blog

Notes, writeups, and failure modes.

blog • dns-aid • 28 min read

Agent Identity Without a New Authority — Digital Wallets and the SAN

Republic of Korea's OpenDID and France's mDL ship a TPM-anchored credential flow. With some tinkering, DNS-AID and ANS can ride that substrate without inventing a new registry, central root, or hardware-wallet assumption.

Three-pane diagram contrasting trust roots — centralized registry / sovereign issuer + hardware wallet / DNS + DNSSEC + DANE + x509_san_dns — with the third pane labelled "the substrate that already exists"
blog • infoblox • 15 min read

Over-Engineering Homelab Syslog Receiving With DNSTAP

Changing per-query DNS telemetry from syslog forwarding to a DNSTAP pipeline, and what the syslog path actually does on the appliance.

ASCII-art pipeline diagram showing NIOS grid members emitting dnstap protobuf frames over tcp/6000 to dnscollector, which pipes JSON on stdout to bridge.py, which posts GELF to a dedicated Graylog index set
blog • dns-aid • 15 min read

Auditing the Agent Internet — Agents Grading Agents

A read-only auditor for the open agent web. It walks any domain's substrate — DNS-AID, AgentFinder, AI-Catalog, DID Web, TLSA, DNSSEC — and grades it on how easily other agents can find and interact with it.

Matrix-styled ASCII-art hero — two pill capsules side-by-side over outstretched cupped palms, with the red pill on the left labelled "score_detail() · after DCV verify · full findings + fix copy" and the blue pill on the right labelled "score() · anyone, free · summary + presence chips"; top text reads "choose your detail level —"; bottom carries the Morpheus quote "what if I told you your right to be discovered on the internet shouldn't depend on your relationship with a third-party host?"
blog • dns-aid • 7 min read

Bookings Goes Real — Cloudflare Workers, Claude Managed Agents, and DNS-AID Glue

The first of the five fake agents now answers real requests. Three protocol surfaces, one Anthropic-managed Claude underneath, and DNS-AID + ANS attesting to all of it end-to-end.

Terminal screenshot of `npx wrangler secret put ANTHROPIC_API_KEY` uploading the API key for the darknetian-bookings worker — wrangler 3.114.17, secret created successfully on Cloudflare
blog • dns-aid • 5 min read

AgentFinder — Federation, Semantic Search, and the DNS Gesture

AgentFinder adds representativeQueries and a /search federation API on top of ai-catalog. Its DNS-SVCB gesture is exactly what DNS-AID specifies. They should know about each other.

Diagram of an AgentFinder federated query — a natural-language query box at the top fans out via parallel /search calls to three domains (darknetian.com matches with score 0.92, example.com returns no match, other.org returns a low-score alternative), and the winning candidate resolves through a DNS-AID SVCB record at bookings._agents.darknetian.com to bookings.darknetian.com
blog • easm • 7 min read

Wiring the CTEM Spiderweb

A pipeline that unifies Infoblox CTEM, lookalike-domain monitoring, brand protection, and open-source attack-surface signals into one Graylog dashboard — keyed by finding name, deduped across sources, and tagged with bug-bounty eligibility.

Three figures in Guy Fawkes masks seated at a curved console of triple monitors lit by green hacker-style UI, framed by an industrial geodesic ceiling structure and red rim lighting (photo by Tima Miroshnichenko on Pexels)
blog • dns-aid • 4 min read

ai-catalog — One URL, Many Protocols

A single /.well-known/ai-catalog.json enumerates every protocol surface an agent exposes — A2A, MCP, HTTPS — under one endpoint. The wrapping is the load-bearing idea.

Header of the AI Catalog Unofficial Draft (30 April 2026) at agent-card.github.io/ai-catalog/, showing the spec title, draft date, latest editor's draft URL, and Creative Commons Attribution 4.0 licensing footer
blog • dns • 15 min read

The Thing the Index Points To

DNS-AID's path-2 index leaf names a registry the draft explicitly leaves out of scope. Wiring ANS — a registration authority plus transparency log — to be that registry.

