| Internet-Draft | AID | March 2026 |
| Nemethi | Expires 17 September 2026 | [Page] |
Agent Identity and Discovery (AID) is a minimal, DNS-first discovery protocol for locating agent service endpoints. Given a domain name, an AID client queries a DNS TXT record at the well-known subdomain _agent.<domain> and learns the service endpoint URI, protocol token, authentication hint, and optional metadata for that agent.¶
This document defines the AID v1.2 record format, client discovery algorithm, exact-host lookup rules, security requirements, and IANA registrations for the `_agent` DNS node name and the `agent` service name. AID is intentionally small. After discovery, protocol-specific mechanisms such as MCP or A2A handle communication and capability negotiation.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 17 September 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Applications that need to locate and connect to an agent often rely on out-of-band configuration, centralized directories, or protocol-specific discovery mechanisms. AID defines a single DNS-based bootstrap point that answers one question: given a domain, where is the agent and which protocol should a client speak?¶
AID uses a TXT record at the well-known DNS name _agent.<domain>. The record is small, versioned, and protocol-agnostic. It tells a client where the agent is located, which protocol token applies, what authentication hint to expect, and whether endpoint proof is required.¶
This document specifies the wire format and client behavior for AID v1.2 and requests two IANA registrations. The RFC 8552 registration covers the deployed TXT-based discovery label `_agent`, while the RFC 6335 service-name-only registration reserves `agent` for possible future SRV-based discovery under the same naming family.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A provider MUST advertise its agent service by publishing a single TXT record at `_agent.<domain>`. For AID v1.x, agents MUST use DNS TXT records for discovery. TXT is the deployed discovery record type because it is widely available across DNS providers and registrars. Future versions of AID may adopt a more structured record type, but the `_agent` label remains stable; see Section 7.1.¶
The record MUST be a single semicolon-delimited string of `key=value` pairs. Clients SHOULD `trim()` leading and trailing whitespace from keys and values. Clients MUST ignore unknown keys.¶
If a DNS server splits the TXT record into multiple 255-octet strings, the client MUST concatenate them in order before parsing. Providers SHOULD keep the full record under 255 octets when practical.¶
Key comparison is case-insensitive. Clients MUST recognize the single-letter lowercase alias for every defined key. A record MUST NOT include both a long key and its alias. Providers SHOULD emit the short-key form `v,u,p,a,s,d,e,k,i` for AID v1.x records.¶
_agent.example.com. 300 IN TXT ( "v=aid1;u=https://api.example.com/mcp;" "p=mcp;a=pat;s=Example AI Tools" )
_agent.grafana.com. 300 IN TXT ( "v=aid1;u=docker:grafana/mcp:latest;" "p=local;a=pat;s=Run Grafana agent locally" )
_agent.example.com. 300 IN TXT ( "v=aid1;p=mcp;u=https://api.example.com/mcp;" "k=z7rW8rTq8o4mM6vVf7w1k3m4uQn9p2YxCAbcDeFgHiJ;i=g1;" "d=https://docs.example.com/agent;" "e=2026-01-01T00:00:00Z;s=Secure AI Gateway" )
_agent.local.test. 300 IN TXT ( "v=aid1;p=zeroconf;" "u=zeroconf:_mcp._tcp;s=Local Dev Agent" )
When an AID client is given a domain, it MUST perform the following steps:¶
| Code | Name | Meaning |
|---|---|---|
| 1000 | ERR_NO_RECORD | No `_agent` TXT record was found for the domain. |
| 1001 | ERR_INVALID_TXT | A record was found but is malformed or missing required keys. |
| 1002 | ERR_UNSUPPORTED_PROTO | The record is valid, but the client does not support the selected protocol. |
| 1003 | ERR_SECURITY | Discovery failed due to a security policy or verification failure. |
| 1004 | ERR_DNS_LOOKUP_FAILED | The DNS query failed for a network-related reason. |
