Internet-Draft DN-ANR July 2026
Cui Expires 7 January 2027 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-cui-dns-native-agent-naming-resolution-02
Published:
Intended Status:
Informational
Expires:
Author:
Y. Cui
Tsinghua University

DNS-Native AI Agent Naming and Resolution

Abstract

This document specifies DNS-Native Agent Naming and Resolution (DN-ANR) for AI agents. DN-ANR uses domain names (FQDNs) as stable Agent Identifiers and resolves a selected Agent Identifier to verifiable endpoints and supported protocol/version information with a cryptographic integrity chain, with DNSSEC preferred.

DN-ANR is a post-selection resolution profile. It does not define agent discovery, capability search, semantic matching, ranking, or routing decisions. Agent discovery, publication, or registry, including DNS-based mechanisms such as DNS-AID, may produce candidate Agent Identifiers; DN-ANR resolves and verifies the identifier selected by such mechanisms or by local policy. Within that scope, DN-ANR additionally defines DNS-based version distribution and deterministic version selection, canonicalized SVCB integrity cross-checking, and a signed HTTPS mirror for clients that cannot perform SVCB queries. While AI agents are the primary use case, the resolution and verification behavior defined here applies to any entity identified by an FQDN, such as services and workloads.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2027.

Table of Contents

1. Introduction

The emergence of AI agents as autonomous software entities creates concrete requirements for naming, trusted resolution, and endpoint verification. Existing deployments often mix discovery, semantic matching, and resolution into one control plane, which increases coupling and weakens interoperability.

This document defines DN-ANR as a DNS-native resolution layer built on [RFC1035] and Service Binding (SVCB/HTTPS RRs, [RFC9460], [RFC9461]). The design objective is strict scope control: discovery systems produce candidate Agent Identifiers, while DN-ANR securely resolves a chosen Agent Identifier into connection material.

DN-ANR is a DNS-native post-selection resolution and integrity profile for a selected FQDN-based Agent Identifier.

Related IETF work on the discovery of agents, workloads, and other named entities (see, for example, [DAWN-PS] and [DAWN-TERM]) frames discovery as an end-to-end problem: learning what entities exist, what they offer, and whether they can be trusted. Within such an end-to-end discovery workflow, DN-ANR addresses the final stage. Discovery mechanisms answer "which entity"; DN-ANR answers "how to reach it, and whether the resolution answer itself is authentic". DN-ANR is therefore intended to serve as a reusable resolution and verification component within layered entity-discovery architectures, and to align with the requirements and information models produced by such efforts.

1.1. Goals

DN-ANR goals are:

  1. Identity naming: use domain names/FQDNs as administratively managed Agent Identifiers.

  2. Trusted resolution and connection guidance: resolve an Agent Identifier to endpoint(s), protocol/version declarations, and verifiable integrity material.

  3. Post-selection interoperability: provide stable DNS-based resolution semantics that can be consumed after an Agent Identifier has been selected by local policy, user input, a registry, a gateway, or an agent discovery mechanism.

  4. Deployment-flexible integrity: provide verifiable resolution integrity in both DNSSEC-enabled and DNSSEC-unavailable environments, via DNSSEC validation and/or application-layer TXT signatures with TLS certificate binding.

1.2. Non-Goals

DN-ANR non-goals are:

  • DN-ANR does not define agent discovery, publication, registry, or search.

  • DN-ANR does not define organization-wide agent indexes, DNS-SD enumeration, cross-domain search, or capability search.

  • DN-ANR does not provide semantic matching, capability ranking, reputation, governance, or task-routing decisions.

  • DN-ANR does not standardize agent capability models, OpenAPI-like schemas, model cards, policy bundles, trust registries, or behavioral attestations.

  • DN-ANR does not replace discovery specifications. It only specifies how to securely and deterministically resolve and verify an Agent Identifier after that identifier has been selected.

2. Relationship to Agent Discovery and Registry Specifications

DN-ANR is intended to interoperate with, but not replace, discovery, publication, registry, indexing, or search specifications for agents and other named entities. Such specifications may use DNS, HTTP, private registries, directories, agent gateways, semantic search systems, or other mechanisms to produce one or more candidate Agent Identifiers. Problem statements and terminology for this broader entity-discovery space are being developed in the IETF (see [DAWN-PS], [DAWN-TERM]); DN-ANR is positioned as the resolution and verification stage of such an architecture, and its requirements and information model are expected to align with the outputs of that work.

DN-ANR starts after the selection step. A DN-ANR client is given exactly one selected Agent Identifier and resolves it to endpoint connection material, protocol/version declarations, and integrity metadata.

For example, DNS-based discovery specifications such as [DNSAID] define mechanisms for publishing AI agents in DNS so that other agents can discover them. Such specifications may define organization-level indexes, capability descriptors, DNS-SD entry points, or other discovery metadata. DN-ANR does not define those mechanisms. DN-ANR defines only the resolution and verification behavior for a selected Agent Identifier.

Accordingly, DN-ANR does not define DNS-based enumeration, organization indexes, capability search, semantic matching, ranking, routing, reputation, or governance. These functions are expected to be handled by upper-layer discovery systems, private policy, registries, or operational frameworks.

