Implement MCNS v1: custom Go DNS server replacing CoreDNS

Replace the CoreDNS precursor with a purpose-built authoritative DNS
server. Zones and records (A, AAAA, CNAME) are stored in SQLite and
managed via synchronized gRPC + REST APIs authenticated through MCIAS.
Non-authoritative queries are forwarded to upstream resolvers with
in-memory caching.

Key components:
- DNS server (miekg/dns) with authoritative zone handling and forwarding
- gRPC + REST management APIs with MCIAS auth (mcdsl integration)
- SQLite storage with CNAME exclusivity enforcement and auto SOA serials
- 30 tests covering database CRUD, DNS resolution, and caching

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/docker/docker-compose-rift.yml

@@ -1,25 +1,18 @@
-# CoreDNS on rift — MCNS precursor.
-#
-# Serves the svc.mcp.metacircular.net and mcp.metacircular.net zones.
-# Forwards everything else to 1.1.1.1 and 8.8.8.8.
+# MCNS on rift — authoritative DNS + management API.
 #
 # Usage:
 #   docker compose -f deploy/docker/docker-compose-rift.yml up -d
-#
-# To use as the network's DNS server, point clients or the router at
-# rift's IP (192.168.88.181) on port 53.
 
 services:
-  coredns:
-    image: coredns/coredns:1.12.1
-    container_name: mcns-coredns
+  mcns:
+    image: mcr.svc.mcp.metacircular.net:8443/mcns:latest
+    container_name: mcns
     restart: unless-stopped
-    command: -conf /etc/coredns/Corefile
+    command: ["server", "--config", "/srv/mcns/mcns.toml"]
     ports:
       - "192.168.88.181:53:53/udp"
       - "192.168.88.181:53:53/tcp"
       - "100.95.252.120:53:53/udp"
       - "100.95.252.120:53:53/tcp"
     volumes:
-      - ../../Corefile:/etc/coredns/Corefile:ro
-      - ../../zones:/etc/coredns/zones:ro
+      - /srv/mcns:/srv/mcns