| Internet-Draft | ARP | April 2026 |
| Deforth | Expires 20 October 2026 | [Page] |
This document specifies the Agentic Reasoning Protocol (ARP), a lightweight mechanism for cryptographically binding machine-readable entity claims to domain ownership via DNS TXT records. ARP enables AI agents and Retrieval-Augmented Generation (RAG) pipelines to verify that structured data published on a domain was authorized by the domain owner, preventing narrative injection and entity spoofing in generative search systems.¶
ARP uses Ed25519 digital signatures [RFC8032], JSON Canonicalization Scheme (JCS) [RFC8785], and DNS TXT records to establish a chain of trust analogous to DomainKeys Identified Mail (DKIM) [RFC6376] but designed specifically for the verification of semantic entity data consumed by autonomous AI agents.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 20 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The proliferation of Large Language Models (LLMs) and Retrieval- Augmented Generation (RAG) systems has fundamentally altered how information is discovered, synthesized, and presented to users. Unlike traditional search engines, which return ranked lists of hyperlinks for human evaluation, generative search engines produce direct synthesized answers by extracting and compressing data from multiple web sources.¶
This architectural shift creates a critical trust gap: generative engines heavily weight structured data signals (JSON-LD, semantic HTML, Schema.org markup) when selecting sources for citation, but currently have no mechanism to verify that such structured data was actually authorized by the domain owner. Any actor can publish well-formed structured data on any domain they control, potentially poisoning the knowledge graph of AI systems with fabricated entity claims, false product information, or competitor sabotage.¶
The Agentic Reasoning Protocol (ARP) addresses this gap by providing a DNS-anchored cryptographic verification mechanism analogous to DKIM [RFC6376] for email. ARP enables any consuming system to verify the provenance and integrity of machine-readable entity claims before incorporating them into synthesized responses.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The ARP verification flow consists of four phases:¶
The DNS TXT record MUST be published at:¶
<selector>._arp.<domain>¶
where <selector> is a case-insensitive ASCII string matching the pattern [a-zA-Z0-9._-]+ and <domain> is the fully qualified domain name of the entity. The default selector value is "arp", yielding the record name:¶
arp._arp.example.com¶
The TXT record value MUST be a semicolon-delimited string of tag=value pairs. The following tags are defined:¶
| Tag | Required | Description |
|---|---|---|
| v | REQUIRED | Protocol version. MUST be "ARP1". |
| k | REQUIRED | Key algorithm. MUST be "ed25519". |
| p | REQUIRED | Base64-encoded raw Ed25519 public key (32 bytes, 44 characters encoded). |
| t | OPTIONAL | Unix timestamp of key publication. |
| x | OPTIONAL | Unix timestamp of key expiration. |
Example:¶
v=ARP1; k=ed25519; p=MCowBQYDK2VwAyEA...¶
A domain MAY publish multiple ARP TXT records using different selectors (e.g., "arp" and "arp2026q3"). This supports key rotation without service interruption.¶
Ed25519 public keys are 32 bytes (44 characters in Base64). This fits within the 255-byte DNS TXT record string limit defined in [RFC1035] Section 3.3.14.¶
When an authorized third party (e.g., a consultancy) signs a reasoning payload on behalf of a domain owner, the domain owner MUST delegate trust via a DNS CNAME record:¶
arp._arp.client.com. CNAME arp._arp.agency.com.¶
This maintains the absolute sovereignty of the DNS trust anchor: the domain owner explicitly authorizes the delegation, and the verifier always queries the retrieval domain's DNS namespace first. The verifier follows the CNAME transparently and retrieves the delegated public key.¶
This model mirrors DKIM's delegation approach and prevents attackers from pointing unsigned JSON fields at arbitrary DNS records.¶
The reasoning payload MUST be served at the well-known URL defined in [RFC8615]:¶
https://<domain>/.well-known/reasoning.json¶
Implementations MAY additionally serve the payload at alternative paths provided the well-known URL also exists. Alternative paths MAY be advertised via:¶
The file MUST be served with Content-Type: application/json.¶
Servers SHOULD include the HTTP header Access-Control-Allow-Origin: * when serving the reasoning payload, to enable verification by browser-based AI agents, extensions, and verifiable-credential wallets that operate under Cross-Origin Resource Sharing (CORS) restrictions.¶
The reasoning payload MUST contain the following top-level fields:¶
| Field | Type | Description |
|---|---|---|
| $schema | URI | MUST reference the ARP JSON Schema [ARP-SCHEMA]. |
| protocol | string | MUST be "Agentic Reasoning Protocol (ARP)". |
| version | string | Semver-compatible version string (e.g., "1.2"). |
| domain | string | REQUIRED. The fully qualified domain name that is authoritative for these entity claims. Verifiers MUST confirm this matches the retrieval domain (Section 8). |
| entity | string | Canonical name of the entity (max 200 chars). |
| entity_claims | object | MUST contain at minimum a "framing_context" string. |