2.1. Co-existence with DNS-Based Discovery Mechanisms

DN-ANR is designed so that a publisher can deploy it alongside a DNS-based discovery mechanism such as [DNSAID] without conflict. A discovery mechanism resolves "which agent," while DN-ANR resolves "how to connect to, and verify, that agent." An organization MAY use a discovery specification to publish and enumerate its agents, and use DN-ANR to publish the version distribution, deterministic endpoint selection, and integrity material for each individual agent once selected.

To keep this co-existence unambiguous, DN-ANR intentionally reuses the _agents underscored owner-name label ([RFC8552]) that other agent-related DNS specifications, including [DNSAID], also use, rather than requesting a separate label. DN-ANR's usage is scoped one level deeper than an organization-wide inventory label: DN-ANR's records are published under _agents.<Agent Identifier> (for example, _agents.translator.example.com), naming the specific already-selected agent, rather than under _agents.<organization domain> as an inventory or index entry point. See IANA Considerations for further discussion of this label.

Agent discovery, publication, registry, and indexing specifications may identify candidate agents. DNS-based discovery mechanisms such as [DNSAID] are one example of that class. DN-ANR begins after such a mechanism, or local policy, has selected one Agent Identifier. DN-ANR then resolves that identifier to endpoint, protocol/version, and integrity material.

3. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

The following terms are used throughout this document:

Agent:

An autonomous software entity capable of communicating with other agents or humans using defined protocols.

Agent Identifier:

A Fully Qualified Domain Name (FQDN) that uniquely identifies an agent.

Agent Protocol:

The application-layer protocol used for agent-to-agent communication (e.g., [A2A], [ANP]). Other DNS-based specifications may carry equivalent protocol identifiers in different DNS parameters; see Relationship to Agent Discovery and Registry Specifications.

Although this document uses AI agents as its primary use case, the resolution and verification behavior defined here applies to any entity identified by an FQDN, such as services or workloads. Where broader entity-discovery terminology (e.g., [DAWN-TERM]) is in use, "Agent" in this document may be read as an FQDN-named entity.

4. Design Principles

This specification follows five core principles:

Table 1
Principle Description
DNS-First DNS is the authoritative source for Agent Identifier resolution; HTTP serves only as a fallback mirror
Layered Scope Discovery and semantic selection are out of scope; DN-ANR resolves selected identifiers
Path-Independent Version and endpoint selection are controlled by DNS, not URL paths
Protocol Autonomy Agent interaction protocols are decoupled from transport
Default Availability A/AAAA records guarantee minimum connectivity; enhanced features are optional. Default version is provided when not specified

5. Architecture Overview

DN-ANR is a resolution-layer specification inside a three-layer architecture:

Table 2
Layer Examples Scope
Discovery Layer Web registry, agent gateway, search engine, semantic router, DNS-SD/mDNS OUT OF SCOPE
Resolution Layer Agent Identifier (FQDN) -> endpoint, protocol/version, integrity material DN-ANR scope
Connection Layer A2A, MCP, HTTPS, gRPC, other application protocols OUT OF SCOPE

Interface boundary:

6. Naming and Resource Location

6.1. Domain Name as Identity

Each agent is uniquely identified by a stable Fully Qualified Domain Name (FQDN). Domain ownership combined with TLS certificates forms the foundation of agent identity.

6.1.1. Naming Rules

  • Use domain names or subdomains owned by the organization

  • Agent version changes do not introduce new identities

  • No registration with any central authority is required

6.1.2. Naming Examples

# Recommended: dedicated subdomains
translator.agents.example.com
assistant.ai.example.org
agent123.agents.example.com

6.2. Resource Location via DNS

This specification does not use URL paths for version expression. All version and endpoint selection is controlled by DNS records:

  1. Obtain (from Discovery Layer or local policy) a candidate Agent Identifier (FQDN)

  2. Query DNS SVCB records -> obtain version, endpoint, and protocol information

  3. If SVCB is unavailable, use A/AAAA resolution of the Agent Identifier as the default Agent Endpoint

  4. Query DNS TXT records (if present) -> obtain optional application-layer security and resolution manifest metadata

  5. Apply local security policy (e.g., DNSSEC validation and/or TXT signature validation)

  6. Connect to the selected endpoint and interact according to the selected protocol specification

DN-ANR provides only deterministic resolution and verification for an already-selected identifier; it does not perform semantic discovery or ranking.

7. DNS Record Design

This specification keeps DNS payloads minimal and operationally stable. DNS data is classified as MUST/SHOULD/MAY to separate core resolution from optional optimization.

7.1. Mandatory DNS Data (MUST)

  • A/AAAA [RFC1035]: provide baseline reachability and interoperability for resolvers and clients.

Rationale: A/AAAA guarantees minimum connectability and provides a default Agent Endpoint when no SVCB policy is available.

7.3. Optional DNS Data (MAY)

  • TXT signature fields (alg, pk, sig): used when signature-based verification is enabled.

  • TXT SVCB integrity digest (svcb-digest): optional integrity cross-check material, especially for HTTPS fallback workflows.

