DNS TXT Records, DUADP, and the Path to Agents as First-Class Web Citizens
OWASP's Agentic Naming System (ANS) predicts that AI agents could represent 50% of internet traffic by 2030 and 80% by 2035. That is not a distant hypothetical. That is four years from now.
Yet agents have no native identity on the web. No DNS presence. No discoverable metadata. No verifiable trust chain. They are ghosts — powerful, autonomous ghosts consuming half the internet's bandwidth with zero accountability infrastructure.
This has to change, and the path forward is clear because we have done this before.
The Website Precedent
Every website on the internet went through the same journey to become a "first-class citizen":
- Content — HTML gave structure to information
- Identity — DNS gave every site a resolvable name
- Trust — SSL/TLS gave every site verifiable identity
- Discovery — Search indexing made every site findable
- Analytics — Tracking and measurement made every site accountable
It took the web roughly 15 years to build this stack. Agents need it in 3. The good news: we do not have to invent the patterns. We just have to apply them.
The Agent Identity Stack
Here is the flow we are building with OSSA and DUADP:
Step 1: DNS TXT Records
Just as SPF, DKIM, and DMARC use DNS TXT records to establish email sender identity, agents use DNS TXT records to declare their existence and point to their identity documents.
```
_ossa.example.com TXT "v=ossa1; manifest=https://example.com/.well-known/ossa/manifest.json; gaid=ossa:example.com:billing-agent:v2"
```
This is lightweight. It requires no new infrastructure. Every domain registrar, every DNS provider, every CDN already supports TXT records. The agent's identity is rooted in the same trust chain as the organization's domain.
Step 2: DUADP Registration
The Universal Agent Discovery Protocol provides a federated registry where agents register their capabilities, governance constraints, and trust attestations. Think of it as the agent equivalent of a certificate authority combined with a service registry.
When an agent registers with DUADP, it gets:
- A Global Agent Identifier (GAID) — a universally resolvable identity
- A capability profile — what the agent can do, verified by the registrar
- A trust score — based on attestations, audit history, and operational track record
Step 3: OSSA A2A Card + YAML
The OSSA manifest serves as the agent's "business card" for agent-to-agent communication. It is a structured, machine-readable contract that tells other agents:
- Who this agent is (identity + GAID)
- What it can do (capabilities + tools)
- What it is allowed to do (governance + constraints)
- How to communicate with it (protocols + endpoints)
- Who vouches for it (trust chain + attestations)
Step 4: Discovery
With DNS declaring existence, DUADP providing registration, and OSSA manifests providing contracts, agents become discoverable. Other agents can find them. Orchestrators can recruit them. Governance systems can audit them.
Step 5: Trust Verification
The final layer. Before any agent-to-agent interaction, the calling agent can:
- Resolve the target agent's GAID via DUADP
- Verify the DNS TXT record matches the domain's ownership
- Validate the OSSA manifest against the specification schema
- Check trust attestations and compliance status
- Establish a verified communication channel
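A consistency check for the `_ossa` TXT record from Step 1, covering the "record matches the domain" part of Step 5, as an added example that is not code from the OSSA or DUADP projects. The tag names and sample record come from the page; the `ossa:<domain>:<agent>:<version>` GAID layout is inferred from that single sample, and the same-domain manifest policy and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Record value copied from the page's example; owner name is _ossa.<domain>.
SAMPLE_TXT = ("v=ossa1; manifest=https://example.com/.well-known/ossa/manifest.json; "
              "gaid=ossa:example.com:billing-agent:v2")


def parse_ossa_txt(txt):
    """Split 'k=v; k=v' into a dict, rejecting duplicate or malformed tags."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed tag: {part!r}")
        if key in fields:
            raise ValueError(f"duplicate tag: {key}")
        fields[key] = value
    return fields


def check_record(domain, txt):
    """Return a list of problems; an empty list means the record is consistent."""
    try:
        f = parse_ossa_txt(txt)
        url = urlsplit(f.get("manifest", ""))
        host = (url.hostname or "").lower()  # hostname ignores any user@ prefix
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if f.get("v") != "ossa1":
        problems.append("unsupported or missing version tag")
    if url.scheme != "https":
        problems.append("manifest must be fetched over https")
    domain = domain.lower().rstrip(".")
    # Assumed policy: manifest host is the queried domain or a subdomain of it.
    if host != domain and not host.endswith("." + domain):
        problems.append("manifest host is outside the queried domain")
    gaid = f.get("gaid", "").split(":")
    if len(gaid) != 4 or gaid[0] != "ossa" or not all(gaid):
        problems.append("gaid is not ossa:<domain>:<agent>:<version>")
    elif gaid[1].lower() != domain:
        problems.append("gaid domain does not match the queried domain")
    return problems
```

This checks only that the record is internally consistent with the domain it was queried under. Authenticity of the DNS answer itself (for example, DNSSEC validation by the resolver) and schema validation of the fetched manifest are separate steps.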
Why DNS Matters More Than You Think
There is a reason we start with DNS and not with a proprietary registry. DNS is the internet's root of trust for naming. It is decentralized, battle-tested, and universally supported.
Alternatives — proprietary agent marketplaces, centralized registries, blockchain-based identity — all introduce dependencies that fragment the ecosystem. DNS TXT records require nothing new. If you own a domain, you can register an agent. Today. Right now.
Just as every website needs a domain, every agent needs a GAID. This is not a nice-to-have. When agents represent half of internet traffic, unidentified agents will be treated like unidentified network traffic — blocked, throttled, and quarantined.
NIST recognizes this. Their CAISI initiative (Docket NIST-2025-0035) explicitly calls for agent identity standards. The NCCoE AI Agent Identity program (responses due April 2, 2026) is building reference architectures for exactly this problem. We are aligned with both efforts because the architecture is converging on the same answer: agents need identity infrastructure rooted in existing web trust chains.
The Tracking, Training, and Analytics Layer
Once agents are first-class web citizens with resolvable identities, entirely new capabilities emerge:
Tracking: Every agent interaction can be attributed to a specific, verified identity. Audit trails become trivial. Compliance becomes automated. The question "which agent did this?" always has an answer.
Training: Agent performance data — success rates, error patterns, cost efficiency — can be aggregated across deployments. Agents improve not just from their own experience but from the federated experience of all agents in the DUADP network.
Analytics: Organizations can measure agent ROI with the same rigor they apply to websites. Traffic, conversion, cost-per-action, error rates — all tied to verified agent identities.
This is the next evolution. Not just agents that work, but agents that are measurable, accountable, and improvable as first-class participants in the web ecosystem.
The Timeline
| Year | Milestone |
|---|---|
| 2026 | OSSA v1.0 specification, DUADP pilot federation, NIST CAISI alignment |
| 2027 | DNS TXT record adoption by major cloud providers, GAID resolution at scale |
| 2028 | Agent discovery integrated into search engines and service meshes |
| 2029 | Trust verification becomes table stakes for enterprise agent deployment |
| 2030 | Agents are first-class web citizens with full identity, discovery, and accountability |
Four years. The web did it in fifteen. We have the benefit of knowing where we are going.
Read the full DUADP specification, explore our NIST CAISI submission, or dive into the OSSA specification to see how the pieces fit together.