The payload MAY include:¶
Before signing, the payload MUST be canonicalized according to the JSON Canonicalization Scheme (JCS) as specified in [RFC8785].¶
Only the "signature" field within the _arp_signature block MUST be excluded from canonicalization. All other fields in _arp_signature (algorithm, dns_selector, canonicalization, signed_at, expires_at) are included in the signed data, cryptographically binding the signature metadata to the payload.¶
Implementations MUST:¶
This approach prevents "zombie payload" attacks where an attacker modifies unauthenticated metadata fields (e.g., extending expires_at) while keeping the original signature valid.¶
Given a complete reasoning payload and an Ed25519 private key (32 bytes), the signing procedure is:¶
The RECOMMENDED signature TTL is 90 days.¶
Before any cryptographic verification, the verifier MUST confirm that the "domain" field in the payload matches the domain from which the payload was originally requested (the retrieval domain). If the values do not match, verification MUST fail with FAIL_DOMAIN_MISMATCH.¶
When the verifier encounters HTTP redirects (301, 302, 307, 308) while retrieving the reasoning payload, the verifier MUST base the DNS query and domain-binding check on the original requested domain, NOT the final domain in the redirect chain. This prevents verification bypass via open redirect vulnerabilities.¶
The complete verification algorithm is:¶
| Code | Description |
|---|---|
| PASS | Domain matches, DNS key found, signature valid, not expired. |
| FAIL_NO_ARP | No _arp_signature block in payload. |
| FAIL_DOMAIN_MISMATCH | The "domain" field does not match the retrieval domain. |
| FAIL_NO_DNS | No DNS TXT record at selector._arp.domain. |
| FAIL_EXPIRED | Signature expired (expires_at < current time). |
| FAIL_INVALID | Ed25519 signature verification failed. |
| FAIL_UNSIGNED_POLICY | No _arp_signature present, but domain publishes p=reject policy. |
The _arp_signature block is a JSON object embedded in the reasoning payload with the following fields:¶
| Field | Required | Type | Description |
|---|---|---|---|
| algorithm | REQUIRED | string | MUST be "Ed25519". |
| dns_selector | REQUIRED | string | Selector label for DNS TXT lookup (max 50 chars). |
| canonicalization | REQUIRED | string | MUST be "jcs-rfc8785". |
| signed_at | REQUIRED | string | ISO 8601 UTC timestamp of signing. |
| expires_at | REQUIRED | string | ISO 8601 UTC expiration timestamp. RECOMMENDED TTL: 90 days. |
| signature | REQUIRED | string | Base64url-encoded Ed25519 signature (86 chars without padding). This is the ONLY field excluded from canonicalization. |
Note: The "dns_record" field present in draft-deforth-arp-00 has been removed. Verifiers MUST construct the DNS query name from the retrieval domain and dns_selector, never from untrusted JSON data.¶
To rotate keys without service disruption:¶
Verifiers SHOULD support checking multiple selectors. The RECOMMENDED rotation interval is 90 days, aligned with the default signature TTL.¶
| Standard | Relationship to ARP |
|---|---|
| DKIM [RFC6376] | ARP adapts the DNS-anchored key publication and CNAME delegation models from DKIM for entity claim verification rather than email authentication. |
| C2PA v2.2 [C2PA] | C2PA verifies media provenance via embedded manifests. ARP verifies textual entity claim provenance via DNS. Complementary, non-overlapping scope. |
| W3C Verifiable Credentials 2.0 [W3C-VC] | VCs require an Issuer-Holder-Verifier ecosystem. ARP provides a simpler two-party (Publisher-Verifier) model for public entity claims. |
| AIVS v1.0 [AIVS] (W3C Community Group) | AIVS verifies what an agent DID (session/action integrity). ARP verifies what an agent READS (content provenance). Complementary: AIVS audit logs plus ARP content verification form a full end-to-end trust chain for agentic systems. |
| IETF SCITT | ARP signed payloads could be registered as SCITT transparency statements for append-only auditability. |
| Schema.org | Schema.org describes entity attributes. ARP cryptographically binds those attributes to verified domain ownership. |
ARP's trust anchor is the DNS TXT record. Without DNSSEC, an attacker who can poison DNS responses can substitute a fraudulent public key. Implementations SHOULD use DNSSEC-validated resolvers where available. Implementations SHOULD also cache DNS responses according to the record's TTL to reduce lookup frequency.¶
If an Ed25519 private key is compromised, the attacker can sign arbitrary payloads that will validate against the DNS-published key. Domain owners MUST:¶
Verifiers SHOULD check the expires_at timestamp and reject expired signatures. The RECOMMENDED TTL is 90 days. Verifiers MAY also check the signed_at timestamp against the HTTP Last-Modified header to detect stale payloads served from cache.¶
ARP verifies PROVENANCE (who authorized the data), not TRUTH (whether the data is factually correct). A domain owner can sign factually incorrect claims that will pass ARP verification. AI systems consuming ARP-verified payloads SHOULD still cross-reference entity claims against independent sources. The epistemic_scope field in entity claims is designed to help AI systems distinguish between publicly verifiable facts and proprietary internal claims.¶
