{"id":44787448,"url":"https://github.com/infobloxopen/dns-aid-core","last_synced_at":"2026-04-25T23:03:41.816Z","repository":{"id":338020612,"uuid":"1150940043","full_name":"infobloxopen/dns-aid-core","owner":"infobloxopen","description":"DNS-based Agent Identification and Discovery - Reference Implementation for IETF BANDAID","archived":false,"fork":false,"pushed_at":"2026-03-28T09:38:46.000Z","size":1071,"stargazers_count":4,"open_issues_count":1,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-28T13:57:07.140Z","etag":null,"topics":["a2a","agent-discovery","ai-agents","bandaid","dns","dns-aid","dnssec","ietf","linux-foundation","mcp","svcb"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/infobloxopen.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":"CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":"DCO","cla":null}},"created_at":"2026-02-05T21:40:15.000Z","updated_at":"2026-03-28T09:35:40.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/infobloxopen/dns-aid-core","commit_stats":null,"previous_names":["infobloxopen/dns-aid-core"],"tags_count":41,"template":false,"template_full_name":null,"purl":"pkg:github/infobloxopen/dns-aid-core","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobloxopen%2Fdns-aid-core","tags_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/infobloxopen%2Fdns-aid-core/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobloxopen%2Fdns-aid-core/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobloxopen%2Fdns-aid-core/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/infobloxopen","download_url":"https://codeload.github.com/infobloxopen/dns-aid-core/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infobloxopen%2Fdns-aid-core/sbom","scorecard":{"id":1243296,"data":{"date":"2026-02-12T15:06:49Z","repo":{"name":"github.com/infobloxopen/dns-aid-core","commit":"7c859a333531eeb5d8b7c8739c6136256a08a143"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":5.8,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"12 out of 12 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are 
merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/20 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: infoblox contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update 
tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:29: update 
your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/codeql.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dco.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/dco.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dco.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/dco.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:50: update your workflow using 
https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/scorecard.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:50: update your workflow using 
https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/infobloxopen/dns-aid-core/security.yml/main?enable=pin","Warn: pipCommand not pinned by hash: Dockerfile:30-32","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:35","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:36","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:81","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:82","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:101","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:102","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:124","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:125","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:27","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:28","Warn: pipCommand not pinned by hash: .github/workflows/security.yml:86","Warn: pipCommand not pinned by hash: .github/workflows/security.yml:87","Warn: pipCommand not pinned by hash: .github/workflows/security.yml:88","Warn: pipCommand not pinned by hash: .github/workflows/security.yml:30","Warn: pipCommand not pinned by hash: .github/workflows/security.yml:59","Warn: pipCommand not pinned by hash: .github/workflows/security.yml:60","Warn: pipCommand not pinned by hash: .github/workflows/security.yml:61","Info:   0 out of  27 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   5 third-party GitHubAction dependencies pinned","Info:   2 out of   2 containerImage dependencies pinned","Info:   2 out of  20 
pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 2 commits out of 19 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":8,"reason":"3 out of the last 3 releases have a total of 3 signed artifacts.","details":["Info: signed release artifact: dns_aid-0.6.2-py3-none-any.whl.sig: https://api.github.com/repos/infobloxopen/dns-aid-core/releases/assets/354826828","Info: signed release artifact: dns_aid-0.6.1-py3-none-any.whl.sig: https://api.github.com/repos/infobloxopen/dns-aid-core/releases/assets/354803211","Info: signed release artifact: dns_aid-0.6.0-py3-none-any.whl.sig: https://api.github.com/repos/infobloxopen/dns-aid-core/releases/assets/354783871","Warn: release artifact v0.6.2 does not have provenance: https://api.github.com/repos/infobloxopen/dns-aid-core/releases/285714404","Warn: release artifact v0.6.1 does not have provenance: 
https://api.github.com/repos/infobloxopen/dns-aid-core/releases/285692105","Warn: release artifact v0.6.0 does not have provenance: https://api.github.com/repos/infobloxopen/dns-aid-core/releases/285671084"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:14","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/dco.yml:8","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/dco.yml:9","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/security.yml:13","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-02-13T03:35:31.375Z","repository_id":338020612,"created_at":"2026-02-13T03:35:31.375Z","updated_at":"2026-02-13T03:35:31.375Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31495466,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-06T17:22:55.647Z","status":"ssl_error","status_checked_at":"2026-04-06T17:22:54.741Z","response_time":112,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["a2a","agent-discovery","ai-agents","bandaid","dns","dns-aid","dnssec","ietf","linux-foundation","mcp","svcb"],"created_at":"2026-02-16T10:26:25.813Z","updated_at":"2026-04-25T23:03:41.808Z","avatar_url":"https://github.com/infobloxopen.png","language":"Python","funding_links":[],"categories":["Agent Identity \u0026 Credentials"],"sub_categories":[],"readme":"# 
DNS-AID\n\n[![CI](https://github.com/infobloxopen/dns-aid-core/actions/workflows/ci.yml/badge.svg)](https://github.com/infobloxopen/dns-aid-core/actions/workflows/ci.yml)\n[![Security](https://github.com/infobloxopen/dns-aid-core/actions/workflows/security.yml/badge.svg)](https://github.com/infobloxopen/dns-aid-core/actions/workflows/security.yml)\n[![CodeQL](https://github.com/infobloxopen/dns-aid-core/actions/workflows/codeql.yml/badge.svg)](https://github.com/infobloxopen/dns-aid-core/actions/workflows/codeql.yml)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/infobloxopen/dns-aid-core/badge)](https://scorecard.dev/viewer/?uri=github.com/infobloxopen/dns-aid-core)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12651/badge)](https://www.bestpractices.dev/projects/12651)\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue)](LICENSE)\n[![Python](https://img.shields.io/badge/python-3.11%20%7C%203.12%20%7C%203.13-blue)](https://www.python.org/)\n[![PyPI](https://img.shields.io/pypi/v/dns-aid)](https://pypi.org/project/dns-aid/)\n\n**DNS-based Agent Identification and Discovery**\n\nReference implementation for [IETF draft-mozleywilliams-dnsop-dnsaid-01](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/).\n\nDNS-AID enables AI agents to discover each other via DNS, using the internet's existing naming infrastructure instead of centralized registries or hardcoded URLs.\n\n\u003e **New to DNS-AID?** Start with the [Getting Started Guide](docs/getting-started.md) for install, first agent publication, and backend setup.\n\n## Documentation\n\n- [Getting Started Guide](docs/getting-started.md) — install, first agent publication, backend setup\n- [API Reference](docs/api-reference.md) — Python SDK, CLI, and MCP server tool reference\n- [Architecture](docs/architecture.md) — protocol layers, metadata resolution, integration points\n- [Integrations](docs/integrations.md) — backend-specific 
setup notes\n- [Demo Guide](docs/demo-guide.md) — end-to-end walkthrough for talks and presentations\n- [Privacy Policy](PRIVACY.md) | [Security Policy](SECURITY.md) | [Trademarks](TRADEMARKS.md)\n\n## Companion services\n\nThe DNS-AID protocol is implementation-agnostic — it works against any DNS provider and any directory implementation. The library in this repository is sufficient on its own; the items below are independent, community-operated services that demonstrate what can be built on top of DNS-AID.\n\n🌐 **Hosted Agent Directory** (operated by Infoblox): [directory.velosecurity-ai.io](https://directory.velosecurity-ai.io) — indexes DNS-AID agents discovered across public DNS, with full-text search, capability filtering, trust scoring, lifecycle/sunset tracking, and copy-paste configs for Claude Desktop / Cursor / the SDK. API docs at [api.velosecurity-ai.io/api/v1/docs](https://api.velosecurity-ai.io/api/v1/docs).\n\nYou are encouraged to run your own directory or telemetry backend — the indexer is a thin layer over the same DNS records this library publishes and discovers, and the SDK telemetry sink is configurable via `DNS_AID_SDK_HTTP_PUSH_URL` (off by default).\n\n## Quick Start\n\n### Install\n\n```bash\n# Install from PyPI\npip install \"dns-aid[cli,mcp]\"\n\n# Or install the latest unreleased main from GitHub\npip install \"dns-aid[cli,mcp] @ git+https://github.com/infobloxopen/dns-aid-core.git\"\n```\n\nFor backend-specific extras (`route53`, `cloudflare`, `ns1`, `cloud_dns`, `infoblox`, `ddns`), see the [Getting Started Guide](docs/getting-started.md#install).\n\n### Python Library\n\n```python\nimport dns_aid\n\n# Publish your agent to DNS\nawait dns_aid.publish(\n    name=\"my-agent\",\n    domain=\"example.com\",\n    protocol=\"mcp\",\n    endpoint=\"agent.example.com\",\n    capabilities=[\"chat\", \"code-review\"]\n)\n\n# Discover agents at a domain (pure DNS - default)\nagents = await dns_aid.discover(\"example.com\")\nfor agent in 
agents:\n    print(f\"{agent.name}: {agent.endpoint_url}\")\n\n# Discover via HTTP index (ANS-compatible, richer metadata)\nagents = await dns_aid.discover(\"example.com\", use_http_index=True)\n\n# Verify an agent's DNS records\nresult = await dns_aid.verify(\"_my-agent._mcp._agents.example.com\")\nprint(f\"Security Score: {result.security_score}/100\")\n```\n\n### SDK: Invoke Agents \u0026 Capture Telemetry (v0.6.0+)\n\n```python\nimport dns_aid\n\n# Discover + invoke in one line — telemetry captured automatically\nresult = await dns_aid.discover(\"example.com\", protocol=\"mcp\")\nagent = result.agents[0]\n\nresp = await dns_aid.invoke(agent, method=\"tools/list\")\nprint(f\"Latency: {resp.signal.invocation_latency_ms}ms\")\nprint(f\"Status:  {resp.signal.status}\")\nprint(f\"Tools:   {resp.data}\")\n\n# Rank multiple agents by performance\nranked = await dns_aid.rank(result.agents, method=\"tools/list\")\nfor r in ranked:\n    print(f\"{r.agent_fqdn}: score={r.composite_score:.1f}\")\n\n# Fetch community-wide rankings from telemetry API (v0.6.0+)\nfrom dns_aid.sdk import AgentClient, SDKConfig\n\nconfig = SDKConfig(telemetry_api_url=\"https://api.example.com\")\nasync with AgentClient(config) as client:\n    rankings = await client.fetch_rankings(limit=10)\n    for r in rankings:\n        print(f\"{r['agent_fqdn']}: {r['composite_score']}\")\n```\n\nFor advanced usage (connection reuse, OTEL export):\n\n```python\nfrom dns_aid.sdk import AgentClient, SDKConfig\n\nconfig = SDKConfig(\n    otel_enabled=True,         # Export to OpenTelemetry\n    caller_id=\"my-app\",\n    http_push_url=\"https://api.example.com/v1/telemetry/signals\",\n)\n\nasync with AgentClient(config=config) as client:\n    resp = await client.invoke(agent, method=\"tools/call\", arguments={...})\n    fqdns = [a.fqdn for a in agents]\n    ranked = client.rank(fqdns)  # Rank by local telemetry signals\n```\n\n## CLI Usage\n\n```bash\n# Publish an agent to DNS\ndns-aid publish \\\n    --name 
my-agent \\\n    --domain example.com \\\n    --protocol mcp \\\n    --endpoint agent.example.com \\\n    --capability chat \\\n    --capability code-review\n\n# Publish with transport and auth metadata (v0.10.0+)\ndns-aid publish \\\n    --name billing \\\n    --domain example.com \\\n    --protocol mcp \\\n    --endpoint mcp.example.com \\\n    --capability billing --capability invoicing \\\n    --transport streamable-http \\\n    --auth-type bearer\n\n# Publish with DNS-AID custom SVCB parameters (v0.4.8+)\ndns-aid publish \\\n    --name booking \\\n    --domain example.com \\\n    --protocol mcp \\\n    --endpoint mcp.example.com \\\n    --capability travel --capability booking \\\n    --cap-uri https://mcp.example.com/.well-known/agent-cap.json \\\n    --cap-sha256 dGVzdGhhc2g \\\n    --bap \"mcp/1,a2a/1\" \\\n    --policy-uri https://example.com/agent-policy \\\n    --realm production\n\n# Discover agents at a domain (pure DNS - default)\ndns-aid discover example.com\n\n# Discover with filters\ndns-aid discover example.com --protocol mcp --name chat\n\n# Discover via HTTP index (ANS-compatible, richer metadata)\ndns-aid discover example.com --use-http-index\n\n# Output as JSON\ndns-aid discover example.com --json\n\n# Verify DNS records\ndns-aid verify _my-agent._mcp._agents.example.com\n\n# List DNS-AID records in a zone\ndns-aid list example.com\n\n# List available zones (Route 53)\ndns-aid zones\n\n# Delete an agent\ndns-aid delete --name my-agent --domain example.com --protocol mcp\n\n# Index Management (v0.3.0+)\n# List agents in a domain's index record\ndns-aid index list example.com\n\n# Sync index with actual DNS records (useful for repair)\ndns-aid index sync example.com\n\n# Publish without updating the index (for internal agents)\ndns-aid publish --name internal-bot --domain example.com --protocol mcp --no-update-index\n\n# Domain Submission to Agent Directory (v0.4.0+)\n# Submit your domain for crawling and indexing\ndns-aid submit 
example.com\n\n# Submit with company metadata\ndns-aid submit example.com \\\n    --company-name \"Example Corp\" \\\n    --company-website \"https://example.com\" \\\n    --company-description \"We build AI agents\"\n```\n\n### Agent Index Records\n\nDNS-AID v0.3.0 automatically maintains an index record at `_index._agents.{domain}` for efficient discovery:\n\n```\n_index._agents.example.com. TXT \"agents=chat:mcp,billing:a2a,support:https\"\n```\n\n**Benefits:**\n- Single DNS query discovers all agents at a domain\n- Crawlers can efficiently index domains\n- Explicit list of published agents (no guessing)\n\nThe index is updated automatically when you `publish` or `delete` agents. Use `--no-update-index` to opt out for internal agents.\n\n### HTTP Index Discovery (ANS-Compatible)\n\nDNS-AID also supports HTTP-based agent discovery for compatibility with ANS-style systems. This provides richer metadata (descriptions, model cards, capabilities, costs) while still validating endpoints via DNS.\n\n**Endpoint patterns tried (in order):**\n1. `https://index.aiagents.{domain}/index-wellknown` (demo-friendly, no underscores)\n2. `https://_index._aiagents.{domain}/index-wellknown` (ANS-style)\n3. 
`https://{domain}/.well-known/agents-index.json` (well-known path)\n\n**Capability Document endpoint (v0.4.8+):**\n- `https://index.aiagents.{domain}/cap/{agent-name}` — returns a capability document JSON per agent\n\n```bash\n# Fetch HTTP index directly\ncurl https://index.aiagents.example.com/index-wellknown\n\n# Fetch capability document for a specific agent\ncurl https://index.aiagents.example.com/cap/booking-agent\n\n# CLI with HTTP index\ndns-aid discover example.com --use-http-index\n```\n\n```python\n# Python with HTTP index\nagents = await dns_aid.discover(\"example.com\", use_http_index=True)\n```\n\n| Discovery Method | When to Use |\n|-----------------|-------------|\n| **DNS (default)** | Maximum decentralization, offline caching, minimal round trips |\n| **HTTP Index** | Rich metadata upfront, ANS compatibility, model cards, capabilities, direct endpoints |\n\n**FQDN as Source of Truth (v0.4.7):** The HTTP index only needs to provide each agent's FQDN (e.g., `_booking._mcp._agents.example.com`). Agent name and protocol are extracted from the FQDN — no separate `protocols` field needed. DNS SVCB lookup then resolves the authoritative endpoint.\n\n**Discovery Transparency (v0.4.6+):** Each discovered agent includes source fields showing how data was resolved:\n\n| Field | Values | Description |\n|-------|--------|-------------|\n| `endpoint_source` | `dns_svcb`, `http_index_fallback`, `direct` | How the endpoint was resolved |\n| `capability_source` | `cap_uri`, `txt_fallback`, `none` | How capabilities were discovered (v0.4.8+) |\n\n**Capability Resolution (v0.4.8+):** Capabilities are resolved with the following priority:\n1. **SVCB `cap` URI** → fetch capability document (JSON with capabilities, version, description)\n2. **TXT record fallback** → `capabilities=chat,support` from DNS TXT record\n3. 
**HTTP Index inline** → capabilities embedded in the index JSON response\n\n## MCP Server\n\nDNS-AID includes an MCP (Model Context Protocol) server that allows AI agents like Claude to publish and discover other agents.\n\n### Running the MCP Server\n\n```bash\n# Run with stdio transport (default - for Claude Desktop, etc.)\ndns-aid-mcp\n\n# Run with HTTP transport\ndns-aid-mcp --transport http --port 8000\n```\n\n### Available MCP Tools\n\n| Tool | Description |\n|------|-------------|\n| `publish_agent_to_dns` | Publish an AI agent to DNS (auto-updates index) |\n| `discover_agents_via_dns` | Discover AI agents at a domain (supports `use_http_index` for ANS-compatible discovery) |\n| `list_agent_tools` | List available tools on a discovered MCP agent |\n| `call_agent_tool` | Call a tool on a discovered MCP agent (proxy requests) |\n| `verify_agent_dns` | Verify DNS-AID records and security |\n| `list_published_agents` | List all agents in a domain |\n| `delete_agent_from_dns` | Remove an agent from DNS (auto-updates index) |\n| `list_agent_index` | List agents in domain's index record |\n| `sync_agent_index` | Sync index with actual DNS records |\n| `diagnose_environment` | Run environment diagnostics (deps, DNS, backends) |\n\n### Claude Desktop Integration\n\nAdd to your Claude Desktop config (`~/Library/Application Support/Claude/claude_desktop_config.json`):\n\n```json\n{\n  \"mcpServers\": {\n    \"dns-aid\": {\n      \"command\": \"dns-aid-mcp\"\n    }\n  }\n}\n```\n\nThen Claude can discover and connect to AI agents:\n\n\u003e \"Find available agents at example.com\"\n\u003e\n\u003e \"Publish my chat agent to DNS at mycompany.com\"\n\u003e\n\u003e \"Discover agents at example.com and search for flights from SFO to JFK\"\n\n#### Live Demo\n\nTry the live demo with Claude Desktop:\n\n```json\n{\n  \"mcpServers\": {\n    \"dns-aid\": {\n      \"command\": \"python\",\n      \"args\": [\"-m\", \"dns_aid.mcp.server\"]\n    }\n  }\n}\n```\n\nThen ask Claude to 
discover and use the booking agent:\n\n\u003e \"Discover agents at example.com using HTTP index, find a booking agent, and search for flights from SFO to JFK on March 15th 2026\"\n\nClaude will:\n1. Call `discover_agents_via_dns` → finds booking-agent at `https://booking.example.com/mcp`\n2. Call `list_agent_tools` → sees search_flights, get_flight_details, check_availability, create_reservation\n3. Call `call_agent_tool` → searches for flights and returns results\n\n## How It Works\n\nDNS-AID uses SVCB records (RFC 9460) to advertise AI agents:\n\n```\n_chat._a2a._agents.example.com. 3600 IN SVCB 1 chat.example.com. alpn=\"a2a\" port=443 mandatory=\"alpn,port\"\n_chat._a2a._agents.example.com. 3600 IN TXT \"capabilities=chat,assistant\" \"version=1.0.0\"\n```\n\n**DNS-AID Custom SVCB Parameters (v0.4.8+):** Per the IETF draft, SVCB records can carry additional custom parameters for richer agent metadata:\n\n```\n_booking._mcp._agents.example.com. SVCB 1 mcp.example.com. alpn=\"mcp\" port=443 \\\n    cap=\"https://mcp.example.com/.well-known/agent-cap.json\" \\\n    cap-sha256=\"dGVzdGhhc2g\" bap=\"mcp/1,a2a/1\" \\\n    policy=\"https://example.com/agent-policy\" realm=\"production\"\n```\n\n| Parameter | Purpose |\n|-----------|---------|\n| `cap` | URI to capability document (rich JSON metadata) |\n| `cap-sha256` | SHA-256 digest of capability descriptor for integrity verification |\n| `bap` | Supported bulk agent protocols with versioning |\n| `policy` | URI to agent policy document |\n| `realm` | Multi-tenant scope identifier |\n\nThis allows any DNS client to discover agents without proprietary protocols or central registries.\n\n### Discovery Flow (DNS-AID Draft Aligned)\n\n```\n  Agent A                        DNS                           Agent B\n     │                            │                               │\n     │  \"Find agents at           │                               │\n     │   salesforce.com\"          │                               │\n     
│                            │                               │\n  ┌──┴──────────────────────────────────────────────────────────────┐\n  │  Step 1: Fetch HTTP Index (primary)                             │\n  │  ──────────────────────────────────                             │\n  │  GET https://index.aiagents.salesforce.com/index-wellknown      │\n  │  Response: [{\"fqdn\":\"_chat._a2a._agents.salesforce.com\",...}]   │\n  │                                                                 │\n  │  Fallback: Query TXT Index via DNS                              │\n  │  Query: _index._agents.salesforce.com TXT                       │\n  │  Response: \"agents=chat:a2a,billing:mcp\"                        │\n  └──┬──────────────────────────────────────────────────────────────┘\n     │                            │                               │\n  ┌──┴──────────────────────────────────────────────────────────────┐\n  │  Step 2: Query SVCB per agent                                   │\n  │  ────────────────────────────                                   │\n  │  Query: _chat._a2a._agents.salesforce.com SVCB                  │\n  │  Response: SVCB 1 chat.salesforce.com. 
alpn=\"a2a\" port=443      │\n  │            cap=\"https://chat.salesforce.com/.well-known/cap.json\"│\n  │  (DNSSEC validated)                                             │\n  └──┬──────────────────────────────────────────────────────────────┘\n     │                            │                               │\n  ┌──┴──────────────────────────────────────────────────────────────┐\n  │  Step 2b: Fetch Capability Document (if cap URI present)        │\n  │  ───────────────────────────────────────────────────            │\n  │  GET https://chat.salesforce.com/.well-known/cap.json           │\n  │  Response: {\"capabilities\":[\"chat\",\"support\"],\"version\":\"1.0\"}  │\n  │  (cap_sha256 integrity verified)                                │\n  └──┬──────────────────────────────────────────────────────────────┘\n     │                            │                               │\n  ┌──┴──────────────────────────────────────────────────────────────┐\n  │  Step 3: TXT Capabilities (fallback if no cap document)         │\n  │  ──────────────────────────────────────────────────             │\n  │  Query: _chat._a2a._agents.salesforce.com TXT                   │\n  │  Response: \"capabilities=chat,support\" \"version=1.0.0\"          │\n  └──┬──────────────────────────────────────────────────────────────┘\n     │                            │                               │\n     ├────────────────────────────────────────────────────────────►│\n     │  Connect to https://chat.salesforce.com:443                │\n```\n\n**Index Resolution Priority:** HTTP index endpoint → TXT index record → common name probing.\n**Capability Resolution Priority:** SVCB `cap` URI → capability document → TXT record fallback.\nEach discovered agent includes `endpoint_source` and `capability_source` showing which path was used.\n\n## Agent Metadata Contract (v0.10.0+)\n\nDNS discovery tells you WHERE an agent is. 
The **Agent Metadata Contract** tells you HOW to connect, WHAT it can do, and WHETHER it's still active.\n\nEvery DNS-AID agent can serve a `.well-known/agent.json` endpoint:\n\n```\nGET https://mcp.example.com/.well-known/agent.json\n\n{\n  \"aid_version\": \"1.0\",\n  \"identity\": { \"name\": \"billing\", \"version\": \"2.1.0\", \"deprecated\": false },\n  \"connection\": { \"protocol\": \"mcp\", \"transport\": \"streamable-http\" },\n  \"auth\": { \"type\": \"bearer\", \"header_name\": \"Authorization\" },\n  \"capabilities\": {\n    \"supports_streaming\": true,\n    \"actions\": [\n      { \"name\": \"get_invoice\", \"intent\": \"query\", \"semantics\": \"read\" },\n      { \"name\": \"process_payment\", \"intent\": \"transaction\", \"semantics\": \"write\" }\n    ]\n  }\n}\n```\n\n**Why this matters for orchestrators (LangGraph, CrewAI, etc.):**\n\n| Field | Orchestrator Decision |\n|-------|----------------------|\n| `intent: query` | Safe to call in parallel, cacheable |\n| `intent: transaction` | Needs atomic execution, rollback on failure |\n| `semantics: read` | Safe to retry on timeout |\n| `semantics: write` | NOT safe to retry — may duplicate side effects |\n| `auth.type: oauth2` | Needs token exchange before calling |\n| `deprecated: true` | Route to `successor_fqdn` instead |\n\n**A2A Compatibility:** Both DNS-AID and Google A2A use `/.well-known/agent.json`. The metadata fetcher auto-detects the format — DNS-AID native (has `aid_version` key) or A2A Agent Card — and normalizes both into the same metadata fields.\n\n## Architecture\n\n### Client-Side: Toolkit\n\n```\n┌─────────────────┐     ┌─────────────────┐     ┌─────────────────────────┐\n│   AI Agents     │     │   Developers    │     │   Infrastructure Ops    │\n│  (Claude, etc.) 
