DNS-Anchored Identity for Autonomous Agents
Every agent that transacts needs an owner. Groundmark anchors that ownership in the Domain Name System — the infrastructure already governing every corner of the internet.
Verification chain
The Problem
Protocols like x402 have solved the payment mechanics for autonomous agents — an agent can hit an endpoint, receive an HTTP 402, pay in stablecoins, and get access. But these transactions carry no identity. There is no standard way for an agent to prove who operates it, what it is authorised to do, or whether its operator is accountable. As agent commerce scales, this gap becomes critical.
No accountable principal. No verifiable link between an autonomous agent and the organisation that deployed it.
No delegation record. No way for a relying party to know whether the agent is permitted to perform the action it is requesting.
No contextual attestation. Age-gating, licensing, jurisdiction compliance — none of this can be verified without a trust framework.
No revocation signal. If an agent is compromised or decommissioned, there is no standard mechanism to inform the ecosystem in real time.
Graduated Trust
Four levels of trust, from permissionless to regulatory-grade. Most agent transactions need nothing at all. A smaller set require verification proportional to what is at stake.
Architecture
Every component of Groundmark either already exists or extends something that does. The contribution is recognising that DNS registration, subdomain delegation, RDAP, DNSSEC, and registrar verification — recombined — solve the agent identity problem that agentic commerce requires.
An agent's identity chains to a registered domain, verified through registrar processes and governed by ICANN policy. The domain holder controls which agents exist and can revoke them at will. The semantics of the string are irrelevant — only the verifiable chain of delegation matters.
agent47.anthropic.comTXT records on the agent subdomain serve as pointers to attestations held by trusted third parties. DNS tells you what claims exist and where to verify them — it does not try to be the claims database itself. This mirrors DNS's original design: it does not host your content, it locates it.
_agentid · _agentclaimIDSPs verify specific facts about an operator, disclose the methods they used, and stake their reputation on the attestation. They are auditors, not gatekeepers — and not live observers of every transaction. No single IDSP is authoritative for everything; pluralism is deliberate.
Per-subdomain TTLs as short as 60 seconds make every DNS lookup an implicit liveness check. A compromised or decommissioned agent is effectively dead within a minute of revocation — no additional revocation infrastructure required.
Specification
Groundmark is being built as a proper internet standard. A working Internet-Draft defines the DNS record formats, verification flow, HTTP header convention, and trust framework — positioned standards-track from day one, and designed to compose with adjacent work in the agentic commerce space.
DNS-Anchored Identity for Autonomous Agents · Noss · April 2026
Contact
Groundmark is being developed openly. If you are working on agentic protocols, identity infrastructure, registrar policy, or DNS standards, we welcome the conversation.
Reach us directly at
[email protected]