Without ARP verification, any actor can publish reasoning payloads containing arbitrary entity claims on any domain they control. Regulatory frameworks such as the EU AI Act [EU-AI-ACT] Article 19 require audit trails for high-risk AI systems but do not prescribe verification formats for ingested content. Empirical research has demonstrated that RAG systems will cite well-structured entity claims from previously unknown domains as primary sources within 24 hours, regardless of domain history, traffic, or backlinks. ARP provides the verification layer that allows consuming systems to differentiate between authorized and unauthorized entity claims.¶
Cross-domain signing MUST use the DNS CNAME delegation model described in Section 4.5. The verifier always queries the retrieval domain's DNS namespace and follows CNAME records transparently. This maintains the absolute sovereignty of the DNS trust anchor and prevents attacks where unsigned JSON fields are used to redirect trust to attacker-controlled DNS.¶
Consuming systems MAY choose to treat CNAME-delegated signatures with lower confidence than direct (same-domain) signatures.¶
When ARP is deployed alongside other verification systems that also use Ed25519 (e.g., AIVS [AIVS] for agent session integrity), implementations MUST NOT reuse the same Ed25519 keypair across different verification functions. Sharing a single keypair between content signing (ARP) and session signing (AIVS) creates a single point of failure: compromise of one key compromises both trust domains.¶
Implementations SHOULD use separate Ed25519 keypairs for each trust function. Where a unified identity anchor is desired, implementations MAY use a DID Document (e.g., did:web) to bind multiple function-specific public keys to a single domain identity:¶
This approach preserves key isolation while enabling cross-protocol identity resolution. The DID Document itself can be anchored to the domain via the did:web method, which resolves to /.well-known/did.json on the entity's domain.¶
To protect against downgrade attacks — where an attacker strips the _arp_signature block from a signed file and modifies the content — domain owners MAY publish a Domain Signing Policy via DNS TXT record at the bare _arp node:¶
_arp.example.com. IN TXT "v=ARP1; p=reject"¶
The following policy values are defined:¶
| Policy | Value | Meaning |
|---|---|---|
| none | Default | No enforcement; unsigned files are treated normally. |
| warn | Advisory | Verifiers SHOULD log a warning if the payload is unsigned. |
| reject | Strict | Verifiers MUST treat unsigned payloads as FAIL_UNSIGNED_POLICY. |
Verification flow for unsigned payloads:¶
This follows the same progressive enforcement model as DMARC (p=reject) [RFC6376] and HTTP Strict Transport Security (HSTS).¶
This specification defines a custom _arp_signature block for simplicity and clarity. Future versions MAY consider adopting JSON Web Signature (JWS) [RFC7515] with the Unencoded Payload Option [RFC7797] as an alternative envelope format. This would provide cryptographic agility and enable use of battle-tested standard libraries, while preserving the human-readable cleartext JSON payload that JCS canonicalization achieves. The dns_selector, expires_at, and signed_at fields would map to the JWS Protected Header.¶
This document requests IANA to register the following well-known URI suffix in the "Well-Known URIs" registry established by [RFC8615]:¶
This document requests IANA to register the following entry in the "Underscored and Globally Scoped DNS Node Names" registry established by [RFC8552]:¶
arp._arp.example.com. 3600 IN TXT ( "v=ARP1; k=ed25519; " "p=MCowBQYDK2VwAyEA5d7jb7bkTVk5" "YQ4nFmYY7ClpCddGdSRJkGb3ELWuos=")¶
{
"$schema": "https://arp-protocol.org/schema/v1.2.json",
"protocol": "Agentic Reasoning Protocol (ARP)",
"version": "1.2",
"domain": "example.com",
"entity": "Example Corp",
"entity_claims": {
"framing_context": "Example Corp is a technology ..."
},
"content_policy": {
"ai_training": "allowed-with-attribution",
"citation_required": true
},
"_arp_signature": {
"algorithm": "Ed25519",
"dns_selector": "arp",
"canonicalization": "jcs-rfc8785",
"signed_at": "2026-04-06T14:00:00Z",
"expires_at": "2026-07-05T14:00:00Z",
"signature": "P1lCPaHn_WLXdidBfxLXqBBid1G..."
}
}
¶
The normative JSON Schema for ARP v1.2 payloads is published at:¶
https://arp-protocol.org/schema/v1.2.json¶
The schema defines validation rules for all required and optional fields, including type constraints, maximum lengths, enumerated values, and format requirements. Implementations SHOULD validate payloads against the schema before signing and before processing entity claims.¶
The author thanks the W3C Agentic Integrity Verification Specification Community Group for their complementary work on agent session integrity, and the broader Generative Engine Optimization (GEO) community for empirical validation of the content provenance gap that ARP addresses.¶
The security improvements in this revision were informed by detailed technical review highlighting the signature metadata exclusion flaw and cross-domain replay vulnerability in the initial draft.¶
The keypair separation guidance was informed by feedback from Ben Stone (SwarmSync.AI) during AIVS interoperability discussions, highlighting the single-point-of-failure risk of shared Ed25519 keypairs across verification protocols.¶