  • TXT resolution manifest pointer fields (resolution-manifest, resolution-manifest-sha256): pointer + digest for heavy external metadata.

Rationale: Heavy metadata evolves quickly and can grow large; keeping it out of DNS preserves DNS efficiency while retaining verifiable linkage.

7.4. TXT Record: Identity Anchor (Conditional Metadata)

TXT records [RFC1035] provide optional application-layer metadata. They are not a fallback encoding of service connectivity data: endpoint and connection parameters are carried exclusively in SVCB (or, as a baseline default, A/AAAA). Their responsibilities are strictly limited to:

  1. Declare identity metadata (e.g., v, kid)

  2. Optionally publish key/signature material (alg, pk, sig) for signature-based security

  3. Optionally publish SVCB digest (svcb-digest) for integrity cross-check, especially with HTTPS fallback

  4. Optionally publish external resolution manifest pointer metadata (resolution-manifest, resolution-manifest-sha256)

7.4.1. TXT Record Format

_agents.translator.example.com. IN TXT (
  "v=1;"
  "kid=key-2025-01;"
  "alg=Ed25519;"                                       ; OPTIONAL
  "pk=base64-encoded-public-key;"                      ; OPTIONAL
  "sig=base64-encoded-signature;"                      ; OPTIONAL
  "svcb-digest=base64-encoded-sha256-digest;"          ; OPTIONAL
  "resolution-manifest=https://translator.example.com/
                   .well-known/resolution-manifest.json;" ; OPTIONAL
  "resolution-manifest-sha256=x48E9qOokqqrv="          ; OPTIONAL
)

7.4.2. TXT Field Descriptions

Table 3
Field Description
v Version identifier, fixed as 1
kid Key identifier, used for key rotation
alg Signature algorithm: Ed25519 (RECOMMENDED) or ES256 (OPTIONAL; REQUIRED when sig is present)
pk Base64-encoded public key (OPTIONAL; REQUIRED when sig is present)
sig Signature over selected TXT content (OPTIONAL; used in signature-based security mode)
svcb-digest Base64-encoded SHA-256 digest of canonicalized SVCB records (OPTIONAL; useful for HTTPS fallback integrity cross-check)
resolution-manifest Resolution manifest URI for external heavy metadata (OPTIONAL)
resolution-manifest-sha256 Base64-encoded SHA-256 digest of resolution manifest content (OPTIONAL; RECOMMENDED when resolution-manifest is present)

7.5. SVCB Record: Version Distribution and Protocol Negotiation

SVCB (Service Binding) records [RFC9460] are the core resolution mechanism, serving the following responsibilities:

Table 4
Level SVCB Role
Service Location TargetName + port specify the service endpoint
Version Distribution Private SvcParam declares agent version
Connection Compatibility Private parameters declare a post-selection connection-profile hint (supported agent protocols)
Performance Optimization ipv4hint / ipv6hint reduce additional address lookups

7.5.1. SVCB Record Example

# Complete SVCB record example
_agents.translator.example.com. IN SVCB 1 agent-v3.example.com. (
  alpn=h2
  port=443
  ipv4hint=203.0.113.50
  ipv6hint=2001:db8::50
  key65480="v3"              ; Agent version
  key65481="a2a,anp"         ; Connection profile (post-selection)
)

# v2 version (lower priority)
_agents.translator.example.com. IN SVCB 2 agent-v2.example.com. (
  alpn=h2
  port=443
  ipv4hint=203.0.113.51
  key65480="v2"
  key65481="a2a"
)

7.6. Version and Protocol Resolution

7.6.1. SVCB Private Parameters

This specification introduces private SVCB parameters (SvcParam) as defined in [RFC9460]:

Table 5
Parameter Semantics Example
key65480 Agent version "v3", "v2.1.0"
key65481 Connection profile (post-selection connection compatibility hint) "a2a", "a2a,anp"
7.6.1.1. Version Selection Behavior

Clients can:

  • Default selection: When version is not specified, the highest priority version based on SVCB priority is used

  • Specific selection: Specify key65480 value to select a particular version

  • Connection compatibility selection: After an Agent Identifier has already been selected, clients MAY prefer SVCB alternatives whose key65481 (connection-profile) value matches a locally supported connection profile or agent protocol. This is not a discovery or ranking mechanism across different Agent Identifiers.

7.6.1.2. Scope of Private SvcParamKeys

The private SvcParamKeys defined in this document are post-selection connection hints. They are scoped to one selected Agent Identifier and MUST NOT be used as a DNS-based mechanism to enumerate, search, rank, or advertise agents across an organization or across domains.

7.6.2. ALPN Usage

DN-ANR treats ALPN as a transport-layer negotiation signal only (e.g., h2, h3). Agent interaction protocols ([A2A], [ANP]) are declared via SVCB private parameters (key65481, connection-profile), not ALPN values, and are consumed only after an Agent Identifier has been selected. This keeps DN-ANR compatible with existing TLS ecosystems and reserves ALPN identifier space for transport-layer use.

7.6.3. Relationship Between Version and Protocol

This specification clearly distinguishes two layers:

Table 6
Layer Declaration Location Example
Agent Version key65480 v3, v2.1.0
Connection Profile key65481 a2a, anp

7.6.4. External Resolution Manifest Locator and Digest in TXT (Optional)

DN-ANR supports optional linkage to heavy external metadata while keeping DNS payloads minimal:

  • resolution-manifest in TXT contains an absolute URI that identifies a resolution manifest resource.

  • resolution-manifest-sha256 in TXT contains the SHA-256 digest of the resolution manifest in Base64 encoding.

DN-ANR standardizes only:

  • URI syntax and transport locator semantics.

  • Digest algorithm (SHA-256) and digest encoding.

  • Client verification flow (fetch resolution manifest -> compute digest -> compare -> consume).

DN-ANR does not standardize resolution manifest content schema (capability model, OpenAPI, model card, I/O schema, etc.).

The resolution-manifest field is not a DNS-based discovery mechanism. It is a locator for external metadata associated with an already-selected Agent Identifier. DN-ANR does not define how clients search, rank, compare, or select agents based on resolution manifest contents.

The presence of resolution-manifest MUST NOT be interpreted as an organization index, a capability registry, a ranking signal, or a statement that the agent is trusted for any particular task. Resolution manifest semantics, if any, are defined by upper-layer protocols or external specifications.

Resolution manifest digest computation rules:

  1. Fetch resolution manifest bytes from the URI in resolution-manifest.

  2. If the resolution manifest media type is JSON, canonicalize using JCS [RFC8785] before hashing.

  3. For non-JSON media types, hash the raw octet stream as retrieved.

  4. Compute SHA-256 and Base64-encode the result.

  5. Compare with resolution-manifest-sha256; mismatch MUST be treated as verification failure.

7.6.5. Interoperability Gating for Resolution-Manifest-Dependent Clients

  • A client that depends on resolution manifest data MUST require resolution-manifest; otherwise it MUST treat resolution-manifest-based logic as unavailable.

  • A client that requires resolution manifest integrity verification MUST require both resolution-manifest and resolution-manifest-sha256.

  • A publisher that wants interoperable resolution manifest verification SHOULD publish both TXT fields together.

8. Performance and Determinism

8.1. Why Address Hints

SVCB ipv4hint and ipv6hint improve resolution behavior by:

  • reducing extra A/AAAA lookup round-trips;

  • improving first-connection determinism;

  • reducing resolver-path jitter under recursive caching variance.

8.3. TTL Guidance

  • Identity anchors (TXT) SHOULD use relatively longer TTL values.

  • Endpoint/control-plane records (SVCB) SHOULD use relatively shorter TTL values to support endpoint migration and rapid rollback.

9. HTTPS Fallback Mechanism

To ensure "works by default" behavior, this specification introduces an optional but strongly recommended fallback mechanism.

9.1. agent-dns.json

For clients that do not support SVCB queries, agents can publish a JSON mirror of DNS records at an HTTPS endpoint:

https://{agent-id}/.well-known/agent-dns.json

The HTTPS fallback is a signed mirror for one selected Agent Identifier. It MUST NOT contain an organization-wide list of agents, search results, capability rankings, or registry data that is not part of the DNS resolution data for that Agent Identifier.

9.1.1. Media Type

The agent-dns.json file MUST be served with the following HTTP headers:

Content-Type: application/json; charset=utf-8
Cache-Control: max-age=300

Servers SHOULD set an appropriate Cache-Control header. A value between 300 seconds (5 minutes) and 3600 seconds (1 hour) is RECOMMENDED.

9.1.2. JSON Signature

The JSON file MUST include a signature for integrity protection. Unlike the TXT record signature which covers only TXT fields, the JSON signature covers the complete service binding information.

The signature is computed over the canonical JSON representation of the document (excluding the sig field) as defined in [RFC8785] (JSON Canonicalization Scheme).

9.1.3. JSON Schema Definition

The agent-dns.json file MUST conform to the following JSON Schema:

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://example.com/agent-dns.schema.json",
  "title": "Agent DNS JSON",
  "description": "Mirror of DNS records for agent resolution",
  "type": "object",
  "required": ["agentId", "txt", "sig"],
  "properties": {
    "agentId": {
      "type": "string",
      "description": "The FQDN identifying the agent",
      "pattern": "^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?
                  (\\.[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?)*$"
    },
    "txt": {
      "type": "object",
      "description": "Core identity fields from DNS TXT record",
      "required": ["v", "kid"],
      "properties": {
        "v": {
          "type": "string",
          "const": "1"
        },
        "kid": {
          "type": "string",
          "description": "Key identifier"
        },
        "alg": {
          "type": "string",
          "enum": ["ES256", "Ed25519"],
          "description": "Signature algorithm"
        },
        "pk": {
          "type": "string",
          "description": "Base64-encoded TLS certificate public key"
        }
      }
    },
    "svcb": {
      "type": "array",
      "description": "Mirror of DNS SVCB records",
      "items": {
        "type": "object",
        "required": ["priority", "target", "port"],
        "properties": {
          "priority": {
            "type": "integer",
            "minimum": 1,
            "maximum": 65535
          },
          "target": {
            "type": "string",
            "description": "Target hostname"
          },
          "port": {
            "type": "integer",
            "minimum": 1,
            "maximum": 65535
          },
          "alpn": {
            "type": "array",
            "items": {
              "type": "string"
            }
          },
          "agentVersion": {
            "type": "string",
            "description": "Agent version (mirrors key65480)"
          },
          "connectionProfile": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "description": "Post-selection connection
                                    profile (mirrors key65481)"
          }
        }
      }
    },
    "sig": {
      "type": "string",
      "description": "Base64-encoded signature over canonical JSON
                                           (excluding sig field)"
    }
  }
}

