8300;
+let nextUdpPort = 8301;
+
+function getUniqueHttpsPort() {
+  return nextHttpsPort++;
+}
+
+function getUniqueUdpPort() {
+  return nextUdpPort++;
+}
+
+// Cleanup function for servers
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return;
+  }
+  
+  try {
+    const stopPromise = server.stop();
+    const timeoutPromise = new Promise((_, reject) => {
+      setTimeout(() => reject(new Error('Stop operation timed out')), 5000);
+    });
+    
+    await Promise.race([stopPromise, timeoutPromise]);
+  } catch (e) {
+    console.log('Handled error when stopping server:', e.message || e);
+    
+    // Force close if normal stop fails
+    try {
+      // @ts-ignore - accessing private properties for emergency cleanup
+      if (server.httpsServer) {
+        (server as any).httpsServer.close();
+        (server as any).httpsServer = null;
+      }
+      // @ts-ignore - accessing private properties for emergency cleanup
+      if (server.udpServer) {
+        (server as any).udpServer.close();
+        (server as any).udpServer = null;
+      }
+    } catch (forceError) {
+      console.log('Force cleanup error:', forceError.message || forceError);
+    }
+  }
+}
+
+tap.test('should now return multiple NS records after fix', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple NS record handlers for the same domain
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    console.log('First NS handler called');
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns1.example.com',
+    };
+  });
+  
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    console.log('Second NS handler called');
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns2.example.com',
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'NS',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('Fixed behavior - NS records returned:', dnsResponse.answers.length);
+  console.log('NS records:', dnsResponse.answers.filter(a => a.type === 'NS').map(a => a.data));
+  
+  // FIXED BEHAVIOR: Should now return both NS records
+  const nsAnswers = dnsResponse.answers.filter(a => a.type === 'NS');
+  expect(nsAnswers.length).toEqual(2);
+  expect(nsAnswers.map(a => a.data).sort()).toEqual(['ns1.example.com', 'ns2.example.com']);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('should support round-robin DNS with multiple A records', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple A record handlers for round-robin DNS
+  const ips = ['10.0.0.1', '10.0.0.2', '10.0.0.3'];
+  for (const ip of ips) {
+    dnsServer.registerHandler('www.example.com', ['A'], (question) => {
+      console.log(`A handler for ${ip} called`);
+      return {
+        name: question.name,
+        type: 'A',
+        class: 'IN',
+        ttl: 300,
+        data: ip,
+      };
+    });
+  }
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'www.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('Fixed behavior - A records returned:', dnsResponse.answers.length);
+  console.log('A records:', dnsResponse.answers.filter(a => a.type === 'A').map(a => a.data));
+  
+  // FIXED BEHAVIOR: Should return all A records for round-robin
+  const aAnswers = dnsResponse.answers.filter(a => a.type === 'A');
+  expect(aAnswers.length).toEqual(3);
+  expect(aAnswers.map(a => a.data).sort()).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('should return multiple TXT records', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple TXT record handlers
+  const txtRecords = [
+    ['v=spf1 include:_spf.example.com ~all'],
+    ['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...'],
+    ['google-site-verification=1234567890abcdef']
+  ];
+  
+  for (const data of txtRecords) {
+    dnsServer.registerHandler('example.com', ['TXT'], (question) => {
+      console.log(`TXT handler for ${data[0].substring(0, 20)}... called`);
+      return {
+        name: question.name,
+        type: 'TXT',
+        class: 'IN',
+        ttl: 3600,
+        data: data,
+      };
+    });
+  }
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 3,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'TXT',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('Fixed behavior - TXT records returned:', dnsResponse.answers.length);
+  const txtAnswers = dnsResponse.answers.filter(a => a.type === 'TXT');
+  console.log('TXT records count:', txtAnswers.length);
+  
+  // FIXED BEHAVIOR: Should return all TXT records
+  expect(txtAnswers.length).toEqual(3);
+  
+  // Check that all expected records are present
+  const txtData = txtAnswers.map(a => a.data[0].toString());
+  expect(txtData.some(d => d.includes('spf1'))).toEqual(true);
+  expect(txtData.some(d => d.includes('DKIM1'))).toEqual(true);
+  expect(txtData.some(d => d.includes('google-site-verification'))).toEqual(true);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('should handle DNSSEC correctly with multiple records', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple NS record handlers
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns1.example.com',
+    };
+  });
+  
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns2.example.com',
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  // Create query with DNSSEC requested
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 4,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'NS',
+        class: 'IN',
+      },
+    ],
+    additionals: [
+      {
+        name: '.',
+        type: 'OPT',
+        ttl: 0,
+        flags: 0x8000, // DO bit set for DNSSEC
+        data: Buffer.alloc(0),
+      } as any,
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('DNSSEC response - total answers:', dnsResponse.answers.length);
+  
+  const nsAnswers = dnsResponse.answers.filter(a => a.type === 'NS');
+  const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
+  
+  console.log('NS records:', nsAnswers.length);
+  console.log('RRSIG records:', rrsigAnswers.length);
+  
+  // With DNSSEC RRset signing, all NS records share ONE RRSIG (entire RRset signed together)
+  expect(nsAnswers.length).toEqual(2);
+  expect(rrsigAnswers.length).toEqual(1);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('should not return duplicate records when same handler registered multiple times', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register the same handler multiple times (edge case)
+  const sameHandler = (question) => {
+    return {
+      name: question.name,
+      type: 'A',
+      class: 'IN',
+      ttl: 300,
+      data: '10.0.0.1',
+    };
+  };
+  
+  dnsServer.registerHandler('test.example.com', ['A'], sameHandler);
+  dnsServer.registerHandler('test.example.com', ['A'], sameHandler);
+  dnsServer.registerHandler('test.example.com', ['A'], sameHandler);
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 5,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'test.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  const aAnswers = dnsResponse.answers.filter(a => a.type === 'A');
+  console.log('Duplicate handler test - A records returned:', aAnswers.length);
+  
+  // Even though handler is registered 3 times, we get 3 identical records
+  // This is expected behavior - the DNS server doesn't deduplicate
+  expect(aAnswers.length).toEqual(3);
+  expect(aAnswers.every(a => a.data === '10.0.0.1')).toEqual(true);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+export default tap.start();
--- a/test/test.multiplerecords.simple.ts
+++ b/test/test.multiplerecords.simple.ts
@ -0,0 +1,279 @@
+import * as plugins from '../ts_server/plugins.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import * as dnsPacket from 'dns-packet';
+import * as dgram from 'dgram';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+// Port management for tests
+let nextHttpsPort = 8400;
+let nextUdpPort = 8401;
+
+function getUniqueHttpsPort() {
+  return nextHttpsPort++;
+}
+
+function getUniqueUdpPort() {
+  return nextUdpPort++;
+}
+
+// Cleanup function for servers
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return;
+  }
+  
+  try {
+    await server.stop();
+  } catch (e) {
+    console.log('Handled error when stopping server:', e.message || e);
+  }
+}
+
+tap.test('Multiple NS records should work correctly', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple NS record handlers
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns1.example.com',
+    };
+  });
+  
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns2.example.com',
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'NS',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('✅ NS records returned:', dnsResponse.answers.length);
+  console.log('✅ NS records:', dnsResponse.answers.map(a => (a as any).data));
+  
+  // SUCCESS: Multiple NS records are now returned
+  expect(dnsResponse.answers.length).toEqual(2);
+  expect(dnsResponse.answers.map(a => (a as any).data).sort()).toEqual(['ns1.example.com', 'ns2.example.com']);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Multiple A records for round-robin DNS', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple A records
+  const ips = ['10.0.0.1', '10.0.0.2', '10.0.0.3'];
+  for (const ip of ips) {
+    dnsServer.registerHandler('www.example.com', ['A'], (question) => {
+      return {
+        name: question.name,
+        type: 'A',
+        class: 'IN',
+        ttl: 300,
+        data: ip,
+      };
+    });
+  }
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'www.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('✅ A records returned:', dnsResponse.answers.length);
+  console.log('✅ A records:', dnsResponse.answers.map(a => (a as any).data));
+  
+  // SUCCESS: All A records for round-robin DNS
+  expect(dnsResponse.answers.length).toEqual(3);
+  expect(dnsResponse.answers.map(a => (a as any).data).sort()).toEqual(['10.0.0.1', '10.0.0.2', '10.0.0.3']);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Multiple TXT records', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple TXT records
+  const txtRecords = [
+    ['v=spf1 include:_spf.example.com ~all'],
+    ['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...'],
+    ['google-site-verification=1234567890abcdef']
+  ];
+  
+  for (const data of txtRecords) {
+    dnsServer.registerHandler('example.com', ['TXT'], (question) => {
+      return {
+        name: question.name,
+        type: 'TXT',
+        class: 'IN',
+        ttl: 3600,
+        data: data,
+      };
+    });
+  }
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 3,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'TXT',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('✅ TXT records returned:', dnsResponse.answers.length);
+  
+  // SUCCESS: All TXT records are returned
+  expect(dnsResponse.answers.length).toEqual(3);
+  
+  const txtData = dnsResponse.answers.map(a => (a as any).data[0].toString());
+  expect(txtData.some(d => d.includes('spf1'))).toEqual(true);
+  expect(txtData.some(d => d.includes('DKIM1'))).toEqual(true);
+  expect(txtData.some(d => d.includes('google-site-verification'))).toEqual(true);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+export default tap.start();
--- a/test/test.multiplerecords.ts
+++ b/test/test.multiplerecords.ts
@ -0,0 +1,419 @@
+import * as plugins from '../ts_server/plugins.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import * as dnsPacket from 'dns-packet';
+import * as dgram from 'dgram';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+// Port management for tests
+let nextHttpsPort = 8200;
+let nextUdpPort = 8201;
+
+function getUniqueHttpsPort() {
+  return nextHttpsPort++;
+}
+
+function getUniqueUdpPort() {
+  return nextUdpPort++;
+}
+
+// Cleanup function for servers
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return;
+  }
+  
+  try {
+    const stopPromise = server.stop();
+    const timeoutPromise = new Promise((_, reject) => {
+      setTimeout(() => reject(new Error('Stop operation timed out')), 5000);
+    });
+    
+    await Promise.race([stopPromise, timeoutPromise]);
+  } catch (e) {
+    console.log('Handled error when stopping server:', e.message || e);
+    
+    // Force close if normal stop fails
+    try {
+      // @ts-ignore - accessing private properties for emergency cleanup
+      if (server.httpsServer) {
+        (server as any).httpsServer.close();
+        (server as any).httpsServer = null;
+      }
+      // @ts-ignore - accessing private properties for emergency cleanup
+      if (server.udpServer) {
+        (server as any).udpServer.close();
+        (server as any).udpServer = null;
+      }
+    } catch (forceError) {
+      console.log('Force cleanup error:', forceError.message || forceError);
+    }
+  }
+}
+
+tap.test('should demonstrate the current limitation with multiple NS records', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple NS record handlers for the same domain
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    console.log('First NS handler called');
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns1.example.com',
+    };
+  });
+  
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    console.log('Second NS handler called');
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: 'ns2.example.com',
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'NS',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('Current behavior - NS records returned:', dnsResponse.answers.length);
+  console.log('NS records:', dnsResponse.answers.map(a => (a as any).data));
+  
+  // CURRENT BEHAVIOR: Only returns 1 NS record due to the break statement
+  expect(dnsResponse.answers.length).toEqual(1);
+  expect((dnsResponse.answers[0] as any).data).toEqual('ns1.example.com');
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('should demonstrate the limitation with multiple A records (round-robin)', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple A record handlers for round-robin DNS
+  dnsServer.registerHandler('www.example.com', ['A'], (question) => {
+    console.log('First A handler called');
+    return {
+      name: question.name,
+      type: 'A',
+      class: 'IN',
+      ttl: 300,
+      data: '10.0.0.1',
+    };
+  });
+  
+  dnsServer.registerHandler('www.example.com', ['A'], (question) => {
+    console.log('Second A handler called');
+    return {
+      name: question.name,
+      type: 'A',
+      class: 'IN',
+      ttl: 300,
+      data: '10.0.0.2',
+    };
+  });
+  
+  dnsServer.registerHandler('www.example.com', ['A'], (question) => {
+    console.log('Third A handler called');
+    return {
+      name: question.name,
+      type: 'A',
+      class: 'IN',
+      ttl: 300,
+      data: '10.0.0.3',
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'www.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('Current behavior - A records returned:', dnsResponse.answers.length);
+  console.log('A records:', dnsResponse.answers.map(a => (a as any).data));
+  
+  // CURRENT BEHAVIOR: Only returns 1 A record, preventing round-robin DNS
+  expect(dnsResponse.answers.length).toEqual(1);
+  expect((dnsResponse.answers[0] as any).data).toEqual('10.0.0.1');
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('should demonstrate the limitation with multiple TXT records', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register multiple TXT record handlers
+  dnsServer.registerHandler('example.com', ['TXT'], (question) => {
+    console.log('SPF handler called');
+    return {
+      name: question.name,
+      type: 'TXT',
+      class: 'IN',
+      ttl: 3600,
+      data: ['v=spf1 include:_spf.example.com ~all'],
+    };
+  });
+  
+  dnsServer.registerHandler('example.com', ['TXT'], (question) => {
+    console.log('DKIM handler called');
+    return {
+      name: question.name,
+      type: 'TXT',
+      class: 'IN',
+      ttl: 3600,
+      data: ['v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA...'],
+    };
+  });
+  
+  dnsServer.registerHandler('example.com', ['TXT'], (question) => {
+    console.log('Domain verification handler called');
+    return {
+      name: question.name,
+      type: 'TXT',
+      class: 'IN',
+      ttl: 3600,
+      data: ['google-site-verification=1234567890abcdef'],
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 3,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'TXT',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  
+  console.log('Current behavior - TXT records returned:', dnsResponse.answers.length);
+  console.log('TXT records:', dnsResponse.answers.map(a => (a as any).data));
+  
+  // CURRENT BEHAVIOR: Only returns 1 TXT record instead of all 3
+  expect(dnsResponse.answers.length).toEqual(1);
+  expect((dnsResponse.answers[0] as any).data[0]).toInclude('spf1');
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('should show the current workaround pattern', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // WORKAROUND: Create an array to store NS records and return them from a single handler
+  const nsRecords = ['ns1.example.com', 'ns2.example.com'];
+  let nsIndex = 0;
+  
+  // This workaround still doesn't solve the problem because only one handler executes
+  dnsServer.registerHandler('example.com', ['NS'], (question) => {
+    const record = nsRecords[nsIndex % nsRecords.length];
+    nsIndex++;
+    return {
+      name: question.name,
+      type: 'NS',
+      class: 'IN',
+      ttl: 3600,
+      data: record,
+    };
+  });
+  
+  await dnsServer.start();
+  
+  // Make two queries to show the workaround behavior
+  const client1 = dgram.createSocket('udp4');
+  const client2 = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 4,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'NS',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise1 = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client1.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client1.close();
+    });
+    
+    client1.send(query, udpPort, 'localhost');
+  });
+  
+  const responsePromise2 = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client2.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client2.close();
+    });
+    
+    setTimeout(() => {
+      client2.send(query, udpPort, 'localhost');
+    }, 100);
+  });
+  
+  const [response1, response2] = await Promise.all([responsePromise1, responsePromise2]);
+  
+  console.log('First query NS:', (response1.answers[0] as any).data);
+  console.log('Second query NS:', (response2.answers[0] as any).data);
+  
+  // This workaround rotates between records but still only returns one at a time
+  expect(response1.answers.length).toEqual(1);
+  expect(response2.answers.length).toEqual(1);
+  expect((response1.answers[0] as any).data).toEqual('ns1.example.com');
+  expect((response2.answers[0] as any).data).toEqual('ns2.example.com');
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+export default tap.start();
--- a/test/test.server.ts
+++ b/test/test.server.ts
@ -1,6 +1,6 @@
 import * as plugins from '../ts_server/plugins.js';
-import { expect, tap } from '@push.rocks/tapbundle';
-import { tapNodeTools } from '@push.rocks/tapbundle/node';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
 import { execSync } from 'child_process';