Terminal screenshot showing a signed C2SP checkpoint emitted by the live ans-tl deployment at ans.darknetian.com, alongside the SVCB record at _index._agents.darknetian.com pointing back at it
blog • dns • 14 min read

Five Fake Agents on a Real Cloudflare Zone

Publishing 5 DNS-AID agent records to darknetian.com — flat primary plus walkable AliasMode, DANE TLSA from throwaway self-signed certs, all DNSSEC-signed end-to-end. No agents actually exist behind any of them.

Terminal screenshot of dig output showing SVCB ServiceMode, AliasMode, TLSA, and TXT records resolving with DNSSEC AD flag set
blog • dns-aid • 4 min read

Agent Cards — The Well-Known JSON

agent-card.github.io standardizes how an agent describes itself at /.well-known/. DNS-AID resolves names; agent cards describe what answers at those names.

Rendering of a /.well-known/agent-card/bookings.json document in neon-on-dark monospace, showing the load-bearing fields — id, provider, description, an interfaces[] array of three protocol entries (a2a, mcp, https), capabilities, securitySchemes, version — laid out like an ASCII-art card
blog • dns • 11 min read

EDNS(0) for Agent Discovery — Letting the Client Tell the Resolver What It's Looking For

An experimental EDNS(0) option for DNS-AID that lets a client signal selector filters on the query so any hint-aware hop can narrow the answer or short-circuit with a cached match.

Cover page of RFC 6891 — "Extension Mechanisms for DNS (EDNS(0))" by Damas, Graff, and Vixie, April 2013 — the foundational standards-track document the agent-hint work builds on
project • dns • 7 min read

REEF — When the Agent Holds the Pen

An agent loop that reads, reasons, and (with your permission) edits Infoblox Threat Defense policy. Runs against any LLM you point it at — including a 4GB GPU in your homelab.

Terminal output of BEACON summarizing an Infoblox Threat Defense tenant with counts of policies, named lists, and feeds
blog • dns • 7 min read

DCV — Proving an Agent Belongs to a Domain Without a Central Authority

A stateless challenge/response primitive over TXT records that lets a NAT'd agent prove zone control without registering with anyone.

GitHub view of PR
blog • graylog • 7 min read

Graylog Enrichment, Deepened

Adding MAC→DHCP-hostname lookups, dashboards-as-code, and the long tail of NIOS WAPI and OpenSearch quirks the first pass left behind.

Top clients widget showing client_ip resolved next to fixedaddress name and DHCP hostname columns, with NIOS-known hosts alongside unenriched ones
project • dns • 13 min read

Creating a New DNS Resource Record Type

Why it may be beneficial to think about DNS in a new way.

A meme from the 'you wouldn't download a car' ad campaign that says 'you wouldn't add to DNS'
blog • field notes • 3 min read

Zombie Data Came Back to Life to Kill Me 🧟‍♂️

Implications of poor automation cleanup hygiene.

NIST NVD entry for CVE-2024-1737
blog • field notes • 5 min read

Help! Use Forwarders Only Caused My Outage

Implications of improperly-scoped security policies.

Cache miss error in Google Chrome
blog • hot rfc • 4 min read

Encrypted DNS Server Redirection

Discussing the merits of the IETF Internet-Draft EDSR.

Secure DNS configuration menu in Brave browser settings
blog • ops • 12 min read

Adding Observability to the Homelab

Adding Grafana and Prometheus for SNMP data.

Graylog installation screen
blog • automation • 12 min read

Enriching Graylog with Infoblox

Utilizing an IPAM source to enhance SIEM correlation.

Graylog enriched dashboard screen
blog • ops • 4 min read

Graylog for Infoblox

Creating a reporting source for Infoblox with Graylog.

Graylog dashboard screen
blog • ops • 5 min read

Graylog for Homelab (on Ubuntu 24.04 LTS)

Creating a log indexing source with Graylog and Ubuntu 24.04 in 2026.

Graylog installation screen
blog • compliance • 5 min read

Zero Trust Overlays

Comparison of Zero Trust documents from a US policy perspective.

Stock market ticker
blog • ops • 3 min read

Build This Website

Notes and lessons learned in deploying darknetian.com.

Neon planet covered in chains and a padlock underneath reads 'trust is scarce' (AI generated)