feat: add DNS-AID integration for agent discovery via DNS

Adds google.adk.integrations.dns_aid as the decentralized counterpart to
integrations/agent_registry: instead of pulling agents from a centralized
cloud registry, agents are discovered (and published) via DNS SVCB records
under _<name>._<protocol>._agents.<domain>.

Public surface:

  from google.adk.integrations.dns_aid import (
      discover_agents,           # async; query DNS SVCB
      publish_agent,             # async; create SVCB+TXT records
      unpublish_agent,           # async; remove records
      get_dns_aid_tools,         # FunctionTool wrappers for an LlmAgent
      remote_a2a_agent_from_record,   # bridge to RemoteA2aAgent
      mcp_toolset_from_record,        # bridge to McpToolset
  )

Install:

  pip install "google-adk[dns-aid]"

The extra pulls dns-aid>=0.18,<1 and google-adk[a2a] (for the A2A bridge).

Implementation notes:

- Lives in integrations/, not tools/, per integrations/README.md and
  matching the PR #5094 SecretManagerClient move pattern. Old import paths
  (google.adk.tools.dns_aid_tool, .dns_aid_a2a_bridge) remain as
  re-export shims that emit DeprecationWarning, scheduled for removal in
  a future release.
- dns_aid imports are lazy-wrapped per integrations/README.md rule 4 so
  a missing extra produces "pip install google-adk[dns-aid]" rather than
  a raw ModuleNotFoundError.
- LLM-callable args use pydantic Field constraints (RFC 1035 pattern for
  agent_name, ge=1/le=65535 for port, ge=60 for ttl) and Literal types
  for protocol and backend_name so the FunctionTool schema constrains
  the model up front instead of relying on runtime ValueErrors.
- discover_agents returns the structured DiscoveryResult dict directly;
  the previous json.dumps() wrapper forced the LLM to parse JSON and
  silently stripped type info on datetimes/UUIDs.
- unpublish_agent translates dns_aid exceptions into a typed status
  payload (not_found / permission_denied / backend_unavailable /
  throttled / error) so the LLM can decide whether to retry rather than
  being told "not found" for every failure mode.
- get_dns_aid_tools binds backend_name via inspect.signature +
  functools.wraps so adding a parameter upstream (e.g. policy_uri in
  Phase 6) doesn't silently desync the FunctionTool schema. A parity
  test in tests/unittests/integrations/dns_aid/test_dns_aid.py guards
  this contract.
- a2a_bridge.remote_a2a_agent_from_record returns a real RemoteA2aAgent
  (not the prior dict[str, Any]); RemoteA2aAgent fetches the card
  lazily on first invocation, so the bridge is sync.
- mcp_bridge.mcp_toolset_from_record is the symmetric piece for
  protocol=mcp, mirroring how integrations/agent_registry uses
  StreamableHTTPConnectionParams.
- Logger uses the project's required form
  logging.getLogger("google_adk." + __name__) so the
  check-file-contents CI gate doesn't reject it.

Tests: 26 new tests under tests/unittests/integrations/dns_aid/ cover
each rule path (validation, error translation, signature parity, bridge
type assertions). All pass with -p asyncio (asyncio_mode=auto).

README.md: full setup, per-backend credential table (route53,
cloudflare, cloud-dns, ns1, infoblox/nios, ddns, mock), bridge
examples, and a Future section flagging where trust verification, cap
docs, and policy enforcement will plug in (kept out of v1 to keep this
PR focused).

Author: IngmarVG-IB

AGENTS.md

@@ -1,8 +1,8 @@
 # AI Coding Assistant Context
 
-This document provides context for AI coding assistants (Claude Code, Gemini
-CLI, GitHub Copilot, Cursor, etc.) to understand the ADK Python project and
-assist with development.
+This document provides context for AI coding assistants (Gemini CLI, GitHub
+Copilot, Cursor, etc.) to understand the ADK Python project and assist with
+development.
 
 ## Project Overview
 

pyproject.toml

@@ -96,6 +96,10 @@ optional-dependencies.dev = [
   "pyink>=25.12",
   "pylint>=2.6",
 ]
+optional-dependencies.dns-aid = [
+  "dns-aid>=0.18,<1",
+  "google-adk[a2a]",
+]
 optional-dependencies.docs = [
   "autodoc-pydantic",
   "furo",