│     │                 │     │                         │\n└────────┬────────┘     └────────┬────────┘     └────────────┬────────────┘\n         │                       │                           │\n         │ MCP Protocol          │ CLI                       │ CLI / API\n         ▼                       ▼                           ▼\n┌─────────────────────────────────────────────────────────────────────────┐\n│                         DNS-AID TOOLKIT                                 │\n│                                                                         │\n│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────────────┐ │\n│  │   MCP Server    │  │      CLI        │  │     Python Library      │ │\n│  │                 │  │                 │  │                         │ │\n│  │ • publish_agent │  │ • dns-aid       │  │ • dns_aid.publish()     │ │\n│  │ • discover_     │  │   publish       │  │ • dns_aid.discover()    │ │\n│  │   agents        │  │ • dns-aid       │  │ • dns_aid.verify()      │ │\n│  │ • verify_agent  │  │   discover      │  │ • dns_aid.invoke()  ◄── Tier 1 SDK\n│  │ • list_agents   │  │ • dns-aid       │  │ • dns_aid.rank()        │ │\n│  │ • call_agent    │  │   verify        │  │                         │ │\n│  └────────┬────────┘  └────────┬────────┘  └────────────┬────────────┘ │\n│           │                    │                        │              │\n│           └────────────────────┴────────────────────────┘              │\n│                                │                                       │\n│                                ▼                                       │\n│  ┌─────────────────────────────────────────────────────────────────┐  │\n│  │                        CORE ENGINE                              │  │\n│  │                                                                 │  │\n│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐ │  │\n│  │  │  Publisher  │  │ Discoverer  │  │      Validator     
     │ │  │\n│  │  │             │  │             │  │                         │ │  │\n│  │  │ Create SVCB │  │ Query DNS   │  │ • DNSSEC validation     │ │  │\n│  │  │ Create TXT  │  │ Parse SVCB  │  │ • DANE/TLSA check       │ │  │\n│  │  │             │  │ Return      │  │ • Endpoint health       │ │  │\n│  │  │             │  │ endpoints   │  │                         │ │  │\n│  │  └──────┬──────┘  └──────┬──────┘  └────────────┬────────────┘ │  │\n│  │         │                │                      │              │  │\n│  └─────────┴────────────────┴──────────────────────┴──────────────┘  │\n│                             │                                        │\n└─────────────────────────────┼────────────────────────────────────────┘\n                              │\n                              ▼\n┌───────────────────────────────────────────────────────────────────────────────────┐\n│                          DNS BACKEND ABSTRACTION                                  │\n│                                                                                   │\n│  ┌───────────┐  ┌───────────┐  ┌───────────┐  ┌───────────┐  ┌───────────┐      │\n│  │  Route53  │  │ Infoblox  │  │   DDNS    │  │Cloudflare │  │   Mock    │      │\n│  │  (AWS)    │  │   UDDI    │  │ (RFC2136) │  │           │  │ (Testing) │      │\n│  └─────┬─────┘  └─────┬─────┘  └─────┬─────┘  └─────┬─────┘  └─────┬─────┘      │\n│        │              │              │              │              │             │\n└────────┴──────────────┴──────────────┴──────────────┴──────────────┴─────────────┘\n                              │\n                              ▼\n┌─────────────────────────────────────────────────────────────────────────┐\n│                       DNS INFRASTRUCTURE                                │\n│                                                                         │\n│   Authoritative DNS servers hosting _agents.{domain} zones              │\n│   with SVCB, TXT, and TLSA 
records secured by DNSSEC                   │\n└─────────────────────────────────────────────────────────────────────────┘\n```\n\n### Server-Side: Agent Directory Pipeline\n\n```\n┌──────────────────────────────────────────────────────────────────────────┐\n│                    AGENT DIRECTORY PIPELINE                              │\n│                                                                          │\n│  ┌──────────┐   ┌───────────────┐   ┌──────────────┐   ┌────────────┐  │\n│  │ CRAWLING │──▶│   CURATION    │──▶│   INDEXING   │──▶│  SERVING   │  │\n│  │          │   │               │   │              │   │            │  │\n│  │ DNS SVCB │   │ trust_score   │   │ TSVECTOR     │   │ REST API   │  │\n│  │ HTTP Idx │   │ security_score│   │ full-text    │   │ Search     │  │\n│  │ .well-   │   │ telemetry     │   │ search       │   │ Rankings   │  │\n│  │ known/   │   │ scoring       │   │              │   │            │  │\n│  │ agent.json   │               │   │              │   │            │  │\n│  └──────────┘   └───────────────┘   └──────────────┘   └────────────┘  │\n│       │                                                                  │\n│       ▼                                                                  │\n│  ┌──────────────────────────────────────────────────────────────────┐   │\n│  │             METADATA ENRICHMENT (Phase 5.5)                      │   │\n│  │                                                                  │   │\n│  │  GET /.well-known/agent.json                                     │   │\n│  │    ├─ \"aid_version\" present? → Parse as DNS-AID AgentMetadata    │   │\n│  │    └─ No? 
