If I am reading rfc4514 correctly the null byte as to be escaped as \00 which would be:

Only ' ', '"', '#', '+', ',', ';', '<', '=', '>', or '\' can be escape by prepending a backslash

This is a tricky one but I argue that this is correct.

The left side is the "search" pattern so we are looking for the null byte which as a string is represented like \000 (octal) or \x00 (hex) both forms result in the null byte.

Now the right (replace) part is actually to things. First \\ and second \000 Together it results in \00 but in string form it needs to be typed as it is above.

https://go.dev/play/p/IzDMsTunmaj

I am still not fully convinced 🙂 what I am referring to is this sentence of the RFC:

Each octet of the character to be escaped is replaced by a backslash
and two hex digits, which form a single octet in the code of the
character.  Alternatively, if and only if the character to be escaped
is one of

      ' ', '"', '#', '+', ',', ';', '<', '=', '>', or '\'

it can be prefixed by a backslash ('\' U+005C).

So the null Byte (\000 in go) needs to be translated into the string \00 (backslash + two hex digits representing the single octet of the "null character"). As the backslash needs to be escaped in go we get \\00. (At least if I am not missing anything obvious)

Yeah, after researching a bit I found that you are right.
This also means that the python library I took inspiration from must be wrong 😅 : https://github.com/python-ldap/python-ldap/blob/44a593d1c55a007a43fcf30d2b027ac910ea1b96/Lib/ldap/dn.py#L31

This is a tricky one but I argue that this is correct.

The left side is the "search" pattern so we are looking for the null byte which as a string is represented like \000 (octal) or \x00 (hex) both forms result in the null byte.

Now the right (replace) part is actually to things. First \\ and second \000 Together it results in \00 but in string form it needs to be typed as it is above.

https://go.dev/play/p/

I see now why this doesn't make sense. :D