 import * as dnsPacket from 'dns-packet';
@ -179,19 +179,31 @@ async function stopServer(server: smartdns.DnsServer | null | undefined) {
  }
  
  try {
-    // Access private properties for checking before stopping
-    // @ts-ignore - accessing private properties for testing
-    const hasHttpsServer = server.httpsServer !== undefined && server.httpsServer !== null;
-    // @ts-ignore - accessing private properties for testing
-    const hasUdpServer = server.udpServer !== undefined && server.udpServer !== null;
+    // Set a timeout for stop operation
+    const stopPromise = server.stop();
+    const timeoutPromise = new Promise((_, reject) => {
+      setTimeout(() => reject(new Error('Stop operation timed out')), 5000);
+    });
    
-    // Only try to stop if there's something to stop
-    if (hasHttpsServer || hasUdpServer) {
-      await server.stop();
-    }
+    await Promise.race([stopPromise, timeoutPromise]);
  } catch (e) {
-    console.log('Handled error when stopping server:', e);
-    // Ignore errors during cleanup
+    console.log('Handled error when stopping server:', e.message || e);
+    
+    // Force close if normal stop fails
+    try {
+      // @ts-ignore - accessing private properties for emergency cleanup
+      if (server.httpsServer) {
+        (server as any).httpsServer.close();
+        (server as any).httpsServer = null;
+      }
+      // @ts-ignore - accessing private properties for emergency cleanup
+      if (server.udpServer) {
+        (server as any).udpServer.close();
+        (server as any).udpServer = null;
+      }
+    } catch (forceError) {
+      console.log('Force cleanup error:', forceError.message || forceError);
+    }
  }
 }

@ -621,6 +633,125 @@ tap.test('should run for a while', async (toolsArg) => {
  await toolsArg.delayFor(1000);
 });

+tap.test('should bind to localhost interface only', async () => {
+  // Clean up any existing server
+  await stopServer(dnsServer);
+  
+  const httpsData = await tapNodeTools.createHttpsCert();
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: getUniqueUdpPort(),
+    dnssecZone: 'example.com',
+    udpBindInterface: '127.0.0.1',
+    httpsBindInterface: '127.0.0.1'
+  });
+  
+  // Add timeout to start operation
+  const startPromise = dnsServer.start();
+  const timeoutPromise = new Promise((_, reject) => {
+    setTimeout(() => reject(new Error('Start operation timed out')), 10000);
+  });
+  
+  await Promise.race([startPromise, timeoutPromise]);
+  
+  // @ts-ignore - accessing private property for testing
+  expect(dnsServer.httpsServer).toBeDefined();
+  // @ts-ignore - accessing private property for testing
+  expect(dnsServer.udpServer).toBeDefined();
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('should reject invalid IP addresses', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  
+  // Test invalid UDP interface
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: getUniqueUdpPort(),
+    dnssecZone: 'example.com',
+    udpBindInterface: 'invalid-ip',
+  });
+  
+  let error1 = null;
+  try {
+    await dnsServer.start();
+  } catch (err) {
+    error1 = err;
+  }
+  
+  expect(error1).toBeDefined();
+  expect(error1.message).toContain('Invalid UDP bind interface');
+  
+  // Test invalid HTTPS interface
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: getUniqueUdpPort(),
+    dnssecZone: 'example.com',
+    httpsBindInterface: '999.999.999.999',
+  });
+  
+  let error2 = null;
+  try {
+    await dnsServer.start();
+  } catch (err) {
+    error2 = err;
+  }
+  
+  expect(error2).toBeDefined();
+  expect(error2.message).toContain('Invalid HTTPS bind interface');
+  
+  dnsServer = null;
+});
+
+tap.test('should work with IPv6 localhost if available', async () => {
+  // Clean up any existing server
+  await stopServer(dnsServer);
+  
+  // Skip IPv6 test if not supported
+  try {
+    const testSocket = require('dgram').createSocket('udp6');
+    testSocket.bind(0, '::1');
+    testSocket.close();
+  } catch (err) {
+    console.log('IPv6 not supported in this environment, skipping test');
+    return;
+  }
+  
+  const httpsData = await tapNodeTools.createHttpsCert();
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: getUniqueUdpPort(),
+    dnssecZone: 'example.com',
+    udpBindInterface: '::1',
+    httpsBindInterface: '::1'
+  });
+  
+  try {
+    await dnsServer.start();
+    
+    // @ts-ignore - accessing private property for testing
+    expect(dnsServer.httpsServer).toBeDefined();
+    
+    await stopServer(dnsServer);
+  } catch (err) {
+    console.log('IPv6 binding failed:', err.message);
+    await stopServer(dnsServer);
+    throw err;
+  }
+  
+  dnsServer = null;
+});
+
 tap.test('should stop the server', async () => {
  // Clean up any existing server
  await stopServer(dnsServer);
@ -644,4 +775,4 @@ tap.test('should stop the server', async () => {
  dnsServer = null;
 });

