Security


How AgentRoot proves domain ownership, secures transport, and handles signing keys.

DNS verification threshold and resolver architecture

AgentRoot uses DNS itself as the root of trust — the only way to publish records for <domain> is to set a TXT record at _agentroot.<domain>, and only whoever controls that domain's DNS zone can create such a record.

Resolver architecture: AgentRoot's verification queries a single recursive resolver in the indexing region (currently sin1 / iad1 Vercel functions, falling back to system DNS). We don't currently perform multi-resolver consensus — if your authoritative DNS returns a valid _agentroot TXT, the record is considered verified for that domain.

What "verified" means:

  • DNS TXT record at _agentroot.<domain> parses successfully (per v=ar1 format)
  • The manifest URL (in manifest=<url> mode) returns valid JSON whose domain field matches the domain being verified
  • Domain ownership is provable only via DNS — no email or token verification

Per-record verification re-runs every ~6 hours via the cron tick. If the lookup returns NXDOMAIN or the record is malformed, the record is marked stale and de-indexed after the inactivity threshold (see registry lifecycle).

Agent-to-agent authentication and transport security

TLS / mTLS: AgentRoot itself does NOT enforce mutual TLS for A2A endpoints. We treat A2A endpoints as opaque — they're URLs published by the domain owner, and the protocol used at that endpoint (auth, mTLS, signed requests, JWT) is the responsibility of the endpoint operator.

What AgentRoot guarantees:

  • Manifest URLs must be HTTPS (HTTP is rejected by the resolver, see packages/api/src/infrastructure/adapters/dns.adapter.ts SSRF protection)
  • DNS TXT records prove the domain owner authorized the published endpoints
  • The registry's own API is over HTTPS only; no plain HTTP

What AgentRoot does NOT guarantee:

  • mTLS between agents — that's up to the A2A endpoint operator
  • Payload signing — agents may sign requests/responses but AgentRoot doesn't verify
  • Identity beyond domain ownership — there's no per-user or per-agent identity layer

If your use case requires mTLS, the recommended pattern is:

  1. Publish your A2A endpoint at https://api.<your-domain>/a2a
  2. Configure your endpoint to require client certs signed by your CA
  3. Document the auth requirement in the auth field of that endpoint's record in your manifest

Consumers reading the manifest will see the auth requirement and provision client certs accordingly.
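Steps 1 and 2 of the pattern above, as an added example of the endpoint operator's side (this is not AgentRoot's code and it does not talk to the registry): a Node.js HTTPS server that requires client certificates issued by the operator's own CA, and then applies an explicit allowlist, which is the authorization step the TLS handshake does not do for you. The file paths, the allowlist values, the `status`/`reason` result shape and the function names are this example's own choices; the manifest `auth` field from step 3 is not modelled because this page does not specify its schema.

```javascript
// Added example (not AgentRoot's own code): an A2A endpoint that requires client certificates
// from the operator's own CA, plus application-level authorization of the presented identity.
// Paths, CA and allowlist values are placeholders.

function mtlsServerOptions({ key, cert, ca }) {
  return {
    key,                      // this server's private key (PEM)
    cert,                     // this server's certificate chain (PEM)
    ca,                       // ONLY your own client CA; clients chaining to any other CA fail the handshake
    requestCert: true,        // ask every client for a certificate ...
    rejectUnauthorized: true, // ... and abort the handshake unless it verifies against `ca`
    minVersion: "TLSv1.2",
  };
}

// Reduce a TLS socket to the facts the authorization policy needs. getPeerCertificate() returns
// an empty object when no certificate was presented.
function peerFromSocket(socket) {
  const cert = socket.getPeerCertificate(false) || {};
  return {
    authorized: socket.authorized === true,
    authorizationError: socket.authorizationError ? String(socket.authorizationError) : null,
    subjectCN: cert.subject ? cert.subject.CN : undefined,
    fingerprint256: cert.fingerprint256, // SHA-256 fingerprint as Node reports it ("AA:BB:...")
  };
}

// TLS answered "did this certificate chain to our CA?". The application still has to answer
// "is THIS client allowed on THIS endpoint?". policy.allowedClients lists subject CNs; the
// optional policy.pinnedFingerprints narrows that further to specific certificates.
function authorizePeer(peer, policy) {
  if (!peer.authorized) {
    // Unreachable with rejectUnauthorized: true (the handshake already failed); kept as
    // defence in depth for deployments that relax that option to return a readable error.
    return { allow: false, status: 401,
      reason: `client certificate not verified: ${peer.authorizationError ?? "none presented"}` };
  }
  if (policy.pinnedFingerprints && policy.pinnedFingerprints.length > 0 &&
      !policy.pinnedFingerprints.includes(peer.fingerprint256)) {
    return { allow: false, status: 403, reason: "client certificate is not one of the pinned certificates" };
  }
  if (!policy.allowedClients.includes(peer.subjectCN)) {
    return { allow: false, status: 403, reason: `client "${peer.subjectCN ?? "<no CN>"}" is not on the allowlist` };
  }
  return { allow: true, status: 200, reason: "ok" };
}

// Step 2 of the pattern: start the endpoint. Node's modules are loaded lazily so the policy
// functions above can be unit-tested without reading key files or opening a socket.
async function startMtlsEndpoint({ port, keyPath, certPath, caPath, policy }) {
  const fs = await import("node:fs");
  const https = await import("node:https");
  const options = mtlsServerOptions({
    key: fs.readFileSync(keyPath),
    cert: fs.readFileSync(certPath),
    ca: fs.readFileSync(caPath),
  });
  const server = https.createServer(options, (req, res) => {
    const decision = authorizePeer(peerFromSocket(req.socket), policy);
    res.writeHead(decision.status, { "content-type": "application/json" });
    // A real handler dispatches to the A2A logic on allow; here the decision itself is returned.
    res.end(JSON.stringify(decision.allow ? { ok: true } : { error: decision.reason }));
  });
  await new Promise((resolve) => server.listen(port, resolve));
  return server;
}

// Example wiring (placeholder paths and names):
// startMtlsEndpoint({ port: 8443, keyPath: "server.key", certPath: "server.crt", caPath: "client-ca.crt",
//   policy: { allowedClients: ["agent.partner.example"] } });
```

Two points worth checking in any such deployment: `ca` must contain only the CA you issue client certificates from, not the system bundle, or any public CA could mint an accepted client; and the allowlist (or pinning) is what turns "has a certificate from our CA" into "is permitted to call this endpoint", because a revoked or reassigned client certificate still chains correctly until it expires.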

Signing key rotation and grace period

AgentRoot doesn't currently use signing keys for records — DNS itself is the root of trust. If you publish signed payloads (e.g., signed JSON Web Keys at your A2A endpoint), the key lifecycle is your responsibility.

Recommended rotation policy for publishers:

  • Grace period: keep the old key valid for 7 days after rotating to the new key, so in-flight consumers can complete operations
  • Publishing the new key: update your manifest's record (or the keys referenced by your manifest's URL) with the new key BEFORE rotating production traffic
  • Revocation: for emergency revocation, update DNS TXT immediately and the AgentRoot resolver picks up the change within ~6 hours

Why 7 days? Long enough for downstream cache invalidation and consumer redeployment; short enough that compromised keys don't linger indefinitely. Adjust based on your threat model — finance/PII flows may want 24 hours; low-stakes content APIs may go 30 days.

Where to put your keys: at a stable URL on your domain (e.g., https://<domain>/.well-known/jwks.json) and reference it from your manifest. Don't embed keys directly in DNS TXT (255-byte limit, hard to rotate).
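A publisher-side model of the rotation policy above, as an added example (not AgentRoot's code; as the page says, the registry itself has no signing keys): a keyring that publishes the new key first, then activates it and starts the grace period on the old one, prunes keys once the grace period ends, revokes immediately in an emergency, and renders the public JWKS document to serve at https://<domain>/.well-known/jwks.json. The JWK values are constructed placeholders, and the function names and the keyring's `activeKid`/`retireAt` fields are this example's own.

```javascript
// Added example (not AgentRoot's own code): keyring implementing the rotation policy on this
// page. JWK values are placeholders; real keys come from crypto.generateKeyPairSync and are
// exported with { format: "jwk" }.

const DAY_MS = 24 * 60 * 60 * 1000;
const DEFAULT_GRACE_MS = 7 * DAY_MS; // page: 7-day grace period; tune per threat model
// RFC 7518 private/secret JWK members that must never reach the published document.
const PRIVATE_JWK_PARAMS = ["d", "p", "q", "dp", "dq", "qi", "oth", "k"];

function requireKid(jwk) {
  if (!jwk || typeof jwk.kid !== "string" || jwk.kid === "") {
    throw new Error("every published key needs a unique kid");
  }
}

function createKeyring(jwk, now) {
  requireKid(jwk);
  return { activeKid: jwk.kid, keys: [{ jwk, addedAt: now, retireAt: null }] };
}

// Step 1: publish the new key next to the current one. Serve the resulting JWKS and let consumer
// caches refresh BEFORE anything is signed with it, otherwise they see an unknown kid.
function publishKey(ring, jwk, now) {
  requireKid(jwk);
  if (ring.keys.some((k) => k.jwk.kid === jwk.kid)) {
    throw new Error(`kid ${jwk.kid} is already published; kids must never be reused`);
  }
  return { ...ring, keys: [...ring.keys, { jwk, addedAt: now, retireAt: null }] };
}

// Step 2: switch signing to `kid`; the previously active key stays published until now + graceMs
// so in-flight operations signed with it still verify.
function activateKey(ring, kid, now, graceMs = DEFAULT_GRACE_MS) {
  if (!ring.keys.some((k) => k.jwk.kid === kid)) throw new Error(`cannot activate unpublished kid ${kid}`);
  return {
    activeKid: kid,
    keys: ring.keys.map((k) => {
      if (k.jwk.kid === kid) return { ...k, retireAt: null };                       // new signer
      if (k.jwk.kid === ring.activeKid) return { ...k, retireAt: now + graceMs };   // old signer enters grace
      return k;
    }),
  };
}

// Housekeeping: drop keys whose grace period has ended (run it from the job that serves the JWKS).
function pruneExpired(ring, now) {
  return { ...ring, keys: ring.keys.filter((k) => k.retireAt === null || k.retireAt > now) };
}

// Emergency revocation: remove the key now, with no grace. If it was the active key nothing can be
// signed until a replacement is published and activated, which is the intended fail-closed state.
function revokeKey(ring, kid) {
  return {
    activeKid: ring.activeKid === kid ? null : ring.activeKid,
    keys: ring.keys.filter((k) => k.jwk.kid !== kid),
  };
}

// The document to serve at /.well-known/jwks.json: public members only, every key carrying a kid.
function toJwks(ring) {
  return {
    keys: ring.keys.map((k) => {
      const pub = { ...k.jwk };
      for (const p of PRIVATE_JWK_PARAMS) delete pub[p];
      return pub;
    }),
  };
}

// Consumer side: select by kid, never "the first key". An unknown kid means the cached JWKS is
// stale and should be refetched (rate-limited, so a stream of bad kids cannot force a fetch per request).
function selectVerificationKey(jwks, kid) {
  return jwks.keys.find((k) => k.kid === kid) ?? null;
}
```

The grace period is a parameter of `activateKey` rather than a constant so the 24-hour and 30-day variants the text mentions are the same code path; `revokeKey` deliberately has no grace argument at all.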

Manifest URL scheme constraints

AgentRoot enforces:

  • HTTPS only (HTTP manifest URLs are rejected)
  • Public hostnames only (loopback, private-IP, and link-local addresses are blocked by SSRF protection in the DNS adapter)
  • Max manifest size: 1 MB
  • Max records per manifest: ~100 (soft limit, see limits)
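The constraints in this section together with the "verified" criteria in "DNS verification threshold and resolver architecture" above, as an added example (this is not the project's dns.adapter.ts): parse a _agentroot TXT record, apply the HTTPS-only and public-host rules to its manifest URL, enforce the 1 MB size limit, and confirm that the manifest's domain field matches the domain being verified. Assumptions not stated on the page: tags are `key=value` pairs separated by `;`, the manifest is a JSON object with a top-level `domain` field, and the function names and the in-memory fetcher are this example's own.

```javascript
// Added example (not AgentRoot's dns.adapter.ts): model of the TXT-record and manifest-URL checks
// this page describes. Assumes ";"-separated key=value tags and a JSON manifest with a top-level
// "domain" field. Names below are this example's own.

const MAX_MANIFEST_BYTES = 1024 * 1024; // page: max manifest size 1 MB

// Parse "v=ar1; manifest=https://..." into tags. Returns null for anything that is not a
// well-formed v=ar1 record; the indexer treats such a record as malformed (not verified).
function parseAgentRootTxt(txt) {
  const fields = Object.create(null); // no prototype, so "in" sees only our own tags
  for (const part of txt.split(";")) {
    const tag = part.trim();
    if (tag === "") continue;
    const eq = tag.indexOf("=");
    if (eq <= 0) return null;        // no key, or no "="
    const key = tag.slice(0, eq).trim().toLowerCase();
    if (key in fields) return null;  // duplicate tag is ambiguous: reject rather than pick one
    fields[key] = tag.slice(eq + 1).trim();
  }
  if (fields.v !== "ar1") return null;
  return { version: fields.v, manifest: fields.manifest ?? null, fields };
}

function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Classify a hostname by its literal form. Feed it url.hostname from the WHATWG URL parser, which
// already canonicalises shorthand such as 2130706433 or 0x7f.1 to 127.0.0.1 and brackets IPv6.
function classifyHost(hostname) {
  const host = hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback";
  const v4 = ipv4Octets(host);
  if (v4) {
    const [a, b] = v4;
    if (a === 127) return "loopback";
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
    if (a === 169 && b === 254) return "link-local";
    return "public";
  }
  if (host.startsWith("[") && host.endsWith("]")) { // IPv6 literal, e.g. "[::1]"
    const v6 = host.slice(1, -1);
    if (v6 === "::1") return "loopback";
    if (/^fe[89ab]/.test(v6)) return "link-local"; // fe80::/10
    if (/^f[cd]/.test(v6)) return "private";       // fc00::/7 unique local
    if (v6.startsWith("::ffff:")) {                // IPv4-mapped: classify the embedded IPv4
      const tail = v6.slice("::ffff:".length);
      if (tail.includes(".")) return classifyHost(tail);
      const hx = tail.split(":").map((h) => parseInt(h, 16));
      if (hx.length === 2 && hx.every(Number.isFinite)) {
        return classifyHost(`${hx[0] >> 8}.${hx[0] & 0xff}.${hx[1] >> 8}.${hx[1] & 0xff}`);
      }
    }
  }
  return "public";
}

// Manifest URL policy: https only, public hostnames only.
function checkManifestUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return { ok: false, reason: "manifest URL does not parse" }; }
  if (url.protocol !== "https:") return { ok: false, reason: `scheme "${url.protocol}" rejected: manifest URLs must be https` };
  const kind = classifyHost(url.hostname);
  if (kind !== "public") return { ok: false, reason: `${kind} host ${url.hostname} is blocked` };
  return { ok: true, reason: "manifest URL acceptable" };
}

// Constructed stand-in for the HTTPS fetch: URL -> response body, or null when the fetch fails.
const SAMPLE_MANIFESTS = new Map([
  ["https://agentroot.example/.well-known/agentroot.json", JSON.stringify({ domain: "agentroot.example", records: [] })],
]);
const sampleFetcher = (url) => SAMPLE_MANIFESTS.get(url) ?? null;

// What "verified" means for one domain: a valid v=ar1 TXT and, in manifest mode, an acceptable
// URL serving well-formed JSON under the size limit whose domain field matches.
function verifyDomain(domain, txt, fetchManifest) {
  const rec = parseAgentRootTxt(txt);
  if (!rec) return { ok: false, reason: `_agentroot.${domain} TXT is not a valid v=ar1 record` };
  if (rec.manifest === null) return { ok: true, reason: "inline record verified" };
  const urlCheck = checkManifestUrl(rec.manifest);
  if (!urlCheck.ok) return urlCheck;
  const body = fetchManifest(rec.manifest);
  if (body === null) return { ok: false, reason: "manifest fetch failed" };
  if (new TextEncoder().encode(body).length > MAX_MANIFEST_BYTES) return { ok: false, reason: "manifest exceeds 1 MB" };
  let manifest;
  try { manifest = JSON.parse(body); } catch (e) { return { ok: false, reason: "manifest is not valid JSON" }; }
  const declared = manifest && typeof manifest === "object" ? manifest.domain : undefined;
  if (typeof declared !== "string" || declared.toLowerCase() !== domain.toLowerCase()) {
    return { ok: false, reason: "manifest domain field does not match the DNS domain" };
  }
  return { ok: true, reason: "verified via manifest" };
}
```

`classifyHost` only sees the hostname as written. A public name can still resolve to a loopback or private address (or redirect to one), so a resolver that actually fetches the manifest must repeat the check on the resolved address and on every redirect target, and should read the body with a hard byte cap rather than buffering first and measuring afterwards.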

Contact

Security contact: [email protected] (also at https://agentroot.io/.well-known/security.txt per RFC 9116)

Public security policy: https://github.com/d3-inc/agentroot/security/policy