src/google/adk/integrations/dns_aid/README.md

@@ -0,0 +1,172 @@
+# DNS-AID
+
+Decentralized agent discovery for Google ADK via DNS SVCB records — the
+counterpart to [`agent_registry`](../agent_registry/), which uses Google
+Cloud's centralized agent registry.
+
+## What is DNS-AID?
+
+DNS-AID encodes agent metadata into DNS SVCB records (RFC 9460) under the
+naming convention `_<name>._<protocol>._agents.<domain>` (for example
+`_chat._mcp._agents.example.com`). The
+[`dns-aid`](https://pypi.org/project/dns-aid/) Python SDK (`dns-aid-core`)
+handles SVCB encoding/decoding, backend zone updates, and discovery
+queries; this integration is a thin ADK-shaped wrapper over it.
+
+Discovery is decentralized by design: each operator publishes to whatever
+DNS provider they already own (Route 53, Cloud DNS, Cloudflare, NS1,
+Infoblox NIOS, on-prem BIND/Knot via RFC 2136). There is no single trust
+root and no shared registry — which makes DNS-AID a natural fit for
+multi-cloud, federated, and air-gapped deployments where a centralized
+service is undesirable or unavailable.
+
+## Install
+
+```bash
+pip install "google-adk[dns-aid]"
+```
+
+This pulls in `dns_aid>=0.18,<1` and the `[a2a]` extra (needed for the
+A2A bridge).
+
+## Quickstart — discover agents
+
+```python
+import asyncio
+from google.adk.integrations.dns_aid import discover_agents
+
+
+async def main():
+    result = await discover_agents(domain='agents.example.com')
+    for record in result['agents']:
+        print(record['name'], record['protocol'], record['endpoint'])
+
+
+asyncio.run(main())
+```
+
+Filter by protocol or by name with `protocol='a2a'` / `name='chat'`. Pass
+`require_dnssec=True` to reject any result where end-to-end DNSSEC
+validation fails.
+
+## Quickstart — publish an agent
+
+```python
+from google.adk.integrations.dns_aid import publish_agent
+
+await publish_agent(
+    agent_name='chat',
+    domain='agents.example.com',
+    protocol='mcp',
+    endpoint='chat.internal.example.com',
+    port=443,
+    backend_name='route53',
+)
+```
+
+Omit `backend_name` to use whatever default the host resolver / `dns_aid`
+configuration provides. See [Backend credentials](#backend-credentials)
+for the supported values.
+
+## Quickstart — bridge to RemoteA2aAgent
+
+```python
+from google.adk.integrations.dns_aid import discover_agents
+from google.adk.integrations.dns_aid import remote_a2a_agent_from_record
+
+result = await discover_agents(domain='agents.example.com', protocol='a2a')
+agents = [
+    remote_a2a_agent_from_record(record)
+    for record in result['agents']
+]
+```
+
+`remote_a2a_agent_from_record` is synchronous — it does no I/O.
+`RemoteA2aAgent` fetches its agent card lazily on first invocation.
+
+## Quickstart — bridge to McpToolset
+
+```python
+from google.adk.integrations.dns_aid import discover_agents
+from google.adk.integrations.dns_aid import mcp_toolset_from_record
+
+result = await discover_agents(domain='agents.example.com', protocol='mcp')
+toolsets = [
+    mcp_toolset_from_record(record)
+    for record in result['agents']
+]
+```
+
+Like its A2A counterpart, `mcp_toolset_from_record` is synchronous; the
+underlying `McpToolset` connects on first use.
+
+## Use as ADK FunctionTools
+
+```python
+from google.adk.agents import LlmAgent
+from google.adk.integrations.dns_aid import get_dns_aid_tools
+
+agent = LlmAgent(
+    model='gemini-2.5-flash',
+    tools=get_dns_aid_tools(backend_name='route53'),
+)
+```
+
+`get_dns_aid_tools(backend_name=None)` returns FunctionTool wrappers for
+`discover_agents`, `publish_agent`, and `unpublish_agent` with
+`backend_name` pre-bound (so the LLM-facing schema does not include it).
+Omit `backend_name` to fall back to the default `dns_aid` configuration.
+
+## Backend credentials
+
+`backend_name` must match the exact spelling that `dns_aid` expects
+(hyphens, not underscores). Credentials live wherever the underlying
+provider SDK looks for them:
+
+| `backend_name` | Auth source | Required env vars / config |
+|---|---|---|
+| `route53` | AWS SDK default chain | `AWS_PROFILE` or `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` (or instance profile) |
+| `cloudflare` | API token | `CLOUDFLARE_API_TOKEN` |
+| `cloud-dns` | Google ADC | `GOOGLE_APPLICATION_CREDENTIALS` (or `gcloud auth application-default login`) |
+| `ns1` | API key | `NS1_API_KEY` |
+| `infoblox` / `nios` | NIOS API user | `INFOBLOX_HOST`, `INFOBLOX_USERNAME`, `INFOBLOX_PASSWORD` |
+| `ddns` | RFC 2136 TSIG | `DDNS_TSIG_KEYFILE`, `DDNS_SERVER` |
+| `mock` | n/a — in-memory only | (no creds; for tests) |
+
+> Credentials are resolved by `dns_aid` itself, not by ADK. ADK does not
+> read these env vars directly — it just hands the `backend_name` string
+> to `dns_aid.backends.create_backend(...)`. If a publish or unpublish
+> call fails with a backend-specific authentication error, check the
+> `dns-aid-core` docs for that provider.
+
+## Programmatic API
+
+| Symbol | Description |
+|---|---|
+| `discover_agents` | Async; query DNS SVCB records under a domain. |
+| `publish_agent` | Async; create SVCB + TXT records via the named backend. |
+| `unpublish_agent` | Async; remove the records. Returns a structured status dict that distinguishes `not_found`, `permission_denied`, `backend_unavailable`, and `throttled`. |
+| `get_dns_aid_tools` | Build the FunctionTool list for an `LlmAgent`. |
+| `remote_a2a_agent_from_record` | Bridge to `RemoteA2aAgent` (protocol `a2a`). |
+| `mcp_toolset_from_record` | Bridge to `McpToolset` (protocol `mcp`). |
+
+## Future
+
+The current integration ships discovery, publish, unpublish, and the two
+bridges. Future revisions can layer:
+
+- **Cap-doc fetch and verify** — `dns-aid-core` exposes `cap_fetcher` for
+  pulling the SVCB-referenced capability document.
+- **Trust verification** — DNSSEC, DANE, and `cap-sha256` checks via
+  `dns_aid.core.validator`.
+- **Policy enforcement** — Phase 6 of `dns-aid-core` provides
+  `PolicyEvaluator` for evaluating policies referenced by `policy_uri`
+  in the SVCB record.
+
+## References
+
+- DNS-AID spec: `draft-mozleywilliams-dnsop-dnsaid` (IETF Internet-Draft)
+- `dns-aid-core`: the [`dns-aid`](https://pypi.org/project/dns-aid/)
+  PyPI package
+- A2A spec: [Agent-to-Agent protocol](https://google.github.io/A2A/)
+- ADK FunctionTool: [function tools documentation](https://google.github.io/adk-docs/tools/function-tools/)