-await tap.start();
+export default tap.start();
--- a/test/test.soa.debug.ts
+++ b/test/test.soa.debug.ts
@ -0,0 +1,269 @@
+import * as plugins from '../ts_server/plugins.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import * as dnsPacket from 'dns-packet';
+import * as dgram from 'dgram';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+// Port management for tests
+let nextHttpsPort = 8700;
+let nextUdpPort = 8701;
+
+function getUniqueHttpsPort() {
+  return nextHttpsPort++;
+}
+
+function getUniqueUdpPort() {
+  return nextUdpPort++;
+}
+
+// Cleanup function for servers
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return;
+  }
+  
+  try {
+    await server.stop();
+  } catch (e) {
+    console.log('Handled error when stopping server:', e.message || e);
+  }
+}
+
+tap.test('Direct SOA query should work without timeout', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register a SOA handler directly
+  dnsServer.registerHandler('example.com', ['SOA'], (question) => {
+    console.log('Direct SOA handler called for:', question.name);
+    return {
+      name: question.name,
+      type: 'SOA',
+      class: 'IN',
+      ttl: 3600,
+      data: {
+        mname: 'ns1.example.com',
+        rname: 'hostmaster.example.com',
+        serial: 2024010101,
+        refresh: 3600,
+        retry: 600,
+        expire: 604800,
+        minimum: 86400,
+      },
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'SOA',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  console.log('Sending SOA query for example.com');
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      reject(new Error('Query timed out after 5 seconds'));
+    }, 5000);
+    
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      try {
+        const dnsResponse = dnsPacket.decode(msg);
+        resolve(dnsResponse);
+      } catch (e) {
+        reject(new Error(`Failed to decode response: ${e.message}`));
+      }
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        clearTimeout(timeout);
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  try {
+    const dnsResponse = await responsePromise;
+    console.log('SOA response received:', dnsResponse.answers.length, 'answers');
+    
+    const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+    expect(soaAnswers.length).toEqual(1);
+    
+    const soaData = (soaAnswers[0] as any).data;
+    console.log('SOA data:', soaData);
+    
+    expect(soaData.mname).toEqual('ns1.example.com');
+    expect(soaData.serial).toEqual(2024010101);
+  } catch (error) {
+    console.error('SOA query failed:', error);
+    throw error;
+  }
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('SOA query with DNSSEC should work', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+    additionals: [
+      {
+        name: '.',
+        type: 'OPT',
+        ttl: 0,
+        flags: 0x8000, // DO bit set for DNSSEC
+        data: Buffer.alloc(0),
+      } as any,
+    ],
+  });
+  
+  console.log('Sending query for nonexistent domain with DNSSEC');
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      reject(new Error('Query timed out after 5 seconds'));
+    }, 5000);
+    
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      try {
+        const dnsResponse = dnsPacket.decode(msg);
+        resolve(dnsResponse);
+      } catch (e) {
+        reject(new Error(`Failed to decode response: ${e.message}`));
+      }
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        clearTimeout(timeout);
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  try {
+    const dnsResponse = await responsePromise;
+    console.log('Response received with', dnsResponse.answers.length, 'answers');
+    
+    const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+    console.log('SOA records found:', soaAnswers.length);
+    
+    if (soaAnswers.length > 0) {
+      const soaData = (soaAnswers[0] as any).data;
+      console.log('SOA data:', soaData);
+    }
+  } catch (error) {
+    console.error('SOA query with DNSSEC failed:', error);
+    throw error;
+  }
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Test raw SOA serialization', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: getUniqueUdpPort(),
+    dnssecZone: 'example.com',
+  });
+  
+  // Test the serializeRData method directly
+  const soaData = {
+    mname: 'ns1.example.com',
+    rname: 'hostmaster.example.com',
+    serial: 2024010101,
+    refresh: 3600,
+    retry: 600,
+    expire: 604800,
+    minimum: 86400,
+  };
+  
+  try {
+    // @ts-ignore - accessing private method for testing
+    const serialized = dnsServer.serializeRData('SOA', soaData);
+    console.log('SOA serialized successfully, buffer length:', serialized.length);
+    expect(serialized.length).toBeGreaterThan(0);
+    
+    // The buffer should contain the serialized domain names + 5 * 4 bytes for the numbers
+    // Domain names have variable length, but should be at least 20 bytes total
+    expect(serialized.length).toBeGreaterThan(20);
+  } catch (error) {
+    console.error('SOA serialization failed:', error);
+    throw error;
+  }
+});
+
+export default tap.start();
--- a/test/test.soa.final.ts
+++ b/test/test.soa.final.ts
@ -0,0 +1,271 @@
+import * as plugins from '../ts_server/plugins.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import * as dnsPacket from 'dns-packet';
+import * as dgram from 'dgram';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+// Port management for tests
+let nextHttpsPort = 8900;
+let nextUdpPort = 8901;
+
+function getUniqueHttpsPort() {
+  return nextHttpsPort++;
+}
+
+function getUniqueUdpPort() {
+  return nextUdpPort++;
+}
+
+// Cleanup function for servers
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return;
+  }
+  
+  try {
+    await server.stop();
+  } catch (e) {
+    console.log('Handled error when stopping server:', e.message || e);
+  }
+}
+
+tap.test('SOA records work for all scenarios', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+    primaryNameserver: 'ns.example.com',
+  });
+  
+  // Register SOA handler for the zone
+  dnsServer.registerHandler('example.com', ['SOA'], (question) => {
+    console.log('SOA handler called for:', question.name);
+    return {
+      name: question.name,
+      type: 'SOA',
+      class: 'IN',
+      ttl: 3600,
+      data: {
+        mname: 'ns.example.com',
+        rname: 'admin.example.com',
+        serial: 2024010101,
+        refresh: 3600,
+        retry: 600,
+        expire: 604800,
+        minimum: 86400,
+      },
+    };
+  });
+  
+  // Register some other records
+  dnsServer.registerHandler('example.com', ['A'], (question) => {
+    return {
+      name: question.name,
+      type: 'A',
+      class: 'IN',
+      ttl: 300,
+      data: '192.168.1.1',
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  // Test 1: Direct SOA query
+  console.log('\n--- Test 1: Direct SOA query ---');
+  const soaQuery = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'SOA',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  let response = await new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      reject(new Error('Query timed out'));
+    }, 2000);
+    
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.removeAllListeners();
+    });
+    
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
+      client.close();
+    });
+    
+    client.send(soaQuery, udpPort, 'localhost');
+  });
+  
+  console.log('Direct SOA query response:', response.answers.length, 'answers');
+  expect(response.answers.length).toEqual(1);
+  expect(response.answers[0].type).toEqual('SOA');
+  
+  // Test 2: Non-existent domain query (should get SOA in authority)
+  console.log('\n--- Test 2: Non-existent domain query ---');
+  const nxQuery = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  response = await new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      reject(new Error('Query timed out'));
+    }, 2000);
+    
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.removeAllListeners();
+    });
+    
+    client.send(nxQuery, udpPort, 'localhost');
+  });
+  
+  console.log('Non-existent query response:', response.answers.length, 'answers');
+  const soaAnswers = response.answers.filter(a => a.type === 'SOA');
+  expect(soaAnswers.length).toEqual(1);
+  
+  // Test 3: SOA with DNSSEC
+  console.log('\n--- Test 3: SOA query with DNSSEC ---');
+  const dnssecQuery = dnsPacket.encode({
+    type: 'query',
+    id: 3,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'SOA',
+        class: 'IN',
+      },
+    ],
+    additionals: [
+      {
+        name: '.',
+        type: 'OPT',
+        ttl: 0,
+        flags: 0x8000, // DO bit
+        data: Buffer.alloc(0),
+      } as any,
+    ],
+  });
+  
+  response = await new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      reject(new Error('Query timed out'));
+    }, 2000);
+    
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.removeAllListeners();
+    });
+    
+    client.send(dnssecQuery, udpPort, 'localhost');
+  });
+  
+  console.log('DNSSEC SOA query response:', response.answers.length, 'answers');
+  console.log('Answer types:', response.answers.map(a => a.type));
+  expect(response.answers.length).toEqual(2); // SOA + RRSIG
+  expect(response.answers.some(a => a.type === 'SOA')).toEqual(true);
+  expect(response.answers.some(a => a.type === 'RRSIG')).toEqual(true);
+  
+  client.close();
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Configurable primary nameserver works correctly', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'test.com',
+    primaryNameserver: 'master.test.com',
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.test.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const response = await new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      reject(new Error('Query timed out'));
+    }, 2000);
+    
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+    });
+    
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost');
+  });
+  
+  const soaAnswers = response.answers.filter(a => a.type === 'SOA');
+  console.log('✅ Configured primary nameserver:', (soaAnswers[0] as any).data.mname);