9.1.4. File Structure Example

{
  "agentId": "translator.example.com",
  "txt": {
    "v": "1",
    "kid": "key-2025-01",
    "alg": "ES256",
    "pk": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE..."
  },
  "svcb": [
    {
      "priority": 1,
      "target": "agent-v3.example.com",
      "port": 443,
      "alpn": ["h2"],
      "agentVersion": "v3",
      "connectionProfile": ["a2a", "anp"]
    },
    {
      "priority": 2,
      "target": "agent-v2.example.com",
      "port": 443,
      "alpn": ["h2"],
      "agentVersion": "v2",
      "connectionProfile": ["a2a"]
    }
  ],
  "sig": "MEUCIQC7..."
}

9.1.5. JSON Signature Computation

The signature over the JSON file is computed as follows:

  1. Construct the JSON object without the sig field.

  2. Serialize using JSON Canonicalization Scheme (JCS) as defined in [RFC8785].

  3. Compute the signature using the TLS private key.

  4. Encode the signature using Base64.

json_without_sig = { agentId, txt, svcb }
canonical_json = JCS(json_without_sig)
signature = Sign(TLS_private_key, UTF-8(canonical_json))
sig = Base64Encode(signature)

9.1.6. JSON Signature Verification

Clients MUST verify the JSON signature:

  1. Fetch the JSON file over HTTPS.

  2. Extract the sig field and remove it from the object.

  3. Serialize the remaining object using JCS.

  4. Obtain the public key from the txt.pk field in the JSON.

  5. Verify the signature.

  6. (RECOMMENDED for TLS-based signing) Verify that txt.pk matches the TLS certificate's public key.

If verification fails, the client MUST reject the JSON file.

Note: When agent providers use separate key pairs (not TLS-based), the verification in step 6 is not applicable. In such cases, the integrity of the JSON file depends on the authenticity of the public key in txt.pk, which has the same trust anchor limitations as described in the Security Model Overview.

9.2. Design Principles

  • Mirror, not addition: JSON only mirrors information already in DNS; it does not introduce content absent from DNS

  • Single-identifier scope: the mirror reflects resolution data for exactly one selected Agent Identifier; it MUST NOT be extended into a multi-agent directory or index

  • DNS remains authoritative: HTTPS JSON is only a "readable mirror", not a new authoritative source

  • Signature required: JSON files MUST be signed for integrity protection

  • Schema validated: Clients SHOULD validate JSON against the defined schema

9.3. Applicable Scenarios

  • Clients that do not support SVCB queries

  • Browsers / debugging tools

  • Early ecosystem transition period

  • Environments where DNS resolution is limited

10. Security

This section defines the security mechanisms for ensuring the integrity and authenticity of agent resolution data.

10.1. Security Model Overview

This specification provides two complementary mechanisms for ensuring integrity and authenticity of agent resolution data:

  1. DNSSEC (RECOMMENDED for Internet-facing deployments): Protocol-level cryptographic authentication of DNS data

  2. Signature-based Security (OPTIONAL): TXT key/signature validation (pk, sig) with optional digest cross-checks (svcb-digest); if HTTPS fallback JSON is used, fallback signature validation is REQUIRED

Table 7
Mechanism Protection Scope Trust Anchor
DNSSEC All DNS records (TXT, SVCB, A/AAAA) DNS root zone
Signature-based Security TXT signed fields, optional SVCB digest consistency, JSON fallback signature (when fallback is used) Web PKI (when using TLS keys) or self-declared (when using separate keys)

10.1.2. DNSSEC Deployment Recommendations

  • For publicly reachable agents, the authoritative zone SHOULD deploy DNSSEC.

  • When DNSSEC validation is available and the SVCB RRSet (or TXT RRSet, when used) validates as bogus, clients MUST treat resolution as failure (fail-closed) and MUST NOT use that endpoint.

  • Clients SHOULD apply stricter fail-closed behavior at least to SVCB and TXT (when TXT is part of the selected trust path).

  • In enterprise/private networks where DNSSEC is not deployed, operators MAY rely on TXT signatures and TLS certificate binding as a minimum trust baseline.

When DNSSEC is enabled:

  • All DNS records are signed by the zone's DNSSEC keys.

  • Clients with DNSSEC validation can verify record authenticity.

  • Application-layer signatures remain useful for defense in depth and for JSON fallback integrity.

