github dns-aid/dns-aid-core v0.17.0
v0.17.0: Phase 7 — Policy-to-RPZ Compiler, Infoblox TD Enforcement

2 months ago

Full discovery → policy → Threat Defense enforcement pipeline.

Policy Compiler & Zone Writers

  • PolicyCompiler transforms PolicyDocument JSON into RPZ + bind-aid directives
  • Standard RPZ zone writer (RFC 8010 CNAME records)
  • bind-aid zone writer (TXT ACTION + SvcParam ops per Ingmar's BIND 9 fork)
  • SvcParam operations: strip, require, validate, enforce, whitelist, blacklist
  • RPZ deduplication with warnings

Infoblox BloxOne Threat Defense

  • Named list push + security policy binding
  • TD actions: action_block, action_log, action_allow, action_redirect
  • In-place action switching without duplicate rules

Infoblox NIOS RPZ (On-Prem)

  • record:rpz:cname CRUD + zone_rp management via WAPI

CLI

  • dns-aid policy compile|show — generate zones + compilation report
  • dns-aid enforce — discover → compile → push to TD (shadow/monitor/enforce)
  • --auto-policy — fetch policies from agents' SVCB policy_uri

MCP Tools (4 new, 15 total)

  • compile_policy_to_rpz, publish_rpz_zone, list_rpz_rules, list_td_security_policies

CEL Compilation

  • Domain-based CEL compiles to DNS zone entries (Layer 0)
  • Complex CEL enforced at runtime by Rust evaluator ~2µs (Layer 1/2)

Docs

  • Nordstrom POC guide with dual MCP server architecture
  • Updated README, CHANGELOG, getting-started

1191 tests | Python 3.11/3.12/3.13 | Live-verified against BloxOne TD
