Skip to content

v0.17.0: Phase 7 — Policy-to-RPZ Compiler, Infoblox TD Enforcement

Choose a tag to compare

View all tags
@github-actions github-actions released this 29 Mar 14:42
· 93 commits to main since this release
v0.17.0
6b50219
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Full discovery → policy → Threat Defense enforcement pipeline.

Policy Compiler & Zone Writers

  • PolicyCompiler transforms PolicyDocument JSON into RPZ + bind-aid directives
  • Standard RPZ zone writer (RFC 8010 CNAME records)
  • bind-aid zone writer (TXT ACTION + SvcParam ops per Ingmar's BIND 9 fork)
  • SvcParam operations: strip, require, validate, enforce, whitelist, blacklist
  • RPZ deduplication with warnings

Infoblox BloxOne Threat Defense

  • Named list push + security policy binding
  • TD actions: action_block, action_log, action_allow, action_redirect
  • In-place action switching without duplicate rules

Infoblox NIOS RPZ (On-Prem)

  • record:rpz:cname CRUD + zone_rp management via WAPI

CLI

  • dns-aid policy compile|show — generate zones + compilation report
  • dns-aid enforce — discover → compile → push to TD (shadow/monitor/enforce)
  • --auto-policy — fetch policies from agents' SVCB policy_uri

MCP Tools (4 new, 15 total)

  • compile_policy_to_rpz, publish_rpz_zone, list_rpz_rules, list_td_security_policies

CEL Compilation

  • Domain-based CEL compiles to DNS zone entries (Layer 0)
  • Complex CEL enforced at runtime by Rust evaluator ~2µs (Layer 1/2)

Docs

  • Nordstrom POC guide with dual MCP server architecture
  • Updated README, CHANGELOG, getting-started

1191 tests | Python 3.11/3.12/3.13 | Live-verified against BloxOne TD

Assets 11
Loading