check_agent_discovery
Assesses the security of DNS agent-discovery records by detecting SVCB agent records, verifying DNSSEC anchoring and DANE/TLSA trust, and checking capability-document integrity.
Instructions
Assess the security posture of IETF BANDAID agent-discovery records (draft-mozleywilliams-dnsop-dnsaid). The check detects SVCB agent records under _agents/index.{protocol}._agents, reports whether the discovery zone is DNSSEC-anchored (an unsigned zone leaves the agent endpoints spoofable), evaluates DANE/TLSA binding trust (RFC 6698 §10.1), and checks capability-document integrity (cap / cap-sha256). Read-only; uses Private-Use SVCB param code points pending IANA assignment.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| name | No | Resolve a single named agent ({name}.{domain}) instead of enumerating the zone. | |
| domain | Yes | Domain to check for published agent-discovery records (e.g., example.com). | |
| format | No | Output verbosity. Auto-detected if omitted. | |
| protocol | No | Scope discovery to a single agent protocol index (_index._{protocol}._agents). Omit to sweep the zone. | |
| verify_cap | No | Fetch each declared capability document (cap=) over HTTPS via safeFetch and verify it against the cap-sha256 integrity pin. Default false (declaration/existence check only). | |
| force_refresh | No | Bypass the cache and run a fresh check. Useful after DNS changes. | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| score | Yes | | |
| passed | Yes | | |
| category | Yes | | |
| findings | Yes | | |