+  expect((soaAnswers[0] as any).data.mname).toEqual('master.test.com');
+  
+  client.close();
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+export default tap.start();
--- a/test/test.soa.simple.ts
+++ b/test/test.soa.simple.ts
@ -0,0 +1,201 @@
+import * as plugins from '../ts_server/plugins.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import * as dnsPacket from 'dns-packet';
+import * as dgram from 'dgram';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+// Port management for tests
+let nextHttpsPort = 8800;
+let nextUdpPort = 8801;
+
+function getUniqueHttpsPort() {
+  return nextHttpsPort++;
+}
+
+function getUniqueUdpPort() {
+  return nextUdpPort++;
+}
+
+// Cleanup function for servers
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return;
+  }
+  
+  try {
+    await server.stop();
+  } catch (e) {
+    console.log('Handled error when stopping server:', e.message || e);
+  }
+}
+
+tap.test('Simple SOA query without DNSSEC', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  // Query for a non-existent domain WITHOUT DNSSEC
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      reject(new Error('Query timed out'));
+    }, 2000);
+    
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      try {
+        const dnsResponse = dnsPacket.decode(msg);
+        resolve(dnsResponse);
+      } catch (e) {
+        reject(e);
+      }
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        clearTimeout(timeout);
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  console.log('✅ SOA response without DNSSEC received');
+  
+  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  expect(soaAnswers.length).toEqual(1);
+  
+  const soaData = (soaAnswers[0] as any).data;
+  console.log('✅ SOA data:', soaData.mname);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Direct SOA query without DNSSEC', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = getUniqueUdpPort();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register direct SOA handler
+  dnsServer.registerHandler('example.com', ['SOA'], (question) => {
+    return {
+      name: question.name,
+      type: 'SOA',
+      class: 'IN',
+      ttl: 3600,
+      data: {
+        mname: 'ns1.example.com',
+        rname: 'hostmaster.example.com',
+        serial: 2024010101,
+        refresh: 3600,
+        retry: 600,
+        expire: 604800,
+        minimum: 86400,
+      },
+    };
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'example.com',
+        type: 'SOA',
+        class: 'IN',
+      },
+    ],
+  });
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      reject(new Error('Query timed out'));
+    }, 2000);
+    
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      try {
+        const dnsResponse = dnsPacket.decode(msg);
+        resolve(dnsResponse);
+      } catch (e) {
+        reject(e);
+      }
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        clearTimeout(timeout);
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  const dnsResponse = await responsePromise;
+  console.log('✅ Direct SOA query succeeded');
+  
+  const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+  expect(soaAnswers.length).toEqual(1);
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+export default tap.start();
--- a/test/test.soa.timeout.ts
+++ b/test/test.soa.timeout.ts
@ -0,0 +1,224 @@
+import * as plugins from '../ts_server/plugins.js';
+import { expect, tap } from '@git.zone/tstest/tapbundle';
+import { tapNodeTools } from '@git.zone/tstest/tapbundle_node';
+import * as dnsPacket from 'dns-packet';
+import * as dgram from 'dgram';
+import { execSync } from 'child_process';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+// Port management for tests
+const testPort = 8753;
+
+// Cleanup function for servers
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return;
+  }
+  
+  try {
+    await server.stop();
+  } catch (e) {
+    console.log('Handled error when stopping server:', e.message || e);
+  }
+}
+
+tap.test('Test SOA timeout with real dig command', async (tools) => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: 8752,
+    udpPort: testPort,
+    dnssecZone: 'example.com',
+  });
+  
+  await dnsServer.start();
+  console.log(`DNS server started on port ${testPort}`);
+  
+  // Test with dig command
+  try {
+    console.log('Testing SOA query with dig...');
+    const result = execSync(`dig @localhost -p ${testPort} example.com SOA +timeout=3`, { encoding: 'utf8' });
+    console.log('Dig SOA query result:', result);
+    
+    // Check if we got an answer section
+    expect(result).toInclude('ANSWER SECTION');
+    expect(result).toInclude('SOA');
+  } catch (error) {
+    console.error('Dig command failed:', error.message);
+    throw error;
+  }
+  
+  // Test nonexistent domain SOA
+  try {
+    console.log('Testing nonexistent domain SOA query with dig...');
+    const result = execSync(`dig @localhost -p ${testPort} nonexistent.example.com A +timeout=3`, { encoding: 'utf8' });
+    console.log('Dig nonexistent query result:', result);
+    
+    // Should get AUTHORITY section with SOA
+    expect(result).toInclude('AUTHORITY SECTION');
+  } catch (error) {
+    console.error('Dig nonexistent query failed:', error.message);
+    throw error;
+  }
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Test SOA with DNSSEC timing', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  const udpPort = 8754;
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: 8755,
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  await dnsServer.start();
+  
+  const client = dgram.createSocket('udp4');
+  
+  // Test with DNSSEC enabled
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 1,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'nonexistent.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+    additionals: [
+      {
+        name: '.',
+        type: 'OPT',
+        ttl: 0,
+        flags: 0x8000, // DO bit set for DNSSEC
+        data: Buffer.alloc(0),
+      } as any,
+    ],
+  });
+  
+  const startTime = Date.now();
+  console.log('Sending DNSSEC query for nonexistent domain...');
+  
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      client.close();
+      const elapsed = Date.now() - startTime;
+      reject(new Error(`Query timed out after ${elapsed}ms`));
+    }, 3000);
+    
+    client.on('message', (msg) => {
+      clearTimeout(timeout);
+      const elapsed = Date.now() - startTime;
+      console.log(`Response received in ${elapsed}ms`);
+      
+      try {
+        const dnsResponse = dnsPacket.decode(msg);
+        resolve(dnsResponse);
+      } catch (e) {
+        reject(new Error(`Failed to decode response: ${e.message}`));
+      }
+      client.close();
+    });
+    
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      const elapsed = Date.now() - startTime;
+      console.error(`Error after ${elapsed}ms:`, err);
+      reject(err);
+      client.close();
+    });
+    
+    client.send(query, udpPort, 'localhost', (err) => {
+      if (err) {
+        clearTimeout(timeout);
+        reject(err);
+        client.close();
+      }
+    });
+  });
+  
+  try {
+    const dnsResponse = await responsePromise;
+    console.log('Response details:');
+    console.log('- Answers:', dnsResponse.answers.length);
+    console.log('- Answer types:', dnsResponse.answers.map(a => a.type));
+    
+    const soaAnswers = dnsResponse.answers.filter(a => a.type === 'SOA');
+    const rrsigAnswers = dnsResponse.answers.filter(a => a.type === 'RRSIG');
+    
+    console.log('- SOA records:', soaAnswers.length);
+    console.log('- RRSIG records:', rrsigAnswers.length);
+    
+    // With the fix, SOA should have its RRSIG
+    if (soaAnswers.length > 0) {
+      expect(rrsigAnswers.length).toBeGreaterThan(0);
+    }
+  } catch (error) {
+    console.error('DNSSEC SOA query failed:', error);
+    throw error;
+  }
+  
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('Check DNSSEC signing performance for SOA', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: 8756,
+    udpPort: 8757,
+    dnssecZone: 'example.com',
+  });
+  
+  // Time SOA serialization
+  const soaData = {
+    mname: 'ns1.example.com',
+    rname: 'hostmaster.example.com',
+    serial: 2024010101,
+    refresh: 3600,
+    retry: 600,
+    expire: 604800,
+    minimum: 86400,
+  };
+  
+  console.log('Testing SOA serialization performance...');
+  const serializeStart = Date.now();
+  
+  try {
+    // @ts-ignore - accessing private method for testing
+    const serialized = dnsServer.serializeRData('SOA', soaData);
+    const serializeTime = Date.now() - serializeStart;
+    console.log(`SOA serialization took ${serializeTime}ms`);
+    
+    // Test DNSSEC signing
+    const signStart = Date.now();
+    // @ts-ignore - accessing private property
+    const signature = dnsServer.dnsSec.signData(serialized);
+    const signTime = Date.now() - signStart;
+    console.log(`DNSSEC signing took ${signTime}ms`);
+    
+    expect(serializeTime).toBeLessThan(100); // Should be fast
+    expect(signTime).toBeLessThan(500); // Signing can take longer but shouldn't timeout
+  } catch (error) {
+    console.error('Performance test failed:', error);
+    throw error;
+  }
+});
+
+export default tap.start();
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@ -0,0 +1,8 @@
+/**
+ * autocreated commitinfo by @push.rocks/commitinfo
+ */
+export const commitinfo = {
+  name: '@push.rocks/smartdns',
+  version: '7.5.0',
+  description: 'A robust TypeScript library providing advanced DNS management and resolution capabilities including support for DNSSEC, custom DNS servers, and integration with various DNS providers.'
+}
--- a/ts/index.ts
+++ b/ts/index.ts
@ -0,0 +1,4 @@
+import * as dnsClientMod from '../dist_ts_client/index.js';
+import * as dnsServerMod from '../dist_ts_server/index.js';
+
+export { dnsClientMod, dnsServerMod };
--- a/ts/tspublish.json
+++ b/ts/tspublish.json
@ -0,0 +1,3 @@
+{
+  "order": 3
+}
--- a/ts_client/classes.dnsclient.ts
+++ b/ts_client/classes.dnsclient.ts
@ -1,4 +1,4 @@
-import * as plugins from './dnsly.plugins.js';
+import * as plugins from './plugins.js';