→ Try A2A Agent Card → Transform to metadata fields    │   │\n│  │                                                                  │   │\n│  │  Extracts: transport, auth, capabilities (intent/semantics),     │   │\n│  │            lifecycle (deprecated, sunset_date, successor)        │   │\n│  └──────────────────────────────────────────────────────────────────┘   │\n│                                                                          │\n└──────────────────────────────────────────────────────────────────────────┘\n```\n\n## Choosing the Right Interface\n\nDNS-AID provides three interfaces. Choose based on your use case:\n\n### Python Library\n\n**Best for:** Application developers building agent discovery into their code.\n\n```python\nimport dns_aid\n\n# Integrate directly into your Python application\nagents = await dns_aid.discover(\"example.com\", protocol=\"mcp\")\n```\n\n| Use Case | Example |\n|----------|---------|\n| Building an AI agent that discovers other agents | Agent mesh applications |\n| Embedding discovery into existing Python apps | Adding DNS-AID to a Flask/FastAPI service |\n| Automated pipelines and scripts | CI/CD, scheduled publishing |\n| Unit testing with mock backend | Testing without real DNS |\n\n### CLI Tool\n\n**Best for:** Operators, DevOps, and quick manual operations.\n\n```bash\ndns-aid discover example.com --protocol mcp\n```\n\n| Use Case | Example |\n|----------|---------|\n| Manual publishing/discovery | Testing a new agent deployment |\n| Shell scripts and automation | `cron` jobs, deployment scripts |\n| Debugging and troubleshooting | Checking DNS records exist |\n| Zone management | Listing agents, bulk operations |\n\n### MCP Server\n\n**Best for:** AI assistants (Claude, etc.) 
that need DNS-AID capabilities.\n\n```bash\ndns-aid-mcp  # Claude can now use DNS-AID tools\n```\n\n| Use Case | Example |\n|----------|---------|\n| Claude Desktop integration | \"Find agents at salesforce.com\" |\n| AI-driven infrastructure | Agent self-registration and discovery |\n| Natural language DNS management | \"Publish my chat agent to DNS\" |\n| Building agentic workflows | Multi-agent orchestration |\n\n### Decision Matrix\n\n| You want to... | Use |\n|----------------|-----|\n| Build discovery into your Python app | **Python Library** |\n| Run ad-hoc commands from terminal | **CLI** |\n| Automate with shell scripts | **CLI** |\n| Enable Claude/AI to manage DNS-AID | **MCP Server** |\n| Test without real DNS | **Python Library** (with MockBackend) |\n| Debug DNS record issues | **CLI** (`dns-aid verify`) |\n\n## DNS Backends\n\nFor per-provider environment configuration, see the [Getting Started Guide](docs/getting-started.md) backend sections.\n\nDNS-AID supports multiple DNS backends:\n\n| Backend | Description | Install Extra | Status |\n|---------|-------------|---------------|--------|\n| Route 53 | AWS Route 53 | `dns-aid[route53]` | ✅ Production |\n| Cloudflare | Cloudflare DNS | `dns-aid[cloudflare]` | ✅ Production |\n| NS1 | NS1 (now IBM) Managed DNS | `dns-aid[ns1]` | ✅ Production |\n| Google Cloud DNS | GCP Cloud DNS | `dns-aid[cloud-dns]` | ✅ Production |\n| Infoblox NIOS | Infoblox NIOS (on-prem WAPI) | `dns-aid[nios]` | ✅ Production |\n| Infoblox UDDI | Infoblox Universal DDI (cloud) | `dns-aid[infoblox]` | ✅ Production |\n| DDNS | RFC 2136 Dynamic DNS (BIND, etc.) | `dns-aid[ddns]` | ✅ Production |\n| Mock | In-memory (testing only) | (built-in) | ✅ Production |\n\n### Route 53 Setup\n\n1. 
Configure AWS credentials:\n   ```bash\n   export AWS_ACCESS_KEY_ID=\"your-access-key\"\n   export AWS_SECRET_ACCESS_KEY=\"your-secret-key\"\n   export AWS_DEFAULT_REGION=\"us-east-1\"  # Optional\n   ```\n\n   Or use AWS CLI profiles:\n   ```bash\n   aws configure\n   # Or use a named profile\n   export AWS_PROFILE=\"my-profile\"\n   ```\n\n2. Verify zone access:\n   ```bash\n   dns-aid zones\n   ```\n\n3. Publish your agent:\n   ```bash\n   dns-aid publish -n my-agent -d myzone.com -p mcp -e mcp.myzone.com\n   ```\n\n### Infoblox UDDI Setup\n\nInfoblox UDDI (Universal DDI) is Infoblox's cloud-native DDI platform. DNS-AID supports creating SVCB and TXT records via the Infoblox API.\n\n#### Environment Variables\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `INFOBLOX_API_KEY` | Yes | - | Infoblox UDDI API key from Cloud Portal |\n| `INFOBLOX_DNS_VIEW` | No | `default` | DNS view name (zones exist within views) |\n| `INFOBLOX_BASE_URL` | No | `https://csp.infoblox.com` | API base URL |\n\n#### Step-by-Step Setup\n\n1. **Get your API key** from [Infoblox Cloud Portal](https://csp.infoblox.com):\n   - Navigate to **Administration** → **API Keys**\n   - Create a new API key with DNS permissions\n   - Copy the key (shown only once)\n\n2. **Configure environment variables**:\n   ```bash\n   export INFOBLOX_API_KEY=\"your-api-key\"\n   export INFOBLOX_DNS_VIEW=\"default\"  # Or your specific view name\n   ```\n\n3. **Identify your zone and view**:\n   - In Infoblox Portal, go to **DNS** → **Authoritative Zones**\n   - Note the zone name (e.g., `example.com`) and which view it belongs to\n\n4. 
**Use in Python**:\n   ```python\n   from dns_aid.backends.infoblox import InfobloxBloxOneBackend\n   from dns_aid.core.publisher import set_default_backend\n   from dns_aid import publish\n\n   # Initialize backend (reads from environment variables)\n   backend = InfobloxBloxOneBackend()\n\n   # Or with explicit configuration\n   backend = InfobloxBloxOneBackend(\n       api_key=\"your-api-key\",\n       dns_view=\"default\",  # Your DNS view name\n   )\n\n   set_default_backend(backend)\n\n   await publish(\n       name=\"my-agent\",\n       domain=\"example.com\",\n       protocol=\"mcp\",\n       endpoint=\"agent.example.com\",\n       capabilities=[\"chat\", \"code-review\"]\n   )\n   ```\n\n#### Infoblox UDDI Limitations \u0026 DNS-AID Compliance\n\n\u003e **⚠️ Important**: Infoblox UDDI SVCB records only support \"alias mode\" (priority 0) and do not\n\u003e support SVC parameters (`alpn`, `port`, `mandatory`). This means **Infoblox UDDI is not fully\n\u003e compliant with the [DNS-AID draft](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/)**.\n\u003e\n\u003e The draft requires ServiceMode SVCB records (priority \u003e 0) with mandatory `alpn` and `port`\n\u003e parameters. 
