Skip to content

DNS-AID as discovery transport for AI Cards #25

Description

@iracic82

DNS-AID (IETF draft-mozleywilliams-dnsop-dnsaid, reference impl) could serve as the DNS-based discovery transport for AI Cards.

How it fits

Our SVCB records already carry a cap URI parameter that points to a capability document — this could point to an AI Card JSON:

_booking._mcp._agents.example.com. SVCB 1 mcp.example.com. alpn="mcp" port=443 \
    cap="https://mcp.example.com/.well-known/ai-card.json"

Discovery flow: DNS SVCB lookup → resolve endpoint + cap URI → fetch AI Card at cap URI → connect.

This gives AI Card DNS-native discovery with DNSSEC integrity verification, without requiring a centralized registry. Organizations control their own agent namespaces — no gatekeeper.

What DNS-AID provides

  • SVCB records (RFC 9460) for service discovery with protocol, port, and endpoint
  • DNSSEC mandatory for cryptographic verification
  • DANE/TLSA for certificate binding
  • Three-layer policy enforcement (DNS resolver → caller SDK → target middleware)
  • 7 DNS backends (Route 53, Cloudflare, BIND, Infoblox NIOS/UDDI, Cloud DNS)
  • 1065 unit tests, production-tested

Relationship to AI Card

Layer Standard Role
Discovery transport DNS-AID (SVCB + DNSSEC) Where is the agent?
Agent metadata AI Card What is the agent?
Communication A2A / MCP How to talk to the agent?

We'd welcome collaboration on ensuring AI Card and DNS-AID work together cleanly.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions