How we prevent conflicts in authoritative DNS configuration using formal verification
Cloudflare formally verifies the correctness of its authoritative DNS addressing behavior, which is specified in a custom Lisp-like programming language and managed by a system called Topaz. The goal is that every possible DNS query for a proxied domain is proven to be handled correctly by the nameserver. A Topaz program is a list of policies executed in sequence until one matches; the matching policy determines the IP address returned to the resolver. Cloudflare uses Topaz to manage its global DNS addressing behavior and to ensure that different systems within the company do not hold contradictory views on which IP addresses should be returned for a given query. Topaz's verifier is implemented with Rosette, a solver-aided domain-specific language built on Racket, and has proven effective at detecting bugs and conflicts between Topaz programs. The verifier is now deployed to production and formally verifies every change to the authoritative DNS behavior specified in Topaz.
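As an added illustration, not Cloudflare's code and not Topaz's actual policy language, the following Python models first-match policy evaluation over a small query space and runs the checks the summary describes: that every query is answered, that no policy is made unreachable by an earlier one, and that two programs never return different answers for the same query. Topaz's verifier reasons over all queries symbolically through Rosette's solver backend; here an exhaustively enumerated finite query space stands in for that, and the names, addresses and policy shapes are constructed for the example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, List, Optional, Tuple

# A query is (name, qtype, client_region). This is a constructed, simplified
# model of a Topaz-style program: policies are tried in order, first match wins.
Query = Tuple[str, str, str]


@dataclass(frozen=True)
class Policy:
    label: str
    matches: Callable[[Query], bool]
    answer: str  # IP address returned when this policy matches


def evaluate(program: List[Policy], q: Query) -> Optional[str]:
    """First-match semantics: return the answer of the first policy that matches, or None."""
    for policy in program:
        if policy.matches(q):
            return policy.answer
    return None


# Constructed finite query space standing in for the solver's symbolic query.
NAMES = ("www.example.com", "api.example.com", "mail.example.com")
QTYPES = ("A", "AAAA")
REGIONS = ("eu", "us")
QUERY_SPACE: List[Query] = list(product(NAMES, QTYPES, REGIONS))


def verify_total(program: List[Policy]) -> Optional[Query]:
    """Return the first query that no policy answers, or None if every query is handled."""
    for q in QUERY_SPACE:
        if evaluate(program, q) is None:
            return q
    return None


def find_shadowed(program: List[Policy]) -> List[str]:
    """Labels of policies that can never fire because earlier policies cover every query they match."""
    shadowed = []
    for i, policy in enumerate(program):
        earlier = program[:i]
        reachable = any(
            policy.matches(q) and evaluate(earlier, q) is None for q in QUERY_SPACE
        )
        if not reachable:
            shadowed.append(policy.label)
    return shadowed


def find_conflict(prog_a: List[Policy], prog_b: List[Policy]):
    """Return (query, answer_a, answer_b) for the first query where two programs disagree, or None."""
    for q in QUERY_SPACE:
        a, b = evaluate(prog_a, q), evaluate(prog_b, q)
        if a != b:
            return (q, a, b)
    return None


# Constructed example: two teams encode the same intent but order the policies differently.
IPV6_WWW = Policy("ipv6-www", lambda q: q[0] == "www.example.com" and q[1] == "AAAA", "2001:db8::1")
EU_ANYCAST = Policy("eu-anycast", lambda q: q[2] == "eu", "198.51.100.1")
DEFAULT = Policy("default", lambda q: True, "203.0.113.1")

TEAM_A = [IPV6_WWW, EU_ANYCAST, DEFAULT]
TEAM_B = [EU_ANYCAST, IPV6_WWW, DEFAULT]

if __name__ == "__main__":
    print("unhandled query in TEAM_A:", verify_total(TEAM_A))
    print("unhandled query without default:", verify_total(TEAM_A[:-1]))
    print("shadowed when default comes first:", find_shadowed([DEFAULT, EU_ANYCAST]))
    print("disagreement between teams:", find_conflict(TEAM_A, TEAM_B))
```

The disagreement the last check surfaces is exactly the kind of conflict the summary refers to: both teams' programs answer every query, yet an AAAA query for www.example.com from the eu region gets the IPv6 address from one program and the EU anycast address from the other, because the two policies overlap and their order differs. A real deployment would encode the policies as a symbolic program and let the solver search for such a query rather than enumerate the space.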
Company
Cloudflare
Date published
Nov. 8, 2024
Author(s)
James Larisch, Suleman Ahmad, Marwan Fayed
Word count
3736
Language
English
Hacker News points
None found.