| 1005 | ERR_FALLBACK_FAILED | The `.well-known` fallback failed or returned invalid data. |
Discovery is exact-host by default. If the application asks for `app.team.example.com`, the canonical AID query name is `_agent.app.team.example.com`.¶
Clients MUST NOT walk up the DNS hierarchy looking for `_agent.team.example.com` or `_agent.example.com`. If an operator wants a child host to inherit a shared record, that inheritance MUST be expressed in DNS for the exact queried name, for example by using a `CNAME` at the child host's `_agent` label.¶
_agent.app.team.example.com. 300 IN TXT ( "v=aid1;p=mcp;" "u=https://app.team.example.com/mcp" ) _agent.app.team.example.com. 300 IN CNAME ( _agent.shared.team.example.com. ) _agent.shared.team.example.com. 300 IN TXT ( "v=aid1;p=mcp;" "u=https://gateway.team.example.com/mcp" )
Protocol-specific lookups follow the same exact-host rule. If an application explicitly asks for a given protocol token, a client MAY query `_agent._<proto>.<exact-host>` before the base `_agent.<exact-host>` name, but it MUST NOT query parent hosts implicitly.¶
The canonical location for discovery is the base record `_agent.<domain>`. Providers MAY additionally expose distinct agent services on protocol-specific subdomains of the form `_agent._<proto>.<domain>`.¶
_agent._mcp.example.com. 300 IN TXT ( "v=aid1;p=mcp;" "u=https://api.example.com/mcp" ) _agent._a2a.example.com. 300 IN TXT ( "v=aid1;p=a2a;" "u=https://api.example.com/a2a" )
By default, clients query the base record. When a specific protocol token is explicitly requested by the calling application, clients MAY first query the corresponding protocol-specific name and then fall back to the base record for the same exact host.¶
AID publishes public discovery metadata. The TXT record MUST NOT contain secrets. The protocol depends on DNS integrity, TLS for remote endpoints, and explicit client safeguards for local execution.¶
Clients that support `proto=local` MUST implement the following safeguards:¶
If an initial request to the discovered `uri` returns an HTTP redirect (`301`, `302`, `307`, or `308`) to a different origin, clients SHOULD treat this as a potential security risk. Clients MUST NOT follow such cross-origin redirects automatically. Implementations MAY either terminate with `ERR_SECURITY` or require explicit user confirmation before proceeding.¶
AID addresses DNS spoofing and cache poisoning with optional DNSSEC validation, endpoint impersonation with optional public-key attestation, downgrade detection with remembered key state, command injection risks for local execution, and cross-origin redirect abuse for remote endpoints.¶
Compromised authoritative DNS servers, active network attackers beyond the protections of TLS, and revocation beyond DNS record update remain outside the direct scope of AID v1.2.¶
Clients that expose enterprise controls SHOULD provide policy presets and MAY expose the underlying policy knobs directly.¶
| Preset | PKA | DNSSEC | Well-known | Downgrade |
|---|---|---|---|---|
| balanced | if-present | prefer | auto | warn |
| strict | require | require | disable | fail |
The underlying policy knobs are:¶
Policy semantics are as follows:¶
If discovery succeeds only through `.well-known`, that result cannot satisfy a policy that requires DNSSEC validation.¶
Providers are RECOMMENDED to publish `_agent` TXT records with a TTL between 300 and 900 seconds. Clients MUST respect the received TTL and MUST NOT cache the record longer than that.¶
AID v2 or later may adopt a more structured DNS record type such as SRV [RFC2782] or SVCB [RFC9460], depending on operational deployment support. TXT remains the canonical mechanism for AID v1.x.¶
Formal requests are expected for the `_agent` underscored DNS node name under [RFC8552] and the `agent` service name under [RFC6335].¶
The stable DNS label for AID is `_agent`. Record types may evolve, but the discovery label remains `_agent` across versions and the record version field identifies the wire-format expectations. This is the main reason the RFC 8552 registration is valuable even if later AID versions use a different DNS RR type.¶
