feat: align with IETF draft-mozleywilliams-dnsop-dnsaid-01 (v0.8.0)

Align dns-aid-core with the renamed IETF draft (v01) and address
reviewer feedback on missing SVCB features and DANE coverage.

- Add SVCB AliasMode (priority 0) handling in discoverer
- Extract ipv4hint/ipv6hint from SVCB params (SvcParamKey 4, 6)
- Dynamic DANE verification notes with DNSSEC coupling warning
- Rename BANDAID → DNS-AID across all source, tests, docs, metadata
- Fix bap SvcParamKey from key65003 to key65010 per draft example
- Update draft reference from bandaid-02 to dnsaid-01
- Add DNSSEC/DANE security section to README
- Bump version to 0.8.0

BREAKING CHANGE: bap SvcParamKey changed from key65003 to key65010.
Existing DNS records using key65003 for bap must be re-published.
TXT record prefix changed from bandaid_ to dnsaid_.

Signed-off-by: Igor Racic <iracic82@gmail.com>

Author: iracic82

CHANGELOG.md

@@ -5,6 +5,18 @@ All notable changes to DNS-AID will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.8.0] - 2026-02-21
+
+### Added
+- **SVCB AliasMode handling** — Discoverer follows SVCB priority-0 (AliasMode) records to resolve the canonical ServiceMode target, per RFC 9460 and IETF draft Section 4.4.2
+- **SVCB ipv4hint/ipv6hint extraction** — Discoverer reads SvcParamKey 4 (ipv4hint) and 6 (ipv6hint) from SVCB records to reduce follow-up A/AAAA queries, per IETF draft Section 4.4.2
+- **DANE dynamic verification notes** — `verify()` now returns context-aware `dane_note` messages: advisory-only vs full certificate matching, with DNSSEC coupling warning when DANE is present but DNSSEC is not validated
+- **DANE/DNSSEC security documentation** — README now includes "Security: DNSSEC and DANE" section with TLSA 3 1 1 recommendation, security score table, and verification code examples
+
+### Changed
+- **BANDAID → DNS-AID rename** — All references to "BANDAID" and `bandaid_` updated to "DNS-AID" and `dnsaid_` across source, tests, docs, and metadata files. IETF draft reference updated from `draft-mozleywilliams-dnsop-bandaid-02` to `draft-mozleywilliams-dnsop-dnsaid-01`
+- **`bap` SvcParamKey number** — Changed from `key65003` to `key65010` to match IETF draft Section 4.4.3 example. **Breaking:** existing DNS records with `key65003` for bap will need re-publishing
+
 ## [0.7.3] - 2026-02-19
 
 ### Added
@@ -138,7 +150,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Experimental Models Documentation** — Marked `agent_metadata` and `capability_model` modules as experimental with status docstrings
 
 ### Fixed
-- **Route53 SVCB custom params** — Route53 rejects private-use SvcParamKeys (`key65001`–`key65006`). The Route53 backend now demotes custom BANDAID params to TXT records with `bandaid_` prefix, keeping the publish working without data loss
+- **Route53 SVCB custom params** — Route53 rejects private-use SvcParamKeys (`key65001`–`key65006`). The Route53 backend now demotes custom DNS-AID params to TXT records with `dnsaid_` prefix, keeping the publish working without data loss
 - **Cloudflare SVCB custom params** — Same demotion applied to the Cloudflare backend
 - **CLI `--backend` help text** — Now lists all five backends (route53, cloudflare, infoblox, ddns, mock) instead of just "route53, mock"
 - **SECURITY.md contact** — Updated from placeholder LF mailing list to interim maintainer email
@@ -217,7 +229,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.4.8] - 2026-01-27
 