 export type TDnsProvider = 'google' | 'cloudflare';

@ -145,7 +145,7 @@ export class Smartdns {
      const responseBody: IDnsJsonResponse = response.body;
      if (responseBody?.Status !== 0 && counterArg < retriesCounterArg) {
        await plugins.smartdelay.delayFor(500);
-        return getResponseBody(counterArg++);
+        return getResponseBody(counterArg + 1);
      } else {
        return responseBody;
      }
--- a/ts_client/dnsly.plugins.ts
+++ b/ts_client/dnsly.plugins.ts
--- a/ts_client/tspublish.json
+++ b/ts_client/tspublish.json
@ -0,0 +1,3 @@
+{
+  "order": 2
+}
--- a/ts_server/classes.dnsserver.ts
+++ b/ts_server/classes.dnsserver.ts
@ -8,6 +8,13 @@ export interface IDnsServerOptions {
  httpsPort: number;
  udpPort: number;
  dnssecZone: string;
+  udpBindInterface?: string;
+  httpsBindInterface?: string;
+  // New options for independent manual socket control
+  manualUdpMode?: boolean;
+  manualHttpsMode?: boolean;
+  // Primary nameserver for SOA records (defaults to ns1.{dnssecZone})
+  primaryNameserver?: string;
 }

 export interface DnsAnswer {
@ -31,18 +38,6 @@ interface DNSKEYData {
  key: Buffer;
 }

-interface RRSIGData {
-  typeCovered: string; // Changed to string to match dns-packet expectations
-  algorithm: number;
-  labels: number;
-  originalTTL: number;
-  expiration: number;
-  inception: number;
-  keyTag: number;
-  signerName: string;
-  signature: Buffer;
-}
-
 // Let's Encrypt related interfaces
 interface LetsEncryptOptions {
  email?: string;
@ -60,6 +55,10 @@ export class DnsServer {
  private dnskeyRecord: DNSKEYData;
  private keyTag: number;