To support interoperability, token registries and community resources are maintained publicly.¶
This document requests registration in two IANA registries. The registrations serve different purposes. The RFC 8552 request covers AID v1.x TXT discovery at `_agent.<domain>`. The RFC 6335 request reserves the service name `agent` for potential future DNS service discovery usage under `_agent._tcp.<domain>`.¶
IANA is requested to register the following entry in the "Underscored and Globally Scoped DNS Node Names" registry established by [RFC8552].¶
| RR Type | TXT |
| Node Name | _agent |
| Reference | This document |
The `_agent` node name is used exclusively for Agent Identity and Discovery. A single TXT record published at `_agent.<domain>` contains semicolon-delimited key/value pairs that identify an agent endpoint, protocol token, and optional metadata as defined in Section 3 and Section 4.¶
The requested node name is specific to AID and does not reserve the broader concept of agents or agent-related discovery generally. Protocol-specific labels of the form `_agent._<proto>.<domain>` are subordinate names beneath the registered `_agent` node and do not require separate global registration.¶
IANA is requested to register the following service-name-only entry in the "Service Name and Transport Protocol Port Number" registry defined by [RFC6335].¶
| Service Name | agent |
| Transport Protocol(s) | tcp |
| Description | Agent Identity and Discovery (AID): DNS-based discovery of agent service endpoints |
| Port Number | N/A |
| Assignment Notes | No port number is requested. This is a service-name-only registration intended to establish `agent` for possible future SRV-based discovery under `_agent._tcp.<domain>` while preserving the stable `_agent` label. |
| Reference | This document |
All authentication tokens are case-sensitive and use lowercase ASCII.¶
All protocol tokens are case-sensitive and use lowercase ASCII.¶
| Token | Meaning | Allowed `uri` scheme(s) |
|---|---|---|
| mcp | Model Context Protocol | https:// |
| a2a | Agent-to-Agent Protocol | https:// |
| openapi | OpenAPI specification document | https:// |
| grpc | gRPC over HTTP/2 or HTTP/3 | https:// |
| graphql | GraphQL over HTTP | https:// |
| websocket | WebSocket transport | wss:// |
| local | The agent runs locally on the client machine | docker:, npx:, pip: |
| zeroconf | mDNS or DNS-SD service discovery | zeroconf:<service_type> |
| ucp | Universal Commerce Protocol | https:// |
For cross-language SDK consistency, clients SHOULD use the following numeric constants.¶
| Constant | Value |
|---|---|
| ERR_NO_RECORD | 1000 |
| ERR_INVALID_TXT | 1001 |
| ERR_UNSUPPORTED_PROTO | 1002 |
| ERR_SECURITY | 1003 |
| ERR_DNS_LOOKUP_FAILED | 1004 |
| ERR_FALLBACK_FAILED | 1005 |
When `pka` is present, the client MUST verify control of the corresponding private key using HTTP Message Signatures with Ed25519 as specified in [RFC9421].¶
function performPKAHandshake(uri, pka, kid):
nonce = generateRandomBytes(32)
challenge = base64urlEncode(nonce)
headers = {
"AID-Challenge": challenge,
"Date": currentUTCTime()
}
response = sendGET(uri, headers)
if response.status != 200:
failWith(ERR_SECURITY)
sigInput = response.headers["Signature-Input"]
signature = response.headers["Signature"]
created = parseCreated(sigInput)
if |currentTime() - created| > 300 seconds:
failWith(ERR_SECURITY)
pubKey = multibaseDecode(pka)
if not verifyEd25519(signature, sigInput.coveredFields, pubKey):
failWith(ERR_SECURITY)
Providers MUST include `kid` whenever `pka` is present. Clients SHOULD warn on downgrade if a previously observed `pka` disappears.¶
AID is a DNS-based discovery protocol. The fallback defined here is a non-normative convenience for environments where publishing DNS TXT records is difficult. It does not change the RFC 8552 scope of `_agent`.¶
The `.well-known` URI convention itself is described in [RFC8615].¶