RFC-001 §2 / amendment-sso §A — DNS-TXT org binding (the domain-rooted trust floor).
An org proves control of a domain by publishing
_wire-org.<domain> TXT "did=did:wire:org:<id>; v=1". A receiver who runs
wire org bind <domain> resolves that record, extracts the org_did, and
records a per-org pairing policy (org_policies.json). From then on, a
peer presenting a verified member_cert for that org reaches ORG_VERIFIED
under the receiver’s chosen inbound mode — the org identity is now rooted in
a domain the org demonstrably controls, not just a bare keypair.
This is policy-setup-time resolution, not a per-pairing dependency: the
pairing hot path stays fully offline (org_membership::evaluate_card_membership
verifies the inline cert chain). DNS is consulted once, here, to translate a
human domain into the org_did the offline chain already verifies against.
Resolution is DNS-over-HTTPS (no extra DNS crate; works behind the TLS-terminating proxies and split-horizon resolvers wire already tolerates for federation). The resolver is a trait so the resolve→pin logic is unit-testable without a network.
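The resolve-then-pin path described above, written out as an added example; this is not code from the wire crate, and the OrgRecord fields, the TxtResolver method signature, the InboundMode and OrgPolicies types, the FakeResolver and its zone data are all this example's assumptions modelled on the descriptions here. It shows the three pieces a practitioner needs to see together: the unquote + chunk-join step a DoH backend must perform before strings reach the trait, a strict parser for the did=did:wire:org:<id>; v=1 record that skips unrelated TXT strings at the same name, and bind_org resolving once and pinning the org_did. The strictness rules and the refusal to re-pin an org_did through a different domain are the example's own choices, not documented crate behaviour.

```rust
use std::collections::HashMap;

/// Parsed `_wire-org.<domain>` binding (field names are this example's, not the crate's).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct OrgRecord { pub org_did: String, pub version: u32 }

/// Resolver seam modelled on the page's TxtResolver (signature assumed): every TXT string at `fqdn`, already unquoted + chunk-joined.
pub trait TxtResolver {
    fn txt(&self, fqdn: &str) -> Result<Vec<String>, String>;
}

/// The unquote + chunk-join step a DoH backend owes the trait: application/dns-json gives one TXT RDATA as quoted RFC 1035 character-strings, e.g. `"did=did:wire:org:x; " "v=1"`.
pub fn unquote_chunks(data: &str) -> String {
    let (mut out, mut in_quote) = (String::new(), false);
    let mut chars = data.chars();
    while let Some(c) = chars.next() {
        match (in_quote, c) {
            (false, '"') => in_quote = true,
            (false, _) => {} // whitespace between chunks
            (true, '"') => in_quote = false,
            (true, '\\') => out.extend(chars.next()), // backslash escape inside a chunk
            (true, _) => out.push(c),
        }
    }
    out
}

/// Parse `did=did:wire:org:<id>; v=1`. Strict by this example's choice: unknown or duplicate keys, a
/// non-did:wire:org DID, an id outside [A-Za-z0-9_-], or v != 1 reject the string, so unrelated
/// TXT records published at the same name are skipped rather than trusted.
pub fn parse_org_record(txt: &str) -> Option<OrgRecord> {
    let (mut did, mut version): (Option<String>, Option<u32>) = (None, None);
    for field in txt.split(';').map(str::trim).filter(|f| !f.is_empty()) {
        let (key, value) = field.split_once('=')?;
        match (key.trim(), value.trim()) {
            ("did", v) => {
                let id = v.strip_prefix("did:wire:org:")?;
                let ok = !id.is_empty() && id.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_');
                if !ok || did.replace(v.to_string()).is_some() { return None; }
            }
            ("v", v) => { if version.replace(v.parse::<u32>().ok()?).is_some() { return None; } }
            _ => return None,
        }
    }
    match (did, version) {
        (Some(org_did), Some(1)) => Some(OrgRecord { org_did, version: 1 }),
        _ => None,
    }
}

/// Resolve `_wire-org.<domain>` and return the first TXT string that parses as a binding.
pub fn org_record_for_domain<R: TxtResolver>(resolver: &R, domain: &str) -> Result<OrgRecord, String> {
    let fqdn = format!("_wire-org.{}", domain.trim().trim_end_matches('.'));
    let strings = resolver.txt(&fqdn)?;
    strings.iter().find_map(|s| parse_org_record(s)).ok_or_else(|| {
        format!("no valid wire-org binding at {fqdn} ({} TXT strings seen)", strings.len())
    })
}

/// Inbound mode (modelled on the page's ORG_VERIFIED) and a stand-in for org_policies.json: org_did -> (domain bound through, mode).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum InboundMode { OrgVerified }
#[derive(Debug, Default)]
pub struct OrgPolicies(pub HashMap<String, (String, InboundMode)>);

/// bind_org: DNS once, at policy-setup time; later pairings verify cert chains offline against the pinned
/// org_did. Re-pinning an org_did through a different domain is refused (example policy, not the crate's).
pub fn bind_org<R: TxtResolver>(resolver: &R, policies: &mut OrgPolicies, domain: &str, mode: InboundMode)
    -> Result<(String, OrgRecord), String> {
    let domain = domain.trim().trim_end_matches('.'); // same canonical form org_record_for_domain queries
    let rec = org_record_for_domain(resolver, domain)?;
    if let Some((bound_via, _)) = policies.0.get(&rec.org_did) {
        if bound_via.as_str() != domain {
            return Err(format!("{} is already bound via {bound_via}", rec.org_did));
        }
    }
    policies.0.insert(rec.org_did.clone(), (domain.to_string(), mode));
    Ok((rec.org_did.clone(), rec))
}

/// In-memory resolver (the page's "faked in tests") over constructed zone data, not real records: example.org
/// has an unrelated TXT string ahead of its binding; evil.example publishes a non-wire DID that must not bind.
pub struct FakeResolver(pub HashMap<String, Vec<String>>);
impl TxtResolver for FakeResolver {
    fn txt(&self, fqdn: &str) -> Result<Vec<String>, String> {
        self.0.get(fqdn).cloned().ok_or_else(|| format!("NXDOMAIN {fqdn}"))
    }
}
pub fn sample_resolver() -> FakeResolver {
    let mut zone = HashMap::new();
    zone.insert("_wire-org.example.org".to_string(), vec![
        "v=spf1 -all".to_string(),
        unquote_chunks(r#""did=did:wire:org:acme-7f3" "; v=1""#),
    ]);
    zone.insert("_wire-org.evil.example".to_string(), vec!["did=did:web:evil.example; v=1".to_string()]);
    FakeResolver(zone)
}

fn main() {
    let (resolver, mut policies) = (sample_resolver(), OrgPolicies::default());
    for domain in ["example.org", "evil.example", "nx.example"] {
        println!("{domain}: {:?}", bind_org(&resolver, &mut policies, domain, InboundMode::OrgVerified));
    }
}
```

Two things worth keeping in mind when wiring a real DohResolver behind the trait. First, unquote_chunks (or its equivalent) belongs inside the resolver, because application/dns-json hands back the quoted, possibly multi-chunk RDATA verbatim and the parser above only ever sees the joined string. Second, the DoH endpoint is the trust anchor for this one-time step: HTTPS authenticates the resolver, not the zone data, and nothing here checks DNSSEC, so the value of WIRE_DOH_URL is a security decision, and a bad answer accepted at bind time stays pinned in org_policies.json until the domain is deliberately re-bound.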
Structs§
- DohResolver - DNS-over-HTTPS resolver. No extra crate — reuses the reqwest::blocking::Client wire already depends on.
Constants§
- DEFAULT_DOH_URL - Default DNS-over-HTTPS endpoint. Cloudflare's resolver speaks the application/dns-json shape this module parses. Override with WIRE_DOH_URL (e.g. an internal resolver, or Google's https://dns.google/resolve).
- DOH_URL_ENV
Traits§
- TxtResolver - Resolver seam: return every TXT string at fqdn (already unquoted + chunk-joined). Implemented over DoH in production, faked in tests.
Functions§
- bind_org - Resolve a domain's org_did and pin a per-org inbound policy for it (RFC-001 §2 floor). Returns the bound org_did + the resolved record.
- org_record_for_domain - Resolve _wire-org.<domain> and return the first TXT record that parses as a valid wire-org binding. Errors if none resolve or none parse.