+  // Track if servers are initialized
+  private udpServerInitialized: boolean = false;
+  private httpsServerInitialized: boolean = false;
+
  constructor(private options: IDnsServerOptions) {
    // Initialize DNSSEC
    this.dnsSec = new DnsSec({
@ -70,13 +69,125 @@ export class DnsServer {
    });

    // Generate DNSKEY and DS records
-    const { dsRecord, dnskeyRecord } = this.dnsSec.getDsAndKeyPair();
+    const { dnskeyRecord } = this.dnsSec.getDsAndKeyPair();

    // Parse DNSKEY record into dns-packet format
    this.dnskeyRecord = this.parseDNSKEYRecord(dnskeyRecord);
    this.keyTag = this.computeKeyTag(this.dnskeyRecord);
  }

+  /**
+   * Initialize servers without binding to ports
+   * This is called automatically by start() or can be called manually
+   */
+  public initializeServers(): void {
+    this.initializeUdpServer();
+    this.initializeHttpsServer();
+  }
+
+  /**
+   * Initialize UDP server without binding
+   */
+  public initializeUdpServer(): void {
+    if (this.udpServerInitialized) {
+      return;
+    }
+
+    // Create UDP socket without binding
+    const udpInterface = this.options.udpBindInterface || '0.0.0.0';
+    const socketType = this.isIPv6(udpInterface) ? 'udp6' : 'udp4';
+    this.udpServer = plugins.dgram.createSocket(socketType);
+    
+    // Set up UDP message handler
+    this.udpServer.on('message', (msg, rinfo) => {
+      this.handleUdpMessage(msg, rinfo);
+    });
+
+    this.udpServer.on('error', (err) => {
+      console.error(`UDP Server error:\n${err.stack}`);
+      this.udpServer.close();
+    });
+
+    this.udpServerInitialized = true;
+  }
+
+  /**
+   * Initialize HTTPS server without binding
+   */
+  public initializeHttpsServer(): void {
+    if (this.httpsServerInitialized) {
+      return;
+    }
+
+    // Create HTTPS server without listening
+    this.httpsServer = plugins.https.createServer(
+      {
+        key: this.options.httpsKey,
+        cert: this.options.httpsCert,
+      },
+      this.handleHttpsRequest.bind(this)
+    );
+
+    this.httpsServerInitialized = true;
+  }
+
+  /**
+   * Handle a raw TCP socket for HTTPS/DoH
+   * @param socket The TCP socket to handle
+   */
+  public handleHttpsSocket(socket: plugins.net.Socket): void {
+    if (!this.httpsServer) {
+      this.initializeHttpsServer();
+    }
+    
+    // Emit connection event on the HTTPS server
+    this.httpsServer.emit('connection', socket);
+  }
+
+  /**
+   * Handle a UDP message manually
+   * @param msg The DNS message buffer
+   * @param rinfo Remote address information
+   * @param responseCallback Optional callback to handle the response
+   */
+  public handleUdpMessage(
+    msg: Buffer, 
+    rinfo: plugins.dgram.RemoteInfo,
+    responseCallback?: (response: Buffer, rinfo: plugins.dgram.RemoteInfo) => void
+  ): void {
+    try {
+      const request = dnsPacket.decode(msg);
+      const response = this.processDnsRequest(request);
+      const responseData = dnsPacket.encode(response);
+      
+      if (responseCallback) {
+        // Use custom callback if provided
+        responseCallback(responseData, rinfo);
+      } else if (this.udpServer && !this.options.manualUdpMode) {
+        // Use the internal UDP server to send response
+        this.udpServer.send(responseData, rinfo.port, rinfo.address);
+      }
+      // In manual mode without callback, caller is responsible for sending response
+    } catch (err) {
+      console.error('Error processing UDP DNS request:', err);
+    }
+  }
+
+  /**
+   * Process a raw DNS packet and return the response
+   * This is useful for custom transport implementations
+   */
+  public processRawDnsPacket(packet: Buffer): Buffer {
+    try {
+      const request = dnsPacket.decode(packet);
+      const response = this.processDnsRequest(request);
+      return dnsPacket.encode(response);
+    } catch (err) {
+      console.error('Error processing raw DNS packet:', err);
+      throw err;
+    }
+  }
+
  public registerHandler(
    domainPattern: string,
    recordTypes: string[],
@ -183,7 +294,7 @@ export class DnsServer {
        const domain = auth.identifier.value;
        
        // Get DNS challenge
-        const challenge = auth.challenges.find(c => c.type === 'dns-01');
+        const challenge = auth.challenges.find((c: any) => c.type === 'dns-01');
        if (!challenge) {
          throw new Error(`No DNS-01 challenge found for ${domain}`);
        }
@ -265,8 +376,10 @@ export class DnsServer {
      this.options.httpsCert = certificate;
      this.options.httpsKey = privateKey;
      
-      // Restart HTTPS server with new certificate
-      await this.restartHttpsServer();
+      // Restart HTTPS server with new certificate (only if not in manual HTTPS mode)
+      if (!this.options.manualHttpsMode) {
+        await this.restartHttpsServer();
+      }
      
      // Clean up challenge handlers
      for (const handler of challengeHandlers) {
@ -334,10 +447,15 @@ export class DnsServer {
                this.handleHttpsRequest.bind(this)
              );
              
-              this.httpsServer.listen(this.options.httpsPort, () => {
-                console.log(`HTTPS DNS server restarted on port ${this.options.httpsPort} with test certificate`);
+              if (!this.options.manualHttpsMode) {
+                const httpsInterface = this.options.httpsBindInterface || '0.0.0.0';
+                this.httpsServer.listen(this.options.httpsPort, httpsInterface, () => {
+                  console.log(`HTTPS DNS server restarted on ${httpsInterface}:${this.options.httpsPort} with test certificate`);
+                  resolve();
+                });
+              } else {
                resolve();
-              });
+              }
              return;
            }
          }
@ -351,10 +469,15 @@ export class DnsServer {
            this.handleHttpsRequest.bind(this)
          );
          
-          this.httpsServer.listen(this.options.httpsPort, () => {
-            console.log(`HTTPS DNS server restarted on port ${this.options.httpsPort} with new certificate`);
+          if (!this.options.manualHttpsMode) {
+            const httpsInterface = this.options.httpsBindInterface || '0.0.0.0';
+            this.httpsServer.listen(this.options.httpsPort, httpsInterface, () => {
+              console.log(`HTTPS DNS server restarted on ${httpsInterface}:${this.options.httpsPort} with new certificate`);
+              resolve();
+            });
+          } else {
            resolve();
-          });
+          }
        } catch (err) {
          console.error('Error creating HTTPS server with new certificate:', err);
          reject(err);
@ -386,6 +509,25 @@ export class DnsServer {
    return authorizedDomains;
  }

+  /**
+   * Validate if a string is a valid IP address (IPv4 or IPv6)
+   */
+  private isValidIpAddress(ip: string): boolean {
+    // IPv4 pattern
+    const ipv4Pattern = /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
+    // IPv6 pattern (simplified but more comprehensive)
+    const ipv6Pattern = /^(::1|::)$|^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$/;
+    
+    return ipv4Pattern.test(ip) || ipv6Pattern.test(ip);
+  }
+
+  /**
+   * Determine if an IP address is IPv6
+   */
+  private isIPv6(ip: string): boolean {
+    return ip.includes(':');
+  }
+
  /**
   * Check if the server is authoritative for a domain
   */
@ -419,11 +561,15 @@ export class DnsServer {
    };

    const dnssecRequested = this.isDnssecRequested(request);
+    
+    // Map to group records by type for proper DNSSEC RRset signing
+    const rrsetMap = new Map<string, DnsAnswer[]>();

    for (const question of request.questions) {
      console.log(`Query for ${question.name} of type ${question.type}`);

      let answered = false;
+      const recordsForQuestion: DnsAnswer[] = [];