10.1.4. Choosing a Security Mechanism

Table 8
Scenario Recommended Approach
DNSSEC fully deployed DNSSEC alone is sufficient
DNSSEC not available Use TLS-based signing (Option 1)
High security requirements Use both DNSSEC and signing (defense-in-depth)
HTTPS fallback required JSON signing and/or svcb-digest consistency checks are recommended
Separate keys without DNSSEC Limited trust; consider additional verification mechanisms

10.2. SVCB Integrity Digest (Optional)

When svcb-digest is present in TXT, SVCB records can be cross-checked for integrity (for example, during HTTPS fallback reconciliation). This section defines the canonicalization and digest computation procedures.

10.2.1. SVCB Canonicalization

To compute the svcb-digest, SVCB records MUST be canonicalized as follows:

10.2.1.1. Step 1: Collect and Sort
  1. Collect all SVCB records for the agent's _agents prefix.

  2. Exclude AliasMode records (priority = 0).

  3. Sort records by priority in ascending order (lowest first).

  4. If priorities are equal, sort by TargetName lexicographically.

10.2.1.2. Step 2: Normalize Each Record

For each SVCB record, construct a canonical string in the following format:

<priority> <target> <params>

Where: - priority: Decimal integer with no leading zeros - target: Fully qualified domain name in lowercase, with trailing dot removed - params: SvcParams in sorted order by key number, formatted as key=value

10.2.1.3. Step 3: SvcParam Normalization

SvcParams MUST be normalized as follows:

  1. Sort by SvcParamKey number (ascending).

  2. Format each parameter as: key<number>=<value>

  3. String values are enclosed in double quotes.

  4. List values (e.g., alpn) use comma separation with no spaces.

  5. Separate parameters with a single space.

10.2.1.4. Canonical Format Example
# Original SVCB records:
_agents.translator.example.com. IN SVCB 2 agent-v2.example.com. (
  alpn=h2 port=443 key65480="v2" key65481="a2a"
)
_agents.translator.example.com. IN SVCB 1 agent-v3.example.com. (
  alpn=h2 port=443 key65480="v3" key65481="a2a,anp"
)

# Canonical representation (sorted by priority):
1 agent-v3.example.com key1=h2 key3=443 key65480="v3" \
  key65481="a2a,anp"
2 agent-v2.example.com key1=h2 key3=443 key65480="v2" key65481="a2a"

Note: alpn is SvcParamKey 1, port is SvcParamKey 3 as defined in [RFC9460]. The trailing backslash and line break after key65480="v3" above are wrapping for document display only; the actual canonical string for that record contains no line break at that position.

10.2.2. Digest Computation

canonical_svcb = <line1> + "\n" + <line2> + "\n" + ...
digest_bytes = SHA-256(UTF-8(canonical_svcb))
svcb-digest = Base64Encode(digest_bytes)

The resulting svcb-digest is approximately 44 characters (32 bytes encoded in Base64).

10.3. Signature Specification

This section defines the signature mechanism when signature-based security is used.

10.3.1. Public Key Requirements

The pk field contains the public key used for signature verification. There are two options:

10.3.1.2. When Using Separate Key Pair

The pk field contains the agent provider's self-managed public key:

  1. Generate a key pair using a supported algorithm.

  2. Extract the public key in SubjectPublicKeyInfo format.

  3. Encode using Base64 [RFC4648].

Note: When using separate keys, the public key is self-declared and lacks an independent trust anchor. See Security Model Overview for implications.

10.3.1.3. Supported Key Types
  • EC P-256 (for ES256 algorithm) - RECOMMENDED

  • Ed25519 (for Ed25519 algorithm)

10.3.2. Signature Input Construction

When signature-based TXT validation is used, the signature input MUST be constructed from TXT fields as follows:

  1. Include required fields in this exact order: v, kid, alg, pk.

  2. If present, append optional fields in this exact order: svcb-digest, resolution-manifest, resolution-manifest-sha256.

  3. Use key=value pairs separated by semicolons, with no trailing semicolon.

signing_input = "v=" + v + ";kid=" + kid
                 + ";alg=" + alg + ";pk=" + pk
if svcb-digest present:
  signing_input += ";svcb-digest=" + svcb-digest
if resolution-manifest present:
  signing_input += ";resolution-manifest="
                    + resolution-manifest
if resolution-manifest-sha256 present:
  signing_input += ";resolution-manifest-sha256="
                    + resolution-manifest-sha256

Example (line-wrapped for display only; the actual signing input contains no line break):

v=1;kid=key-2025-01;alg=ES256;pk=MFkwEwYHKoZI...;
resolution-manifest=https://translator.example.com/
.well-known/resolution-manifest.json

10.3.3. Signature Generation

signature_bytes = Sign(private_key, UTF-8(signing_input))
sig = Base64Encode(signature_bytes)

Where private_key is either: - The TLS certificate's private key (Option 1, RECOMMENDED), or - The agent provider's separately managed private key (Option 2)

For ES256: signature is 64 bytes (r || s format), resulting in 88 Base64 characters. For Ed25519: signature is 64 bytes, resulting in 88 Base64 characters.