 ### Added
-- **BANDAID Custom SVCB Parameters (IETF Draft Alignment)**
+- **DNS-AID Custom SVCB Parameters (IETF Draft Alignment)**
   - `cap` — URI to capability document (HTTPS endpoint for rich capability metadata)
   - `cap-sha256` — Base64url-encoded SHA-256 digest of capability descriptor for integrity checks
   - `bap` — Supported bulk agent protocols with versioning (e.g., `mcp/1,a2a/1`)
@@ -226,7 +238,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - New `AgentRecord` fields: `cap_uri`, `cap_sha256`, `bap`, `policy_uri`, `realm`
   - Updated `to_svcb_params()` to include custom params when present (backwards compatible)
   - CLI options: `--cap-uri`, `--cap-sha256`, `--bap`, `--policy-uri`, `--realm`
-  - MCP server: publish and discover tools support all BANDAID custom params
+  - MCP server: publish and discover tools support all DNS-AID custom params
   - Discovery priority: SVCB `cap` URI → fetch capability document → TXT fallback
 
 - **Capability Document Fetcher** (`src/dns_aid/core/cap_fetcher.py`)
@@ -270,7 +282,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Works with BIND9, Windows DNS, PowerDNS, Knot DNS, and any RFC 2136 compliant server
   - TSIG authentication support with multiple algorithms (hmac-sha256, sha384, sha512, sha224, md5)
   - Key file loading support (BIND key file format)
-  - Full BANDAID compliance with ServiceMode SVCB records
+  - Full DNS-AID compliance with ServiceMode SVCB records
   - Docker-based BIND9 integration tests
   - Documentation and examples for on-premise DNS deployments
 
@@ -324,7 +336,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Cloudflare DNS Backend**
   - New `CloudflareBackend` for Cloudflare DNS API v4
   - Free tier support - ideal for demos and workshops
-  - Full BANDAID compliance with ServiceMode SVCB records
+  - Full DNS-AID compliance with ServiceMode SVCB records
   - Zone auto-discovery from domain name
   - 32 unit tests with mocked API responses
 
@@ -336,7 +348,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.2.0] - 2026-01-13
 
 ### Added
-- **BANDAID Compliance**
+- **DNS-AID Compliance**
   - Added `mandatory="alpn,port"` parameter to SVCB records per IETF draft
   - Ensures proper agent discovery signaling
 
@@ -445,11 +457,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## References
 
-- [IETF draft-mozleywilliams-dnsop-bandaid-02](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-bandaid/)
+- [IETF draft-mozleywilliams-dnsop-dnsaid-01](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/)
 - [RFC 9460 - SVCB and HTTPS Resource Records](https://www.rfc-editor.org/rfc/rfc9460.html)
 - [RFC 4033-4035 - DNSSEC](https://www.rfc-editor.org/rfc/rfc4033.html)
 
-[Unreleased]: https://github.com/infobloxopen/dns-aid-core/compare/v0.7.3...HEAD
+[Unreleased]: https://github.com/infobloxopen/dns-aid-core/compare/v0.8.0...HEAD
+[0.8.0]: https://github.com/infobloxopen/dns-aid-core/compare/v0.7.3...v0.8.0
 [0.7.3]: https://github.com/infobloxopen/dns-aid-core/compare/v0.7.2...v0.7.3
 [0.7.2]: https://github.com/infobloxopen/dns-aid-core/compare/v0.7.1...v0.7.2
 [0.7.1]: https://github.com/infobloxopen/dns-aid-core/compare/v0.7.0...v0.7.1

CITATION.cff

@@ -8,34 +8,34 @@ repository-code: "https://github.com/infobloxopen/dns-aid-core"
 authors:
   - name: "The DNS-AID Authors"
 
-version: "0.7.3"
-date-released: "2026-02-19"
+version: "0.8.0"
+date-released: "2026-02-21"
 
 keywords:
   - dns
   - agent-discovery
   - ietf
   - svcb
-  - bandaid
+  - dnsaid
   - ai-agents
   - mcp
   - a2a
 
 references:
   - type: standard
-    title: "BANDAID: Best-practice Approaches for Naming and Discovery of AI-Driven services"
+    title: "DNS-AID: DNS-based Agent Identification and Discovery"
     authors:
       - family-names: Mozley
         given-names: Andrew
       - family-names: Williams
         given-names: Brandon
-    url: "https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-bandaid/"
+    url: "https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/"
     identifiers:
       - type: other
-        value: "draft-mozleywilliams-dnsop-bandaid-02"
+        value: "draft-mozleywilliams-dnsop-dnsaid-01"
         description: "IETF Internet-Draft"
     notes: >
-      This software implements the BANDAID specification (draft-02):
+      This software implements the DNS-AID specification (draft-01):
       SVCB/HTTPS record discovery, TXT capability records,
       underscored naming (_agent._protocol._agents.domain),
       custom SVCB parameters (cap, cap-sha256, bap, policy, realm),