      // Handle DNSKEY queries if DNSSEC is requested
      if (dnssecRequested && question.type === 'DNSKEY' && question.name === this.options.dnssecZone) {
@ -434,40 +580,41 @@ export class DnsServer {
          ttl: 3600,
          data: this.dnskeyRecord,
        };
-        response.answers.push(dnskeyAnswer as plugins.dnsPacket.Answer);
-
-        // Sign the DNSKEY RRset
-        const rrsig = this.generateRRSIG('DNSKEY', [dnskeyAnswer], question.name);
-        response.answers.push(rrsig as plugins.dnsPacket.Answer);
-
+        recordsForQuestion.push(dnskeyAnswer);
        answered = true;
-        continue;
+      } else {
+        // Collect all matching records from handlers
+        for (const handlerEntry of this.handlers) {
+          if (
+            plugins.minimatch.minimatch(question.name, handlerEntry.domainPattern) &&
+            handlerEntry.recordTypes.includes(question.type)
+          ) {
+            const answer = handlerEntry.handler(question);
+            if (answer) {
+              // Ensure the answer has ttl and class
+              const dnsAnswer: DnsAnswer = {
+                ...answer,
+                ttl: answer.ttl || 300,
+                class: answer.class || 'IN',
+              };
+              recordsForQuestion.push(dnsAnswer);
+              answered = true;
+              // Continue processing other handlers to allow multiple records
+            }
+          }
+        }
      }

-      for (const handlerEntry of this.handlers) {
-        if (
-          plugins.minimatch.minimatch(question.name, handlerEntry.domainPattern) &&
-          handlerEntry.recordTypes.includes(question.type)
-        ) {
-          const answer = handlerEntry.handler(question);
-          if (answer) {
-            // Ensure the answer has ttl and class
-            const dnsAnswer: DnsAnswer = {
-              ...answer,
-              ttl: answer.ttl || 300,
-              class: answer.class || 'IN',
-            };
-            response.answers.push(dnsAnswer as plugins.dnsPacket.Answer);
-
-            if (dnssecRequested) {
-              // Sign the answer RRset
-              const rrsig = this.generateRRSIG(question.type, [dnsAnswer], question.name);
-              response.answers.push(rrsig as plugins.dnsPacket.Answer);
-            }
-
-            answered = true;
-            break;
-          }
+      // Add records to response and group by type for DNSSEC
+      if (recordsForQuestion.length > 0) {
+        for (const record of recordsForQuestion) {
+          response.answers.push(record as plugins.dnsPacket.Answer);
+        }
+        
+        // Group records by type for DNSSEC signing
+        if (dnssecRequested) {
+          const rrsetKey = `${question.name}:${question.type}`;
+          rrsetMap.set(rrsetKey, recordsForQuestion);
        }
      }

@ -480,7 +627,7 @@ export class DnsServer {
          class: 'IN',
          ttl: 3600,
          data: {
-            mname: `ns1.${this.options.dnssecZone}`,
+            mname: this.options.primaryNameserver || `ns1.${this.options.dnssecZone}`,
            rname: `hostmaster.${this.options.dnssecZone}`,
            serial: Math.floor(Date.now() / 1000),
            refresh: 3600,
@ -490,6 +637,22 @@ export class DnsServer {
          },
        };
        response.answers.push(soaAnswer as plugins.dnsPacket.Answer);
+        
+        // Add SOA record to DNSSEC signing map if DNSSEC is requested
+        if (dnssecRequested) {
+          const soaKey = `${question.name}:SOA`;
+          rrsetMap.set(soaKey, [soaAnswer]);
+        }
+      }
+    }
+
+    // Sign RRsets if DNSSEC is requested
+    if (dnssecRequested) {
+      for (const [key, rrset] of rrsetMap) {
+        const [name, type] = key.split(':');
+        // Sign the entire RRset together
+        const rrsig = this.generateRRSIG(type, rrset, name);
+        response.answers.push(rrsig as plugins.dnsPacket.Answer);
      }
    }

@ -527,6 +690,17 @@ export class DnsServer {

    // Sign the RRset
    const signature = this.dnsSec.signData(rrsetBuffer);
+    
+    // Ensure all fields are defined
+    if (!signerName || !signature) {
+      console.error('RRSIG generation error - missing fields:', {
+        signerName,
+        signature: signature ? 'present' : 'missing',
+        algorithm,
+        keyTag,
+        type
+      });
+    }

    // Construct the RRSIG record
    const rrsig: DnsAnswer = {
@ -535,15 +709,15 @@ export class DnsServer {
      class: 'IN',
      ttl,
      data: {
-        typeCovered: type, // Changed to type string
+        typeCovered: type, // dns-packet expects the string type
        algorithm,
-        labels: name.split('.').length - 1,
+        labels: name.split('.').filter(l => l.length > 0).length, // Fix label count
        originalTTL: ttl,
        expiration,
        inception,
        keyTag,
-        signerName,
-        signature: signature,
+        signersName: signerName || this.options.dnssecZone, // Note: signersName with 's'
+        signature: signature || Buffer.alloc(0), // Fallback to empty buffer
      },
    };

@ -616,10 +790,31 @@ export class DnsServer {
          Buffer.from([dnskeyData.algorithm]),
          dnskeyData.key,
        ]);
+      case 'NS':
+        // NS records contain domain names
+        return this.nameToBuffer(data);
      case 'SOA':
-        // Implement SOA record serialization if needed
-        // For now, return an empty buffer or handle as needed
-        return Buffer.alloc(0);
+        // Implement SOA record serialization according to RFC 1035
+        const mname = this.nameToBuffer(data.mname);
+        const rname = this.nameToBuffer(data.rname);
+        const serial = Buffer.alloc(4);
+        serial.writeUInt32BE(data.serial, 0);
+        const refresh = Buffer.alloc(4);
+        refresh.writeUInt32BE(data.refresh, 0);
+        const retry = Buffer.alloc(4);
+        retry.writeUInt32BE(data.retry, 0);
+        const expire = Buffer.alloc(4);
+        expire.writeUInt32BE(data.expire, 0);
+        const minimum = Buffer.alloc(4);
+        minimum.writeUInt32BE(data.minimum, 0);
+        
+        return Buffer.concat([mname, rname, serial, refresh, retry, expire, minimum]);
+      case 'MX':
+        // MX records contain preference (16-bit) and exchange (domain name)
+        const preference = Buffer.alloc(2);
+        preference.writeUInt16BE(data.preference, 0);
+        const exchange = this.nameToBuffer(data.exchange);
+        return Buffer.concat([preference, exchange]);
      // Add cases for other record types as needed
      default:
        throw new Error(`Serialization for record type ${type} is not implemented.`);
@ -683,45 +878,76 @@ export class DnsServer {
  }

