Record mutations (create, update, delete) no longer require admin role.
Authorization rules:
- admin: full access (unchanged)
- system mcp-agent: create/delete any record
- system account α: create/delete records named α only
- human users: read-only (unchanged)
Zone mutations remain admin-only. Both REST and gRPC paths enforce the
same rules. Update checks authorization against both old and new names.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace the CoreDNS precursor with a purpose-built authoritative DNS
server. Zones and records (A, AAAA, CNAME) are stored in SQLite and
managed via synchronized gRPC + REST APIs authenticated through MCIAS.
Non-authoritative queries are forwarded to upstream resolvers with
in-memory caching.
Key components:
- DNS server (miekg/dns) with authoritative zone handling and forwarding
- gRPC + REST management APIs with MCIAS auth (mcdsl integration)
- SQLite storage with CNAME exclusivity enforcement and auto SOA serials
- 30 tests covering database CRUD, DNS resolution, and caching
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
