Skip to content

feat: v0.6.0 — DNSSEC enforcement, SVCB param demotion, quality gates#4

Merged
iracic82 merged 3 commits intomainfrom
sync-v0.6.0
Feb 12, 2026
Merged

feat: v0.6.0 — DNSSEC enforcement, SVCB param demotion, quality gates#4
iracic82 merged 3 commits intomainfrom
sync-v0.6.0

Conversation

@iracic82
Copy link
Collaborator

@iracic82 iracic82 commented Feb 12, 2026

Summary

Sync dns-aid-core with upstream development. This release brings security enforcement, DNS backend fixes, and code quality improvements to meet LF contribution standards.

DNSSEC & Security Hardening

  • Wire require_dnssec into discover() — raises DNSSECError when AD flag absent
  • DANE full certificate matching with SPKI support (verify_dane_cert flag)
  • Sigstore cosign keyless signing in release workflow (wheel, tarball, SBOM)
  • SSRF protection for cap_fetcher and a2a_card (HTTPS-only, private IP blocking)
  • JWS application-layer signatures as DNSSEC alternative

SVCB Custom Param Demotion

  • Route53 and Cloudflare reject private-use SvcParamKeys (key65001–key65006)
  • Both backends now split standard SVCB params from custom BANDAID params (cap, cap-sha256, bap, policy, realm, sig), demoting custom params to TXT records with bandaid_ prefix
  • No data loss — discovery reads both record types

Code Quality (SonarQube Gate)

  • Refactor 5 functions exceeding C901 cognitive complexity 10 → all under threshold
  • Boost test coverage from 72% to 80% with 87 new tests
  • 664 tests passing, 0 C901 violations, ruff/bandit/mypy clean

Additional

  • BANDAID custom SVCB params (cap, cap-sha256, bap, policy, realm, sig) with keyNNNNN encoding
  • Experimental metadata models (agent_metadata, capability_model) documented as Phase 5.5
  • MAINTAINERS.md with open roles and recruitment plan
  • Backend list_records and get_record support for all providers
  • Bandit config migrated to pyproject.toml for newer versions

Test Plan

  • 664 unit tests passing (pytest tests/ -m "not live")
  • 0 C901 complexity violations (ruff check --select C901 src/)
  • Ruff lint + format clean
  • Bandit security scan clean
  • Coverage ≥ 80%
  • All commits DCO signed-off

@iracic82
feat: LF readiness — DNSSEC enforcement, DANE cert matching, Sigstore…
c40f125 
… signing, security hardening

Wire require_dnssec into discover(): raises DNSSECError when AD flag absent.
Add DANE full certificate matching with SPKI support. Add Sigstore cosign
keyless signing to release workflow (wheel, tarball, SBOM).

- DNSSEC enforcement with DNSSECError exception on validation failure
- DANE/TLSA full certificate and SPKI matching (verify_dane_cert flag)
- Sigstore cosign keyless signing in release workflow
- SSRF protection for cap_fetcher and a2a_card (HTTPS-only, private IP blocking)
- BANDAID custom SVCB params (cap, cap-sha256, bap, policy, realm, sig)
- JWS application-layer signatures as DNSSEC alternative
- Backend list_records and get_record support for all providers
- MCP server transport options and new tools
- Experimental metadata models (agent_metadata, capability_model) documented
- MAINTAINERS.md with open roles and recruitment plan
- Bandit config migrated to pyproject.toml for newer versions
- 577 tests passing, ruff clean, mypy clean, bandit clean

Signed-off-by: Igor Racic <iracic82@gmail.com>
@iracic82
fix: Route53/Cloudflare SVCB custom param demotion to TXT records
c282133 
Route53 and Cloudflare reject private-use SvcParamKeys (key65001–key65006).
Both backends now split standard SVCB params from custom BANDAID params
(cap, cap-sha256, bap, policy, realm, sig), keeping standard params in SVCB
and demoting custom params to TXT records with bandaid_ prefix.

- Route53 backend: publish_agent() override with param demotion
- Cloudflare backend: same demotion pattern applied
- Correct version labels across docs (remove non-existent v0.7.0 refs)
- Mark Kubernetes Controller as Planned in all documentation
- 577 tests passing, 3 new param demotion tests for Route53

Signed-off-by: Igor Racic <iracic82@gmail.com>
@iracic82
fix: reduce C901 complexity and boost test coverage from 72% to 80%
151462c 
Refactor 5 functions exceeding cognitive complexity threshold of 10 by
extracting private helpers with no public API changes. Add 87 new tests
covering CLI commands, publisher, SDK client, validator, indexer,
Cloudflare backend, OTEL telemetry, and discoverer edge cases.

Complexity refactoring:
- discoverer.py: extract 7 helpers from discover/zone/http functions
- cap_fetcher.py: extract _verify_cap_digest, _extract_string_list
- otel.py: extract _parse_signal_fqdn, _build_span_attributes

Test coverage additions:
- CLI: publish, delete, list, zones, index list/sync, verify commands
- Publisher: default backend, sign validation, exception handling
- SDK client: async context, rankings fetch, HTTP sync push
- Validator: DANE cert match/mismatch, DNSSEC TXT fallback
- Indexer: DNS reads, delete/sync exceptions, equality checks
- Cloudflare: param demotion, get_record SVCB/TXT/not-found
- OTEL: span attributes, FQDN parsing, shutdown idempotency

Result: 664 tests passing, 0 C901 violations, 80% coverage, ruff/bandit clean
Signed-off-by: Igor Racic <iracic82@gmail.com>
@iracic82 iracic82 merged commit fd24b21 into main Feb 12, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iracic82