  public async start(): Promise<void> {
-    this.httpsServer = plugins.https.createServer(
-      {
-        key: this.options.httpsKey,
-        cert: this.options.httpsCert,
-      },
-      this.handleHttpsRequest.bind(this)
-    );
-
-    this.udpServer = plugins.dgram.createSocket('udp4');
-    this.udpServer.on('message', (msg, rinfo) => {
-      const request = dnsPacket.decode(msg);
-      const response = this.processDnsRequest(request);
-      const responseData = dnsPacket.encode(response);
-      this.udpServer.send(responseData, rinfo.port, rinfo.address);
-    });
-
-    this.udpServer.on('error', (err) => {
-      console.error(`UDP Server error:\n${err.stack}`);
-      this.udpServer.close();
-    });
-
-    const udpListeningDeferred = plugins.smartpromise.defer<void>();
-    const httpsListeningDeferred = plugins.smartpromise.defer<void>();
-
-    try {
-      this.udpServer.bind(this.options.udpPort, '0.0.0.0', () => {
-        console.log(`UDP DNS server running on port ${this.options.udpPort}`);
-        udpListeningDeferred.resolve();
-      });
-
-      this.httpsServer.listen(this.options.httpsPort, () => {
-        console.log(`HTTPS DNS server running on port ${this.options.httpsPort}`);
-        httpsListeningDeferred.resolve();
-      });
-    } catch (err) {
-      console.error('Error starting DNS server:', err);
-      process.exit(1);
+    // Initialize servers based on what's needed
+    if (!this.options.manualUdpMode) {
+      this.initializeUdpServer();
+    }
+    if (!this.options.manualHttpsMode) {
+      this.initializeHttpsServer();
+    }
+
+    // Handle different mode combinations
+    const udpManual = this.options.manualUdpMode || false;
+    const httpsManual = this.options.manualHttpsMode || false;
+
+    if (udpManual && httpsManual) {
+      console.log('DNS server started in full manual mode - ready to accept connections');
+      return;
+    } else if (udpManual && !httpsManual) {
+      console.log('DNS server started with manual UDP mode and automatic HTTPS binding');
+    } else if (!udpManual && httpsManual) {
+      console.log('DNS server started with automatic UDP binding and manual HTTPS mode');
+    }
+
+    // Validate interface addresses if provided
+    const udpInterface = this.options.udpBindInterface || '0.0.0.0';
+    const httpsInterface = this.options.httpsBindInterface || '0.0.0.0';
+    
+    if (this.options.udpBindInterface && !this.isValidIpAddress(this.options.udpBindInterface)) {
+      throw new Error(`Invalid UDP bind interface: ${this.options.udpBindInterface}`);
+    }
+    
+    if (this.options.httpsBindInterface && !this.isValidIpAddress(this.options.httpsBindInterface)) {
+      throw new Error(`Invalid HTTPS bind interface: ${this.options.httpsBindInterface}`);
+    }
+
+    const promises: Promise<void>[] = [];
+
+    // Bind UDP if not in manual UDP mode
+    if (!udpManual) {
+      const udpListeningDeferred = plugins.smartpromise.defer<void>();
+      promises.push(udpListeningDeferred.promise);
+
+      try {
+        this.udpServer.bind(this.options.udpPort, udpInterface, () => {
+          console.log(`UDP DNS server running on ${udpInterface}:${this.options.udpPort}`);
+          udpListeningDeferred.resolve();
+        });
+      } catch (err) {
+        console.error('Error starting UDP DNS server:', err);
+        udpListeningDeferred.reject(err);
+      }
+    }
+
+    // Bind HTTPS if not in manual HTTPS mode
+    if (!httpsManual) {
+      const httpsListeningDeferred = plugins.smartpromise.defer<void>();
+      promises.push(httpsListeningDeferred.promise);
+
+      try {
+        this.httpsServer.listen(this.options.httpsPort, httpsInterface, () => {
+          console.log(`HTTPS DNS server running on ${httpsInterface}:${this.options.httpsPort}`);
+          httpsListeningDeferred.resolve();
+        });
+      } catch (err) {
+        console.error('Error starting HTTPS DNS server:', err);
+        httpsListeningDeferred.reject(err);
+      }
+    }
+
+    if (promises.length > 0) {
+      await Promise.all(promises);
    }
-    await Promise.all([udpListeningDeferred.promise, httpsListeningDeferred.promise]);
  }

  public async stop(): Promise<void> {
@ -755,6 +981,8 @@ export class DnsServer {
    }

    await Promise.all([doneUdp.promise, doneHttps.promise]);
+    this.udpServerInitialized = false;
+    this.httpsServerInitialized = false;
  }

  // Helper methods
--- a/ts_server/plugins.ts
+++ b/ts_server/plugins.ts
@ -4,14 +4,16 @@ import dgram from 'dgram';
 import fs from 'fs';
 import http from 'http';
 import https from 'https';
+import * as net from 'net';
 import * as path from 'path';

 export {
  crypto,
+  dgram,
  fs,
  http,
  https,
-  dgram,
+  net,
  path,
 }

--- a/ts_server/tspublish.json
+++ b/ts_server/tspublish.json
@ -0,0 +1,3 @@
+{
+  "order": 1
+}
Author	SHA1	Message	Date
Philipp Kunz	56a33dd7ae	7.5.0	2025-06-01 20:53:22 +00:00
Philipp Kunz	9e5fae055f	feat(dnssec): Add MX record DNSSEC support for proper serialization and authentication of mail exchange records	2025-06-01 20:53:22 +00:00
Philipp Kunz	afdd6a6074	7.4.7	2025-05-30 19:49:34 +00:00
Philipp Kunz	3d06131e04	fix(dnsserver): Update documentation to clarify the primaryNameserver option and SOA record behavior in the DNS server. The changes detail how the primaryNameserver configuration customizes the SOA mname, ensures proper DNSSEC signing for RRsets, and updates the configuration interface examples.	2025-05-30 19:49:34 +00:00
Philipp Kunz	1811ebd4d4	7.4.6	2025-05-30 19:28:54 +00:00
Philipp Kunz	e7ace9b596	7.4.5	2025-05-30 19:28:22 +00:00
Philipp Kunz	f6175d1f2b	7.4.4 fix(dnsserver): Fix SOA record timeout issue by correcting RRSIG field formatting - Fixed RRSIG generation by using correct field name 'signersName' (not 'signerName') - Fixed label count calculation in RRSIG by filtering empty strings - Added SOA records to DNSSEC signing map for proper RRSIG generation - Added error logging and fallback values for RRSIG generation robustness - Updated test expectations to match corrected DNSSEC RRset signing behavior - Added comprehensive SOA test coverage including timeout, debug, and simple test scenarios	2025-05-30 19:27:37 +00:00
Philipp Kunz	d67fbc87e2	7.4.3	2025-05-30 18:27:28 +00:00
Philipp Kunz	b87cbbee5c	feat(dnsserver): Enhance DNSSEC RRset signing and add configurable primary nameserver - Fix DNSSEC to properly sign entire RRsets together instead of individual records - Implement proper SOA record serialization according to RFC 1035 - Add primaryNameserver option to IDnsServerOptions for customizable SOA mname field - Add comprehensive tests for DNSSEC RRset signing and SOA record handling - Update documentation with v7.4.3 improvements Co-Authored-By: User <user@example.com>	2025-05-30 18:20:55 +00:00
Philipp Kunz	4e37bc9bc0	7.4.2	2025-05-30 17:09:02 +00:00
Philipp Kunz	2b97dffb47	fix(dnsserver): Enable multiple DNS record support by removing the premature break in processDnsRequest. Now the DNS server aggregates answers from all matching handlers for NS, A, and TXT records, and improves NS record serialization for DNSSEC.	2025-05-30 17:09:02 +00:00
Philipp Kunz	e7cb0921fc	7.4.1	2025-05-28 19:55:01 +00:00
Philipp Kunz	0f8953fc1d	fix(test/server): Fix force cleanup in DNS server tests by casting server properties before closing sockets	2025-05-28 19:55:01 +00:00
Philipp Kunz	1185ea67d4	7.4.0	2025-05-28 19:26:52 +00:00
Philipp Kunz	b187da507b	feat(manual socket handling): Add comprehensive manual socket handling documentation for advanced DNS server use cases	2025-05-28 19:26:52 +00:00
Philipp Kunz	3094c9d06c	7.3.0	2025-05-28 19:16:54 +00:00
Philipp Kunz	62b6fa26fa	feat(dnsserver): Add manual socket mode support to enable external socket control for the DNS server.	2025-05-28 19:16:54 +00:00
Philipp Kunz	46e51cd846	7.2.0	2025-05-28 19:03:46 +00:00
Philipp Kunz	dd12641fb0	feat(dns-server): Improve DNS server interface binding by adding explicit IP validation, configurable UDP/HTTPS binding, and enhanced logging.	2025-05-28 19:03:45 +00:00
Philipp Kunz	df209ffa71	7.1.0	2025-05-27 12:52:00 +00:00
Philipp Kunz	b281fef624	feat(docs): Improve documentation for advanced DNS features and update usage examples for both DNS client and server.	2025-05-27 12:52:00 +00:00
Philipp Kunz	455e9aa6a7	7.0.2	2025-05-27 12:15:17 +00:00
Philipp Kunz	5bc376c8ba	fix(dns-client): Improve test assertions for DNS record queries and correct counter increment logic in DNS client	2025-05-27 12:15:17 +00:00
Philipp Kunz	34cc8dd073	7.0.1	2025-05-27 11:39:22 +00:00
Philipp Kunz	f9aa961e01	fix(test & plugins): Rename test client variable and export smartrequest in client plugins	2025-05-27 11:39:22 +00:00
Philipp Kunz	1e6d59b5b2	7.0.0	2025-05-27 11:31:12 +00:00
Philipp Kunz	24ed3bd238	BREAKING CHANGE(core): Refactor module entry point and update plugin imports; remove deprecated dnsly.plugins, update dependency versions, and adjust test imports	2025-05-27 11:31:12 +00:00