Skip to content

Comments

feat(dir): domain ownership verification#803

Merged
adamtagscherer merged 16 commits intomainfrom
feat/secure-domain
Jan 15, 2026
Merged

feat(dir): domain ownership verification#803
adamtagscherer merged 16 commits intomainfrom
feat/secure-domain

Conversation

@adamtagscherer
Copy link
Member

@adamtagscherer adamtagscherer commented Jan 12, 2026
edited
Loading

This PR adds domain ownership verification for OASF records. Publishers can prove they control the domain in their record's name field by publishing their signing public key via DNS TXT record or well-known file.

Features Implemented
Name verification via JWKS - Uses standard RFC 7517 /.well-known/jwks.json
Name verification via DNS TXT - Uses _oasf. TXT records
Protocol prefixes - dns:// or http:// or https:// to specify verification method
Automatic verification on sign - Best-effort verification after dirctl sign
New dirctl naming commands - verify and check subcommands
Persistent storage - Verification results stored as OCI referrers

Future Work

  • Implement ListVerifiedAgents (requires domain index in DB)
  • Re-verification based on TTL
  • Name resolution (dirctl pull name instead of cid)

@adamtagscherer adamtagscherer added this to the DIR v1.0.0 milestone Jan 12, 2026
@adamtagscherer adamtagscherer self-assigned this Jan 12, 2026
@adamtagscherer adamtagscherer added the go Pull requests that update go code label Jan 12, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Jan 12, 2026
edited
Loading

The latest Buf updates on your PR. Results from workflow Buf CI / verify-proto (pull_request).

BuildFormatLintBreakingUpdated (UTC)
✅ passed⏩ skipped⏩ skipped✅ passedJan 15, 2026, 12:30 PM

@github-actions github-actions bot added size/L Denotes a PR that changes 1000-1999 lines size/XL Denotes a PR that changes 2000+ lines and removed size/L Denotes a PR that changes 1000-1999 lines labels Jan 12, 2026
@adamtagscherer adamtagscherer changed the title feat(dir): secure domains feat(dir): domain ownership verification Jan 13, 2026
@adamtagscherer adamtagscherer marked this pull request as ready for review January 13, 2026 14:40
@adamtagscherer adamtagscherer requested a review from a team as a code owner January 13, 2026 14:40
@adamtagscherer adamtagscherer linked an issue Jan 14, 2026 that may be closed by this pull request
Secure URLs with HTTP challenges #795
Closed
ramizpolic
ramizpolic requested changes Jan 14, 2026
View reviewed changes
ramizpolic
ramizpolic reviewed Jan 14, 2026
View reviewed changes
@github-actions github-actions bot added size/L Denotes a PR that changes 1000-1999 lines size/XL Denotes a PR that changes 2000+ lines and removed size/XL Denotes a PR that changes 2000+ lines size/L Denotes a PR that changes 1000-1999 lines labels Jan 14, 2026
ramizpolic
ramizpolic requested changes Jan 15, 2026
View reviewed changes
@adamtagscherer
feat: secure domains initial commit
36bf9a4 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
feat: secure domains
e31a758 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
feat: secure domains
3103d8a 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
test: fix tests
172a7de 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: remove ListVerifiedAgents procedure
b9c1d08 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: add protocol prefix to name
f063038 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: rename DomainVerification to Verification referrer type
b4aa99f 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: generalize Name Verification info
ebea4d4 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: rename matched_key_id to key_id
c98badd 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: restructure package from verification to naming
639e5f0 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: adopt RFC7517 JWKS
7c6389c 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
fix: JWKS bug
a389351 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: change wellknown to http and https
d4c75bf 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: change wellknown to http and https
fc8a4ae 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer
refactor: change DNS TXT record format
858087a 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
ramizpolic
ramizpolic approved these changes Jan 15, 2026
View reviewed changes
Copy link
Member

@ramizpolic ramizpolic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@adamtagscherer
fix: linter
47c8b28 
Signed-off-by: Tagscherer Ádám <adam.tagscherer@gmail.com>
@adamtagscherer adamtagscherer merged commit e24fc4a into main Jan 15, 2026
27 checks passed
@adamtagscherer adamtagscherer deleted the feat/secure-domain branch January 15, 2026 13:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@arpad-csepi arpad-csepi arpad-csepi approved these changes

@ramizpolic ramizpolic ramizpolic approved these changes

Assignees

@adamtagscherer adamtagscherer

Labels

go Pull requests that update go code size/XL Denotes a PR that changes 2000+ lines

Projects

None yet

Milestone

DIR v1.0.0

Development

Successfully merging this pull request may close these issues.

Secure URLs with HTTP challenges

3 participants

@adamtagscherer @arpad-csepi @ramizpolic