check_agent_discovery
Active
Tool of com.blackveilsecurity/dns
Assess the security posture of IETF BANDAID agent-discovery records (draft-mozleywilliams-dnsop-dnsaid). Detects SVCB agent records under _agents/_index._{protocol}._agents, reports whether the discovery zone is DNSSEC-anchored (unsigned = spoofable agent endpoints), evaluates DANE/TLSA binding trust (RFC 6698 §10.1), and checks capability-document integrity (cap / cap-sha256). Read-only; uses Private-Use SVCB param code points pending IANA assignment.
Parameters schema
{
  "type": "object",
  "required": [
    "domain"
  ],
  "properties": {
    "name": {
      "type": "string",
      "maxLength": 63,
      "minLength": 1,
      "description": "Resolve a single named agent ({name}.{domain}) instead of enumerating the zone."
    },
    "domain": {
      "type": "string",
      "maxLength": 253,
      "minLength": 1,
      "description": "Domain to check for published agent-discovery records (e.g., example.com)."
    },
    "format": {
      "enum": [
        "full",
        "compact"
      ],
      "type": "string",
      "description": "Output verbosity. Auto-detected if omitted."
    },
    "protocol": {
      "enum": [
        "a2a",
        "mcp",
        "https"
      ],
      "type": "string",
      "description": "Scope discovery to a single agent protocol index (_index._{protocol}._agents). Omit to sweep the zone."
    },
    "verify_cap": {
      "type": "boolean",
      "description": "Fetch each declared capability document (cap=) over HTTPS via safeFetch and verify it against the cap-sha256 integrity pin. Default false (declaration/existence check only)."
    },
    "force_refresh": {
      "type": "boolean",
      "description": "Bypass cache and run a fresh check. Useful after DNS changes."
    }
  }
}
No endpoints wrapped at confidence ≥ 0.70.
Parent server
com.blackveilsecurity/dns
https://github.com/MadaBurns/bv-mcp
2/7 registries