README.md

@@ -11,7 +11,7 @@
 
 **DNS-based Agent Identification and Discovery**
 
-Reference implementation for [IETF draft-mozleywilliams-dnsop-bandaid-02](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-bandaid/).
+Reference implementation for [IETF draft-mozleywilliams-dnsop-dnsaid-01](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/).
 
 DNS-AID enables AI agents to discover each other via DNS, using the internet's existing naming infrastructure instead of centralized registries or hardcoded URLs.
 
@@ -131,7 +131,7 @@ dns-aid publish \
     --capability chat \
     --capability code-review
 
-# Publish with BANDAID custom SVCB parameters
+# Publish with DNS-AID custom SVCB parameters
 dns-aid publish \
     --name booking \
     --domain example.com \
@@ -326,7 +326,7 @@ _chat._a2a._agents.example.com. 3600 IN SVCB 1 chat.example.com. alpn="a2a" port
 _chat._a2a._agents.example.com. 3600 IN TXT "capabilities=chat,assistant" "version=1.0.0"
 ```
 
-**BANDAID Custom SVCB Parameters:** Per the IETF draft, SVCB records can carry additional custom parameters for richer agent metadata:
+**DNS-AID Custom SVCB Parameters:** Per the IETF draft, SVCB records can carry additional custom parameters for richer agent metadata:
 
 ```
 _booking._mcp._agents.example.com. SVCB 1 mcp.example.com. alpn="mcp" port=443 \
@@ -344,13 +344,13 @@ _booking._mcp._agents.example.com. SVCB 1 mcp.example.com. alpn="mcp" port=443 \
 | `realm` | Multi-tenant scope identifier |
 
 > **Note:** Route 53 and Cloudflare do not support private-use SVCB SvcParamKeys (`key65001`–`key65006`).
-> DNS-AID automatically demotes these parameters to TXT records with a `bandaid_` prefix (e.g.,
-> `bandaid_realm=production`), preserving all metadata without data loss. BIND/DDNS (RFC 2136)
+> DNS-AID automatically demotes these parameters to TXT records with a `dnsaid_` prefix (e.g.,
+> `dnsaid_realm=production`), preserving all metadata without data loss. BIND/DDNS (RFC 2136)
 > backends natively support custom SVCB params — no demotion needed.
 
 This allows any DNS client to discover agents without proprietary protocols or central registries.
 
