# v0.30.0
Correctness + security release: fixes the zac.email / RDAP-only-TLD bug and lands all 8 high-severity findings from a full code review.
## ⚠️ Breaking changes
- DNSSEC status vocabulary (`DnssecReport.status`): `secure`/`insecure` → `signed`/`unsigned`. The check verifies DS↔DNSKEY digest consistency only (no RRSIG/signature validation), so the verdict no longer implies cryptographic authentication. Consumers keying on the old strings must update. (`partial`/`misconfigured` unchanged.)
- Error sanitization: API/MCP/Python error messages now collapse transport/network errors to category-only strings, so no upstream hostnames, URLs, paths or raw system errors leak. Full detail is still logged internally via `Display`.
## Fixed — registered domains on RDAP-only TLDs (#17)
`seer lookup` for domains on registries without port-43 WHOIS (Identity Digital: .email, .life, .ninja, …) returned nothing when RDAP was throttled or grace-truncated. It now reports `REGISTERED` from the DNS-delegation signal (`method: dns_present`) instead of an empty result.
## Security & correctness (#18)
- SSRF: unified the reserved-IP blocklist on a single source of truth and added missing ranges (`0.0.0.0/8`, class E `240/4`, NAT64, 6to4, IPv4-compatible and documentation prefixes); RDAP no longer follows redirects (a redirect bypassed the IP pin); WHOIS connects to the validated IPs rather than re-resolving the hostname (DNS-rebinding TOCTOU).
- DoS: fixed a remotely triggerable panic in the WHOIS status parser (slice underflow after Unicode lowercasing).
- Injection: `MdSafe` now escapes the Markdown table delimiter `|`.
- Availability: a WHOIS response carrying registration data is never reported "available".
- CLI: `--format json` is honored on error paths (structured `{"error": ...}`).
- Plus owner-only (`0600`) history/watchlist files, UTF-8-lossy WHOIS decode, char-width header rules, and bounded follow iterations.
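The SSRF bullet above lists the reserved ranges and the check-then-connect ordering in one sentence. The following is an added illustration, not seer's own code: a single `is_reserved` predicate covering the ranges named in the release (including the transition prefixes that embed an IPv4 address, which would otherwise smuggle a reserved v4 target through a v6 literal), plus a hypothetical `pin_target` helper showing the pattern that closes the DNS-rebinding window: resolve once, validate every answer, and dial the returned address rather than the hostname. The function names, the error strings and the sample addresses are assumptions for this example.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// IPv4 ranges an outbound RDAP/WHOIS client must never connect to:
/// "this network", private, CGNAT, loopback, link-local (cloud metadata),
/// documentation, benchmarking, multicast and class E.
fn is_reserved_v4(ip: Ipv4Addr) -> bool {
    let [a, b, c, _] = ip.octets();
    matches!(
        (a, b, c),
        (0, _, _)               // 0.0.0.0/8       "this network"
        | (10, _, _)            // 10.0.0.0/8      private
        | (100, 64..=127, _)    // 100.64.0.0/10   carrier-grade NAT
        | (127, _, _)           // 127.0.0.0/8     loopback
        | (169, 254, _)         // 169.254.0.0/16  link-local, incl. 169.254.169.254 metadata
        | (172, 16..=31, _)     // 172.16.0.0/12   private
        | (192, 0, 0)           // 192.0.0.0/24    IETF protocol assignments
        | (192, 0, 2)           // 192.0.2.0/24    TEST-NET-1 (documentation)
        | (192, 168, _)         // 192.168.0.0/16  private
        | (198, 18..=19, _)     // 198.18.0.0/15   benchmarking
        | (198, 51, 100)        // 198.51.100.0/24 TEST-NET-2
        | (203, 0, 113)         // 203.0.113.0/24  TEST-NET-3
        | (224..=239, _, _)     // 224.0.0.0/4     multicast
        | (240..=255, _, _)     // 240.0.0.0/4     class E + limited broadcast
    )
}

/// IPv6 ranges, including the transition prefixes that carry an IPv4
/// address (IPv4-mapped, IPv4-compatible, NAT64, 6to4).
fn is_reserved_v6(ip: Ipv6Addr) -> bool {
    // ::ffff:a.b.c.d is an IPv4 address in disguise: apply the v4 rules to it.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return is_reserved_v4(v4);
    }
    let s = ip.segments();
    s[..6] == [0; 6]                                               // ::/96 IPv4-compatible (covers :: and ::1)
        || (s[0] == 0x0064 && s[1] == 0xff9b && s[2..6] == [0; 4]) // 64:ff9b::/96 NAT64
        || s[0] == 0x2002                                          // 2002::/16 6to4
        || (s[0] == 0x2001 && s[1] == 0x0db8)                      // 2001:db8::/32 documentation
        || (s[0] & 0xffc0) == 0xfe80                               // fe80::/10 link-local
        || (s[0] & 0xfe00) == 0xfc00                               // fc00::/7 unique local
        || (s[0] & 0xff00) == 0xff00                               // ff00::/8 multicast
}

/// Single source of truth consulted by every outbound connection path.
pub fn is_reserved(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_reserved_v4(v4),
        IpAddr::V6(v6) => is_reserved_v6(v6),
    }
}

/// Hypothetical helper: choose the address the client will actually dial.
/// Resolution happens once, every answer is validated, and the caller must
/// connect to the returned IpAddr (never re-resolve the hostname), which
/// removes the check-to-use gap a rebinding resolver exploits. Fails closed
/// if any answer is reserved. The message is for internal logging; an API
/// layer would collapse it to a category before returning it to a client.
pub fn pin_target(resolved: &[IpAddr]) -> Result<IpAddr, String> {
    if resolved.is_empty() {
        return Err("resolver returned no addresses".to_string());
    }
    if let Some(bad) = resolved.iter().find(|ip| is_reserved(**ip)) {
        return Err(format!("refusing reserved address {bad}"));
    }
    Ok(resolved[0])
}

fn main() {
    // Constructed resolver answers: an honest one, and one where a second
    // answer points at the link-local metadata address via a mapped literal.
    let honest: Vec<IpAddr> = vec!["93.184.216.34".parse().unwrap()];
    let rebound: Vec<IpAddr> = vec![
        "93.184.216.34".parse().unwrap(),
        "::ffff:169.254.169.254".parse().unwrap(),
    ];
    println!("{:?}", pin_target(&honest));
    println!("{:?}", pin_target(&rebound));
}
```

Rejecting the whole answer set when any address is reserved (rather than skipping the bad one) is deliberate: a resolver that mixes public and reserved answers is already behaving adversarially, and picking the "good" one leaves the decision to answer ordering.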
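The injection bullet above says `MdSafe` now escapes `|`. As an added example, not the project's own `MdSafe` implementation, the hypothetical `md_cell`/`md_row` pair below shows why that one character matters in a table and what else a cell escaper has to handle: a WHOIS or RDAP field is written by the registrant, so an unescaped `|` adds a column and an embedded newline ends the row and starts a forged one. The function names and the sample registrant string are constructed for this example.

```rust
/// Escape one value for use inside a GitHub-flavoured Markdown table cell.
pub fn md_cell(raw: &str) -> String {
    let mut out = String::with_capacity(raw.len() + 4);
    for ch in raw.chars() {
        match ch {
            '|' => out.push_str("\\|"),   // table delimiter: would split the cell
            '\\' => out.push_str("\\\\"), // keeps the value faithful: raw `\|` stays `\|`
            '\n' | '\r' => out.push(' '), // a table row is exactly one line
            _ => out.push(ch),
        }
    }
    out
}

/// Render one table row; every cell goes through md_cell, no exceptions.
pub fn md_row(cells: &[&str]) -> String {
    let escaped: Vec<String> = cells.iter().map(|c| md_cell(c)).collect();
    format!("| {} |", escaped.join(" | "))
}

fn main() {
    // Constructed registrant field that tries to add a column and a second row.
    let hostile = "Example Org | Owner: someone else\n| spoofed | row |";
    println!("{}", md_row(&["Registrant", hostile]));
}
```

Doing the escaping in the row builder rather than at each call site is the point of a type like `MdSafe`: a field that never passed through the escaper cannot reach the output.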
## Still open
~14 lower-priority review findings (Rust refactors + the seer-api Python layer) remain for a follow-up.
🤖 Generated with Claude Code