src/google/adk/integrations/dns_aid/__init__.py

@@ -0,0 +1,39 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""DNS-AID integration for Google ADK.
+
+DNS-AID enables agents to discover and publish themselves via DNS SVCB
+records. This integration is the decentralized counterpart to
+``integrations/agent_registry`` (which uses Google Cloud's centralized
+agent registry).
+
+Install: ``pip install "google-adk[dns-aid]"``
+"""
+
+from .a2a_bridge import remote_a2a_agent_from_record
+from .dns_aid import discover_agents
+from .dns_aid import get_dns_aid_tools
+from .dns_aid import publish_agent
+from .dns_aid import unpublish_agent
+from .mcp_bridge import mcp_toolset_from_record
+
+__all__ = [
+    'discover_agents',
+    'get_dns_aid_tools',
+    'mcp_toolset_from_record',
+    'publish_agent',
+    'remote_a2a_agent_from_record',
+    'unpublish_agent',
+]

src/google/adk/integrations/dns_aid/a2a_bridge.py

@@ -0,0 +1,68 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Bridge from DNS-AID AgentRecord to ADK RemoteA2aAgent."""
+
+from __future__ import annotations
+
+try:
+  from dns_aid.core.models import AgentRecord
+  from dns_aid.core.models import Protocol
+except ImportError as e:
+  raise ImportError(
+      'dns_aid is not installed. Please install it with '
+      '`pip install "google-adk[dns-aid]"`.'
+  ) from e
+
+try:
+  from google.adk.agents.remote_a2a_agent import AGENT_CARD_WELL_KNOWN_PATH
+  from google.adk.agents.remote_a2a_agent import RemoteA2aAgent
+except ImportError as e:
+  raise ImportError(
+      'a2a-sdk is not installed. Please install it with '
+      '`pip install "google-adk[a2a]"`. The dns-aid extra pulls this in '
+      'transitively but a partial install can still hit this.'
+  ) from e
+
+
+def remote_a2a_agent_from_record(record: AgentRecord) -> RemoteA2aAgent:
+  """Convert a DNS-AID AgentRecord (protocol=a2a) into a RemoteA2aAgent.
+
+  RemoteA2aAgent fetches the agent card lazily on first invocation, so this
+  function performs no I/O and is intentionally synchronous.
+
+  Args:
+    record: An AgentRecord from dns_aid.discover() with protocol=a2a.
+
+  Returns:
+    A RemoteA2aAgent ready to be added to an ADK runner.
+
+  Raises:
+    ValueError: If the record's protocol is not A2A.
+  """
+  if record.protocol != Protocol.A2A:
+    raise ValueError(
+        f'Agent {record.name} uses protocol {record.protocol}, not A2A'
+    )
+  agent_card_url = (
+      f'{record.endpoint_url.rstrip("/")}{AGENT_CARD_WELL_KNOWN_PATH}'
+  )
+  return RemoteA2aAgent(
+      name=record.name,
+      agent_card=agent_card_url,
+      description=record.description or '',
+  )
+
+
+__all__ = ['remote_a2a_agent_from_record']