-### Discovery Flow (BANDAID Draft Aligned)
+### Discovery Flow (DNS-AID Draft Aligned)
 
 ```
   Agent A                        DNS                           Agent B
@@ -401,6 +401,66 @@ This allows any DNS client to discover agents without proprietary protocols or c
 **Capability Resolution Priority:** SVCB `cap` URI → capability document → TXT record fallback.
 Each discovered agent includes `endpoint_source` and `capability_source` showing which path was used.
 
+## Security: DNSSEC and DANE
+
+DNS-AID relies on DNSSEC and DANE for end-to-end trust, as specified in the [IETF draft](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/) Section 4.4.1.
+
+### DNSSEC (Mandatory for Public Zones)
+
+All DNS-AID discovery records **MUST** be signed with DNSSEC. Resolvers consuming DNS-AID data must treat unsigned or DNSSEC-bogus responses as failures.
+
+```bash
+# Verify DNSSEC and security posture for an agent
+dns-aid verify _chat._a2a._agents.example.com
+```
+
+### DANE/TLSA (Recommended)
+
+Where DNS-AID endpoints rely on TLS, DANE TLSA records **SHOULD** be used to bind endpoint certificates to DNSSEC-validated names. This removes reliance on external PKI (certificate authorities) and provides cryptographic proof that the TLS certificate belongs to the intended agent endpoint.
+
+**Recommended TLSA profile** (per IETF draft Section 5.2.3):
+
+```
+_443._tcp.agent-svc.example.com. 1800 IN TLSA 3 1 1 (
+    <SHA-256 hash of endpoint certificate SPKI>
+)
+```
+
+| Field | Value | Meaning |
+|-------|-------|---------|
+| Usage | 3 | DANE-EE (end entity, no CA chain needed) |
+| Selector | 1 | SubjectPublicKeyInfo (public key only) |
+| Matching Type | 1 | SHA-256 digest |
+
+**Full DANE certificate verification:**
+
+```python
+# Advisory check (TLSA record exists?)
+result = await dns_aid.verify("_chat._a2a._agents.example.com")
+print(result.dane_valid)  # True/False/None
+
+# Full certificate matching (connect + compare cert against TLSA)
+result = await dns_aid.verify(
+    "_chat._a2a._agents.example.com",
+    verify_dane_cert=True
+)
+print(result.dane_note)   # Detailed verification status
+```
+
+> **Note:** DANE is only meaningful when DNSSEC is also validated. Without DNSSEC, an attacker could spoof both the TLSA record and the endpoint certificate.
+
+### Security Score
+
+The `verify` command returns a security score (0–100) based on:
+
+| Check | Points | Requirement Level |
+|-------|--------|-------------------|
+| DNS record exists | 20 | Required |
+| SVCB record valid | 20 | Required |
+| DNSSEC validated | 30 | MUST (public zones) |
+| DANE/TLSA verified | 15 | SHOULD |
+| Endpoint reachable | 15 | Operational |
+
 ## Architecture
 
 ```
@@ -635,26 +695,26 @@ Infoblox UDDI (Universal DDI) is Infoblox's cloud-native DDI platform. DNS-AID s
    )
    ```
 
-#### Infoblox UDDI Limitations & BANDAID Compliance
+#### Infoblox UDDI Limitations & DNS-AID Compliance
 
 > **⚠️ Important**: Infoblox UDDI SVCB records only support "alias mode" (priority 0) and do not
 > support SVC parameters (`alpn`, `port`, `mandatory`). This means **Infoblox UDDI is not fully
-> compliant with the [BANDAID draft](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-bandaid/)**.
+> compliant with the [DNS-AID draft](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/)**.
 >
 > The draft requires ServiceMode SVCB records (priority > 0) with mandatory `alpn` and `port`
 > parameters. Infoblox UDDI's limitation is a platform constraint, not a DNS-AID limitation.
 
-| BANDAID Requirement | Route 53 | Cloudflare | DDNS (BIND) | Infoblox NIOS | Infoblox UDDI |
+| DNS-AID Requirement | Route 53 | Cloudflare | DDNS (BIND) | Infoblox NIOS | Infoblox UDDI |
 |---------------------|----------|------------|-------------|---------------|---------------|
 | ServiceMode (priority > 0) | ✅ | ✅ | ✅ | ✅ | ❌ |
 | `alpn` parameter | ✅ | ✅ | ✅ | ✅ | ❌ |
 | `port` parameter | ✅ | ✅ | ✅ | ✅ | ❌ |
 | `mandatory` key | ✅ | ✅ | ✅ | ✅ | ❌ |
 | Custom SVCB params (`cap`, `realm`, etc.) | ⚠️ TXT | ⚠️ TXT | ✅ Native | ✅ Native | ❌ |
 
-**⚠️ TXT** = Custom BANDAID params auto-demoted to TXT records with `bandaid_` prefix (no data loss).
+**⚠️ TXT** = Custom DNS-AID params auto-demoted to TXT records with `dnsaid_` prefix (no data loss).
 