Infoblox UDDI's limitation is a platform constraint, not a DNS-AID limitation.\n\n| DNS-AID Requirement | Route 53 | Infoblox UDDI |\n|---------------------|----------|---------------|\n| ServiceMode (priority \u003e 0) | ✅ | ❌ |\n| `alpn` parameter | ✅ | ❌ |\n| `port` parameter | ✅ | ❌ |\n| `mandatory` key | ✅ | ❌ |\n\n**For full DNS-AID compliance, use Route 53 or another RFC 9460-compliant DNS provider.**\n\nDNS-AID stores `alpn` and `port` in TXT records as a fallback for Infoblox UDDI, but this is\na workaround and not standard-compliant for agent discovery.\n\n#### Verify Records via API\n\nSince Infoblox UDDI zones may not be publicly resolvable, verify records via the API:\n\n```python\nasync with InfobloxBloxOneBackend() as backend:\n    async for record in backend.list_records(\"example.com\", name_pattern=\"my-agent\"):\n        print(f\"{record['type']}: {record['fqdn']}\")\n```\n\n### DDNS Setup (RFC 2136)\n\nDDNS (Dynamic DNS) is a universal backend that works with any DNS server supporting RFC 2136, including BIND9, Windows DNS, PowerDNS, and Knot DNS. This is ideal for on-premise DNS infrastructure without vendor-specific APIs.\n\n#### Environment Variables\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `DDNS_SERVER` | Yes | - | DNS server hostname or IP |\n| `DDNS_KEY_NAME` | Yes | - | TSIG key name |\n| `DDNS_KEY_SECRET` | Yes | - | TSIG key secret (base64) |\n| `DDNS_KEY_ALGORITHM` | No | `hmac-sha256` | TSIG algorithm |\n| `DDNS_PORT` | No | `53` | DNS server port |\n\n#### Step-by-Step Setup\n\n1. **Create a TSIG key** on your DNS server (BIND example):\n   ```bash\n   tsig-keygen -a hmac-sha256 dns-aid-key \u003e /etc/bind/dns-aid-key.conf\n   ```\n\n2. **Configure your zone** to allow updates with the key:\n   ```\n   zone \"example.com\" {\n       type master;\n       file \"/var/lib/bind/example.com.zone\";\n       allow-update { key \"dns-aid-key\"; };\n   };\n   ```\n\n3. 
**Configure DNS-AID**:\n   ```bash\n   export DDNS_SERVER=\"ns1.example.com\"\n   export DDNS_KEY_NAME=\"dns-aid-key\"\n   export DDNS_KEY_SECRET=\"your-base64-secret\"\n   ```\n\n4. **Use in Python**:\n   ```python\n   from dns_aid.backends.ddns import DDNSBackend\n   from dns_aid import publish\n\n   backend = DDNSBackend()\n   # Or with explicit configuration\n   backend = DDNSBackend(\n       server=\"ns1.example.com\",\n       key_name=\"dns-aid-key\",\n       key_secret=\"base64secret==\",\n       key_algorithm=\"hmac-sha256\"\n   )\n\n   await publish(\n       name=\"my-agent\",\n       domain=\"example.com\",\n       protocol=\"mcp\",\n       endpoint=\"agent.example.com\",\n       backend=backend\n   )\n   ```\n\n#### DDNS Advantages\n\n- **Universal**: Works with BIND, Windows DNS, PowerDNS, Knot, and any RFC 2136 server\n- **No vendor lock-in**: Standard protocol, no proprietary APIs\n- **On-premise friendly**: Perfect for enterprise internal DNS\n- **Full DNS-AID compliance**: Supports ServiceMode SVCB with all parameters\n\n### Cloudflare Setup\n\nCloudflare DNS is ideal for demos, workshops, and quick prototyping thanks to its free tier and excellent API support. DNS-AID fully supports Cloudflare's SVCB record implementation.\n\n#### Environment Variables\n\n| Variable | Required | Default | Description |\n|----------|----------|---------|-------------|\n| `CLOUDFLARE_API_TOKEN` | Yes | - | API token with DNS edit permissions |\n| `CLOUDFLARE_ZONE_ID` | No | - | Zone ID (auto-discovered if not set) |\n\n#### Step-by-Step Setup\n\n1. **Create an API token** in Cloudflare Dashboard:\n   - Go to **My Profile** → **API Tokens** → **Create Token**\n   - Use the \"Edit zone DNS\" template or create custom with:\n     - **Permissions**: Zone → DNS → Edit\n     - **Zone Resources**: Include → Specific zone → your-domain.com\n   - Copy the token (shown only once)\n\n2. 