10.3.4. Signature Verification Procedure

Clients MUST perform the following steps:

  1. Parse TXT record and extract v, kid, alg, pk, sig, and any optional signed fields present.

  2. Reconstruct signing_input using the required/optional field ordering defined above.

  3. Decode pk from Base64 to obtain the public key.

  4. Decode sig from Base64 to obtain the signature bytes.

  5. Verify the signature using the specified algorithm.

  6. (RECOMMENDED for Option 1) Verify that pk matches the TLS certificate presented during connection.

If verification fails, the client MUST reject the TXT record.

When using Option 2 (separate key pair), clients should be aware that the signature only proves consistency between the TXT record content and the private key holder. Without DNSSEC or TLS binding, there is no external trust anchor to verify the key's authenticity.

10.3.5. TLS Certificate Binding Verification (Option 1 Only)

When TLS certificate keys are used (Option 1), clients SHOULD verify that the pk in the TXT record matches the server's TLS certificate:

  1. Establish TLS connection to the agent's domain.

  2. Extract the public key from the server's certificate.

  3. Compare with the pk field in the TXT record.

  4. If mismatch, treat as verification failure.

This binding ensures that the entity controlling the TLS private key is the same entity that published the DNS records.

Note: This verification is not applicable when separate key pairs are used (Option 2), as the pk in the TXT record will not match the TLS certificate.

11. Implementation Checklist

11.1. For Agent Publishers

  1. Prepare domain name, configure HTTPS and TLS certificate

  2. Configure DNS A/AAAA records (basic connectivity)

  3. (OPTIONAL) Configure DNS TXT record (_agents.xxx) for signature metadata (alg/pk/sig), svcb-digest, and/or resolution manifest pointer fields

  4. Configure DNS SVCB records with endpoint, protocol/version, and (SHOULD) address hints

  5. (OPTIONAL) Publish resolution manifest URI + digest in TXT (resolution-manifest, resolution-manifest-sha256) for heavy metadata externalization

  6. (RECOMMENDED) Publish /.well-known/agent-dns.json fallback file

  7. (RECOMMENDED for public deployments) Enable DNSSEC

11.2. For Client Developers

  1. Query SVCB records, parse version and endpoint information

  2. If SVCB is unavailable, use A/AAAA of the Agent Identifier as the default endpoint

  3. Query TXT records (if present), parse optional fields (pk, sig, svcb-digest, resolution-manifest, resolution-manifest-sha256)

  4. If resolution manifest fields are present and required by local policy, fetch the resolution manifest and verify digest before use

  5. (Fallback) If SVCB unavailable, fetch agent-dns.json when needed

  6. Connect to endpoint per the selected connection-profile (key65481) value

  7. Validate DNSSEC when present, and fail closed for bogus SVCB/TXT results that are part of the selected trust path

11.3. DNS Record Configuration Example

; Basic connectivity
translator.example.com.    IN A     203.0.113.50
translator.example.com.    IN AAAA  2001:db8::50

; Optional TXT identity/security/resolution-manifest metadata
_agents.translator.example.com. IN TXT "v=1;kid=key-2025-01;
            alg=Ed25519;pk=...;sig=...;
            svcb-digest=...;
            resolution-manifest=https://translator.example.com/
            .well-known/resolution-manifest.json;
            resolution-manifest-sha256=x48E9qOokqqr7kbu9DBPE="

; Version resolution (SVCB)
_agents.translator.example.com. IN SVCB 1 agent-v3.example.com. (
  alpn=h2 port=443
  ipv4hint=203.0.113.50 ipv6hint=2001:db8::50
  key65480="v3" key65481="a2a,anp"
)
_agents.translator.example.com. IN SVCB 2 agent-v2.example.com. (
  alpn=h2 port=443 ipv4hint=203.0.113.51 key65480="v2" key65481="a2a"
)

12. Security Considerations

This specification uses DNS as the authoritative source for agent resolution and identity information. Its security objectives are to ensure the authenticity, integrity, and verifiability of resolution results, rather than evaluating agent service quality or behavioral trustworthiness.

12.1. Threat Model

This specification primarily considers the following threats:

  • DNS poisoning or cache pollution leading to incorrect endpoint resolution

  • Tampering with resolution results to redirect clients to unintended endpoints

  • Downgrade attacks inducing clients to use older versions or weaker protocols

  • Trust violations caused by expired or replaced identity declarations

12.2. Mandatory Security Requirements

To address the above threats, this specification mandates:

  • Clients MUST establish at least one validated integrity path before endpoint use: DNSSEC validation, or TXT signature verification when TXT signing fields are used

  • Clients MUST perform TXT-SVCB consistency checks when svcb-digest is present and selected by local policy

  • Clients MUST use TLS [RFC8446] and verify server certificates [RFC9525]

  • Clients MUST NOT use endpoints that fail verification

  • Agents that publish svcb-digest or TXT signatures over endpoint-related metadata MUST synchronously update TXT and SVCB information when versions or endpoints change

12.3. Deployment Recommendations

  • For Internet-facing agent domains, authoritative operators SHOULD enable DNSSEC [RFC4033].

  • If DNSSEC data is present and validates as bogus for SVCB (or TXT, when TXT is part of the selected trust path), clients MUST fail closed for that endpoint.

  • For private/enterprise deployments without DNSSEC, clients SHOULD require TXT signature verification and TLS certificate validation as minimum controls.