-**For full BANDAID compliance with native custom SVCB params, use DDNS (BIND/RFC 2136) or Infoblox NIOS. Route 53 and Cloudflare support all standard SVCB params with automatic TXT demotion for custom params.**
+**For full DNS-AID compliance with native custom SVCB params, use DDNS (BIND/RFC 2136) or Infoblox NIOS. Route 53 and Cloudflare support all standard SVCB params with automatic TXT demotion for custom params.**
 
 DNS-AID stores `alpn` and `port` in TXT records as a fallback for Infoblox UDDI, but this is
 a workaround and not standard-compliant for agent discovery.
@@ -671,7 +731,7 @@ async with InfobloxBloxOneBackend() as backend:
 
 ### Infoblox NIOS Setup (On-Prem)
 
-Infoblox NIOS is the on-premise DDI platform with WAPI (Web API). DNS-AID creates SVCB and TXT records via WAPI v2.13.7+, with full ServiceMode SVCB support including custom BANDAID parameters.
+Infoblox NIOS is the on-premise DDI platform with WAPI (Web API). DNS-AID creates SVCB and TXT records via WAPI v2.13.7+, with full ServiceMode SVCB support including custom DNS-AID parameters.
 
 #### Environment Variables
 
@@ -731,9 +791,9 @@ Infoblox NIOS is the on-premise DDI platform with WAPI (Web API). DNS-AID create
    )
    ```
 
-#### NIOS BANDAID Compliance
+#### NIOS DNS-AID Compliance
 
-NIOS WAPI supports ServiceMode SVCB records (priority > 0) with full SVC parameters, including custom BANDAID keys natively via `key65001`–`key65006`.
+NIOS WAPI supports ServiceMode SVCB records (priority > 0) with full SVC parameters, including custom DNS-AID keys natively via `key65001`–`key65006`.
 
 ### DDNS Setup (RFC 2136)
 
@@ -800,7 +860,7 @@ DDNS (Dynamic DNS) is a universal backend that works with any DNS server support
 - **Universal**: Works with BIND, Windows DNS, PowerDNS, Knot, and any RFC 2136 server
 - **No vendor lock-in**: Standard protocol, no proprietary APIs
 - **On-premise friendly**: Perfect for enterprise internal DNS
-- **Full BANDAID compliance**: Supports ServiceMode SVCB with all standard parameters (custom BANDAID params auto-demoted to TXT)
+- **Full DNS-AID compliance**: Supports ServiceMode SVCB with all standard parameters (custom DNS-AID params auto-demoted to TXT)
 
 ### Cloudflare Setup
 
@@ -868,7 +928,7 @@ Cloudflare DNS is ideal for demos, workshops, and quick prototyping thanks to it
 - **SVCB support**: Full RFC 9460 compliance with SVCB Type 64 records
 - **Global anycast**: Fast DNS resolution worldwide
 - **Simple API**: Well-documented REST API v4
-- **Full BANDAID compliance**: Supports ServiceMode SVCB with all standard parameters (custom BANDAID params auto-demoted to TXT)
+- **Full DNS-AID compliance**: Supports ServiceMode SVCB with all standard parameters (custom DNS-AID params auto-demoted to TXT)
 
 ## Why DNS-AID?
 

SECURITY.md

@@ -81,7 +81,7 @@ DNS-AID uses SVCB SvcParamKeys in the **private-use range** (65001–65534) as d
 | ------- | -------- | -------------------------------- |
 | cap     | key65001 | Capability document URI          |
 | cap-sha256 | key65002 | Capability document SHA-256 hash |
-| bap     | key65003 | BANDAID Agent Profile URI        |
+| bap     | key65010 | DNS-AID Agent Profile URI        |
 | policy  | key65004 | Policy document URI              |
 | realm   | key65005 | Administrative realm             |
 | sig     | key65006 | JWS signature                    |

SUPPORT.md

@@ -7,7 +7,7 @@
 - [API Reference](docs/api-reference.md) — Python library, CLI, and MCP server reference
 - [Framework Integrations](docs/integrations.md) — LangChain, AutoGen, Google ADK, OpenAI Agents
 - [Demo Guide](docs/demo-guide.md) — runnable demos with Route 53, DDNS, Cloudflare
-- [IETF Draft](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-bandaid/) — the BANDAID specification
+- [IETF Draft](https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/) — the DNS-AID specification
 
 ## Asking Questions