**Configure environment variables**:\n   ```bash\n   export CLOUDFLARE_API_TOKEN=\"your-api-token\"\n   # Optional: specify zone ID (otherwise auto-discovered from domain)\n   export CLOUDFLARE_ZONE_ID=\"your-zone-id\"\n   ```\n\n3. **Publish your first agent**:\n   ```bash\n   dns-aid publish \\\n       --name my-agent \\\n       --domain your-domain.com \\\n       --protocol mcp \\\n       --endpoint agent.your-domain.com \\\n       --backend cloudflare\n   ```\n\n4. **Use in Python**:\n   ```python\n   from dns_aid.backends.cloudflare import CloudflareBackend\n   from dns_aid import publish\n\n   # Initialize backend (reads from environment variables)\n   backend = CloudflareBackend()\n\n   # Or with explicit configuration\n   backend = CloudflareBackend(\n       api_token=\"your-api-token\",\n       zone_id=\"optional-zone-id\",  # Auto-discovered if not provided\n   )\n\n   await publish(\n       name=\"my-agent\",\n       domain=\"your-domain.com\",\n       protocol=\"mcp\",\n       endpoint=\"agent.your-domain.com\",\n       backend=backend\n   )\n   ```\n\n#### Cloudflare Advantages\n\n- **Free tier**: DNS hosting is free for unlimited domains\n- **SVCB support**: Full RFC 9460 compliance with SVCB Type 64 records\n- **Global anycast**: Fast DNS resolution worldwide\n- **Simple API**: Well-documented REST API v4\n- **Full DNS-AID compliance**: Supports ServiceMode SVCB with all parameters\n\n## Why DNS-AID?\n\n### vs Competing Proposals\n\n| Approach | Problem | DNS-AID Advantage |\n|----------|---------|-------------------|\n| **ANS (GoDaddy)** | Centralized registry, KYC required, single gatekeeper | Federated — you control your domain, publish instantly |\n| **Google (A2A + UCP)** | Discovery via Gemini/Search, payments via UCP | Neutral discovery — no platform lock-in or transaction fees |\n| **.agent gTLD** | Requires ICANN approval, ongoing domain fees | Works NOW with domains you already own |\n| **AgentDNS (China Telecom)** | Requires 6G 
infrastructure, carrier control | Works NOW on existing DNS infrastructure |\n| **NANDA (MIT)** | New P2P overlay network, new ops paradigm | Uses infrastructure your DNS team already operates |\n| **Web3 (ERC-8004)** | Gas fees, crypto wallets, enterprise-hostile | Free DNS queries, no blockchain complexity |\n| **ai.txt / llms.txt** | No integrity verification, free-form JSON | DNSSEC cryptographic verification, structured SVCB |\n\n### Feature Comparison\n\n| Feature | DNS-AID | Central Registry | ai.txt |\n|---------|---------|------------------|--------|\n| **Decentralized** | ✅ | ❌ | ✅ |\n| **Secure (DNSSEC)** | ✅ | Varies | ❌ |\n| **Sovereign** | ✅ | ❌ | ✅ |\n| **Standards-based** | ✅ (IETF) | ❌ | ❌ |\n| **Works with existing infra** | ✅ | ❌ | ✅ |\n\n### The Sovereignty Question\n\n\u003e **Who controls agent discovery?**\n\u003e - ANS: GoDaddy (US company as gatekeeper)\n\u003e - AgentDNS: China Telecom (state-owned carrier)\n\u003e - Web3: Ethereum Foundation\n\u003e - **DNS-AID: You control your own domain**\n\u003e\n\u003e DNS-AID preserves sovereignty. Organizations and nations maintain control over their own agent namespaces with no central authority that can block, censor, or surveil agent discovery.\n\n### Google's Agent Ecosystem\n\nGoogle is building a full-stack agent platform: **A2A** (communication), **UCP** (payments), and **Gemini/Search** (discovery). While A2A is an open protocol, discovery through Google surfaces means:\n- Google controls visibility (pay-to-rank)\n- Transaction fees via [UCP](https://developers.google.com/merchant/ucp)\n- Platform dependency for reach\n\n**DNS-AID complements A2A** by providing neutral, decentralized discovery — find agents anywhere, not just through Google.\n\n### Understanding the .agent Domain Approach\n\nThe [Agent Community](https://agentcommunity.org/) is pursuing a `.agent` top-level domain through ICANN's [new gTLD program](https://newgtlds.icann.org/). 
Here's how the two approaches compare:\n\n**How .agent Domains Would Work:**\n1. Apply to ICANN for `.agent` gTLD (~$185,000 application fee)\n2. Wait 9-20 months for ICANN approval process\n3. Build registry infrastructure (Open Agent Registry, Inc.)\n4. Sell `.agent` domains through accredited registrars\n5. Users pay annual registration fees (~$15-50/year per domain)\n\n**How DNS-AID Works:**\n1. Use your existing domain (you already own `yourcompany.com`)\n2. Add DNS-AID records to your zone (`_myagent._mcp._agents.yourcompany.com`)\n3. Start discovering and being discovered immediately\n\n| Factor | .agent gTLD | DNS-AID |\n|--------|-------------|---------|\n| **Cost to publish** | ~$15-50/year domain fee | Free (use existing domain) |\n| **Time to start** | Months (gTLD launch + registration) | Minutes |\n| **Who controls discovery** | Registry operator | You (your domain) |\n| **Works today** | ❌ Pending ICANN approval | ✅ Works now |\n| **Requires new infrastructure** | ✅ Registry, registrars | ❌ Uses existing DNS |\n| **Memorable names** | ✅ `myagent.agent` | `_myagent._mcp._agents.example.com` |\n\n**The Friendly Take:**\n\nBoth approaches share the goal of making AI agents discoverable. The `.agent` gTLD creates a dedicated namespace that's easy to remember (`mycompany.agent`), while DNS-AID leverages existing infrastructure so you can start publishing agents today.\n\nDNS-AID doesn't require waiting for ICANN approval or paying for new domains—it works with the DNS infrastructure your organization already operates. If you own `example.com`, you can publish agents to `_myagent._mcp._agents.example.com` right now.\n\n*Fun fact: When `.agent` domains become available, DNS-AID records will work on them too! 
The approaches are complementary.*\n\n## Examples\n\nSee the `examples/` directory:\n\n- `demo_route53.py` - Basic Route 53 publish/discover\n- `demo_full.py` - Complete end-to-end demonstration\n\n```bash\n# Run the full demo\nexport DNS_AID_TEST_ZONE=\"your-zone.com\"\npython examples/demo_full.py\n```\n\n## Development\n\n```bash\n# Clone the repo\ngit clone https://github.com/infobloxopen/dns-aid-core.git\ncd dns-aid-core\n\n# Install all workspace packages (requires uv)\nuv sync\n\n# Run all tests\nuv run pytest\n\n# Run tests for a specific package\nuv run pytest packages/dns-aid-directory/tests/\nuv run pytest packages/dns-aid-crawlers/tests/\nuv run pytest packages/dns-aid-k8s/tests/\n\n# Run with coverage\nuv run pytest --cov=dns_aid_directory --cov=dns_aid_crawlers --cov=dns_aid_k8s\n```\n\n## Related Standards\n\n- [RFC 9460](https://www.rfc-editor.org/rfc/rfc9460.html) - SVCB and HTTPS Resource Records\n- [RFC 4033-4035](https://www.rfc-editor.org/rfc/rfc4033.html) - DNSSEC\n- [RFC 6698](https://www.rfc-editor.org/rfc/rfc6698.html) - DANE TLSA\n\n## License\n\nApache 2.0\n\n## Contributing\n\nContributions welcome! This project is intended for contribution to the Linux Foundation Agent AI Foundation.\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfobloxopen%2Fdns-aid-core","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfobloxopen%2Fdns-aid-core","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfobloxopen%2Fdns-aid-core/lists"}