Ship mcns.service, mcns-backup.service, mcns-backup.timer, and
deploy/scripts/install.sh adapted from MCR's deployment files.
Includes full security hardening block per engineering standards
and AmbientCapabilities=CAP_NET_BIND_SERVICE for DNS port 53.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Replace the CoreDNS precursor with a purpose-built authoritative DNS
server. Zones and records (A, AAAA, CNAME) are stored in SQLite and
managed via synchronized gRPC + REST APIs authenticated through MCIAS.
Non-authoritative queries are forwarded to upstream resolvers with
in-memory caching.

Key components:
- DNS server (miekg/dns) with authoritative zone handling and forwarding
- gRPC + REST management APIs with MCIAS auth (mcdsl integration)
- SQLite storage with CNAME exclusivity enforcement and auto SOA serials
- 30 tests covering database CRUD, DNS resolution, and caching

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

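
The commit above mentions CNAME exclusivity enforcement and automatic SOA serials in SQLite. The sketch below is an added example, not the project's code: it enforces both with triggers on inserts only. The schema, trigger names, function names, the increment-by-one serial policy and the 192.0.2.x addresses are assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema for this example; the project's real tables are not shown on the page.
SCHEMA = """
CREATE TABLE zones (
    id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
    serial INTEGER NOT NULL DEFAULT 1);
CREATE TABLE records (
    id INTEGER PRIMARY KEY,
    zone_id INTEGER NOT NULL REFERENCES zones(id),
    name TEXT NOT NULL,
    type TEXT NOT NULL CHECK (type IN ('A', 'AAAA', 'CNAME')),
    value TEXT NOT NULL);
-- Reject an insert when the owner name already holds a CNAME, or when a
-- CNAME is added to a name that already holds any record.
CREATE TRIGGER cname_exclusive BEFORE INSERT ON records
WHEN EXISTS (SELECT 1 FROM records r
             WHERE r.zone_id = NEW.zone_id AND r.name = NEW.name
               AND (NEW.type = 'CNAME' OR r.type = 'CNAME'))
BEGIN SELECT RAISE(ABORT, 'CNAME must be the only record at a name'); END;
-- Bump the zone serial only for inserts that were actually stored.
CREATE TRIGGER bump_serial AFTER INSERT ON records
BEGIN UPDATE zones SET serial = serial + 1 WHERE id = NEW.zone_id; END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def add_zone(db, name):
    with db:
        return db.execute("INSERT INTO zones(name) VALUES (?)", (name.lower(),)).lastrowid

def add_record(db, zone_id, name, rtype, value):
    """Return True if stored, False if a constraint or trigger rejected it."""
    try:
        with db:
            db.execute("INSERT INTO records(zone_id, name, type, value) VALUES (?, ?, ?, ?)",
                       (zone_id, name.lower().rstrip("."), rtype.upper(), value))
        return True
    except sqlite3.IntegrityError:
        return False

def zone_serial(db, zone_id):
    return db.execute("SELECT serial FROM zones WHERE id = ?", (zone_id,)).fetchone()[0]
```
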
Port 53 on loopback is used by systemd-resolved on rift. Bind to
192.168.88.181 (LAN) and 100.95.252.120 (Tailscale) specifically.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Serves two internal zones for the Metacircular platform:
- svc.mcp.metacircular.net (service addresses)
- mcp.metacircular.net (node addresses)

Forwards all other queries to 1.1.1.1 and 8.8.8.8. Includes rift
deployment compose with CoreDNS 1.12.1 and zone files mapping
metacrypt and rift to their LAN and Tailscale addresses.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>