  • This specification does not require DNSSEC as the only trust mechanism; deployments MAY combine DNSSEC and signature-based protections.

12.4. Specification Scope

DN-ANR verifies the authenticity, integrity, and consistency of agent resolution data. It does not assert that the resolved agent is benign, competent, authorized for a task, compliant with policy, or reputable. Those judgments are made by upper-layer protocols, governance systems, trust registries, organizational policy, or other discovery and selection mechanisms.

This specification guarantees the following properties:

  • Verifiability of agent identity

  • Integrity and consistency of resolution results

  • Encryption and tamper-proofing of connections

This specification does NOT attempt to address:

  • Agent capability authenticity

  • Service quality (SLA) or behavioral compliance

  • Agent reputation or governance issues

These concerns should be handled by upper-layer protocols, operational frameworks, or governance mechanisms.

13. IANA Considerations

13.1. SVCB Service Parameter Keys

This revision uses Private Use SvcParamKeys only for experimentation. No permanent SvcParamKey codepoint is requested in this revision.

The following private-use keys are used in examples and experimental deployments:

Table 9
Private-use key Experimental name Meaning
key65480 agent-version Agent version or endpoint profile revision
key65481 connection-profile Post-selection connection compatibility hint (supported agent protocols for the selected identifier)

Note: The values 65480-65481 are in the private use range (65280-65534) as defined in [RFC9460].

Future revisions may request permanent SvcParamKey registrations for connection-profile (and, if warranted, agent-version) after coordination with related agent discovery, publication, registry, and connection-profile specifications, including possible alignment of protocol identifier values with registries proposed by such specifications.

13.2. Underscored DNS Node Names

This document uses the _agents underscored owner-name label ([RFC8552]) as a prefix for per-agent resolution records (for example, _agents.translator.example.com). This is the same label used by DNS-based agent discovery mechanisms, including [DNSAID]'s organization-level inventory mechanism; however, DN-ANR's usage is scoped one level deeper, under the specific already-selected Agent Identifier, rather than under an organization's root domain (see Relationship to Agent Discovery and Registry Specifications).

Because [DNSAID] has already requested registration of _agents in the "Underscored and Globally Scoped DNS Node Names" registry established by [RFC8552], this document does not request a separate or duplicate registration for that label in this revision. Should working-group review determine that the two usages require distinct registry entries, this section will be revisited in a future revision.

14. References

14.1. Normative References

[RFC1035]
Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, , <https://www.rfc-editor.org/rfc/rfc1035>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC4033]
Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements", RFC 4033, DOI 10.17487/RFC4033, , <https://www.rfc-editor.org/rfc/rfc4033>.
[RFC4648]
Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, , <https://www.rfc-editor.org/rfc/rfc4648>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8446]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, , <https://www.rfc-editor.org/rfc/rfc8446>.
[RFC8552]
Crocker, D., "Scoped Interpretation of DNS Resource Records through "Underscored" Naming of Attribute Leaves", BCP 222, RFC 8552, DOI 10.17487/RFC8552, , <https://www.rfc-editor.org/rfc/rfc8552>.
[RFC8785]
Rundgren, A., Jordan, B., and S. Erdtman, "JSON Canonicalization Scheme (JCS)", RFC 8785, DOI 10.17487/RFC8785, , <https://www.rfc-editor.org/rfc/rfc8785>.
[RFC9460]
Schwartz, B., Bishop, M., and E. Nygren, "Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)", RFC 9460, DOI 10.17487/RFC9460, , <https://www.rfc-editor.org/rfc/rfc9460>.
[RFC9461]
Schwartz, B., "Service Binding Mapping for DNS Servers", RFC 9461, DOI 10.17487/RFC9461, , <https://www.rfc-editor.org/rfc/rfc9461>.
[RFC9525]
Saint-Andre, P. and R. Salz, "Service Identity in TLS", RFC 9525, DOI 10.17487/RFC9525, , <https://www.rfc-editor.org/rfc/rfc9525>.

14.2. Informative References

[A2A]
Google, "Agent2Agent Protocol (A2A)", , <https://google.github.io/A2A/>.
[ANP]
ANP Community, "Agent Network Protocol (ANP)", , <https://agent-network-protocol.com/>.
[DAWN-PS]
Akhavain, A. and H. Moussa, "Problem Statement for the Discovery of Agents, Workloads, and Named Entities", , <https://datatracker.ietf.org/doc/draft-akhavain-moussa-dawn-problem-statement/>.
[DAWN-TERM]
Farrel, A., "Terminology for the Discovery of Agents, Workloads, and Named Entities", , <https://datatracker.ietf.org/doc/draft-farrel-dawn-terminology/>.
[DNSAID]
Mozley, J., Williams, N., Sarikaya, B., Schott, R., and J. Damick, "DNS for AI Discovery", , <https://datatracker.ietf.org/doc/draft-mozleywilliams-dnsop-dnsaid/>.

Acknowledgments

The author thanks Chenguang Du for his valuable contributions to the design and text of this draft.

Author's Address

Yong Cui
Tsinghua University
Beijing, 100084
China