Agent Name Services (ANS)

• Agent Name Services (ANS) are a protocol-agnostic directory that maps human-readable agent identifiers to verifiable metadata, endpoints, and capabilities.
• ANS generalizes DNS by enabling dynamic, capability-aware discovery and secure communication among autonomous agents through layered registries, protocol adapters, and resolution engines.
• The framework ensures robust lifecycle management and security through PKI-based trust, formal naming syntaxes, and adaptive resolution mechanisms that optimize registration and query performance.

An Agent Name Service (ANS) is a foundational infrastructure for multi-agent ecosystems, providing a secure, scalable, and interoperable directory that enables robust, verifiable discovery and communication among autonomous AI agents. The ANS paradigm generalizes and extends the Domain Name System (DNS), moving beyond static network addresses to support dynamic, protocol-agnostic, capability-aware, and cryptographically secured agent resolution. Modern ANS architectures coordinate structured registries, cryptography (PKI and verifiable credentials), modular protocol adaptation, formal naming syntaxes, and advanced policies for lifecycle, access control, and interoperability (Huang et al., 15 May 2025, Wang et al., 5 Aug 2025, Raskar et al., 18 Jul 2025, Cui et al., 28 May 2025, Zinky et al., 5 Aug 2025, Muscariello et al., 23 Sep 2025).

1. Formal Definition and Structural Principles

An Agent Name Service constitutes a protocol-agnostic directory mapping structured, human-readable agent identifiers to signed and verifiable metadata, endpoints, and capabilities. The canonical ANSName syntax, inspired by DNS URIs and extended with explicit capability and versioning fields, is:

$$\text{ANSName} ::= \text{Protocol} "://" \text{AgentID} "." \text{Capability} "." \text{Provider} ".v" \text{Version} "." \text{Extension}$$

with each component validating against explicit formats, e.g., version as

$\text{Version\_regex} = \texttt{^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?$}$

(Huang et al., 15 May 2025).

Table: Core ANSName Components

Field	Description	Example Value
Protocol	Protocol identifier (a2a, mcp, acp, ...)	mcp
AgentID	Unique agent identifier	sentimentAnalyzer
Capability	Primary agent capability	textAnalysis
Provider	Agent/service provider	ExampleCorp
Version	Semantic versioning	1.0.0
Extension	Optional extension for customization	custom

The formal structure and schema establish the unambiguous, composable, and extensible addressing required for scalable agent ecosystems.

2. Layered Architecture: Registry, Protocol Adapters, and Resolution Engine

The ANS is realized via a multilayered architecture (Huang et al., 15 May 2025):

• Registry Layer: Centralizes all agent records, each entry comprising protocol info, identifiers, capabilities, version, PKI certificate (X.509), protocol-specific metadata (as JSON), metadata timestamps, and status. Registration Authority (RA) and Certificate Authority (CA) enforce identity vetting and certificate issuance, ensuring integrity and binding of agent identity and trust anchors.
• Protocol Adapter Layer: Supplies modular plugins for each supported agent protocol (A2A, MCP, ACP, etc.), parsing and mapping protocol-specific metadata on registration and serving protocol-compliant records during query. This architectural motif is mirrored in frameworks like NANDA, where protocol translation modules adapt between modalities (e.g., MCP↔A2A, NLWeb) (Wang et al., 5 Aug 2025).
• Resolution Engine: Consumes resolve requests (ANSName + constraints) and executes a deterministic algorithm: parsing, searching for matches, semantic version negotiation, retrieving and verifying endpoint records, and returning signed responses. The endpoints may be static or dynamically selected via adaptive mechanisms (Raskar et al., 18 Jul 2025, Zinky et al., 5 Aug 2025).

The ANS architecture, including representative microservice interactions and call graphs, generalizes the client→resolver→registry→intermediate→authoritative path familiar from DNS but is tightly integrated with dynamic trust, access, and capability logic.

3. Registration, Lifecycle, and Security Protocols

Agent lifecycle is governed by an explicit state machine (Huang et al., 15 May 2025):

• Registration: Agents submit metadata and certificate signing requests; the RA authenticates, CA issues the certificate, and the record is stored and returned with all cryptographic material. All payloads adhere to defined JSON Schema formats.
• Renewal: Uses existing certificates for authentication; follows similar validation and issuance.
• Revocation: Triggers certificate revocation in CA, registry updates, and CRL/OCSP dissemination following RFC 6960.

PKI-based trust is core: X.509 certificate chains, signature fields, and extended key usages (digitalSignature, nonRepudiation, clientAuth) are strictly enforced. Cryptographic operations for endpoint record validation follow standard proofs of authenticity, integrity, and non-repudiation, with semantic version negotiation correctness reducible to satisfiability checking.

NANDA and AGNTCY extend this with Verifiable Credential (VC) structures, allowing complex, multi-party trust endorsement of capabilities and agent facts, supporting mechanisms such as VC-Status-List anchoring, federated trust, and endorsement hash chains (Wang et al., 5 Aug 2025, Raskar et al., 18 Jul 2025, Muscariello et al., 23 Sep 2025).

Security threat models are rigorously analyzed:

Threat Vector	Mitigation Mechanism
Agent Impersonation	Mandatory PKI, certificate validation
Registry Poisoning	RA validation, signed responses, ACLs
Man-in-the-Middle	mTLS, payload signatures
DoS/DDoS	Distributed registries, rate limiting
Sybil Attacks	Governance fees, identity vetting
Privacy Leakage	Private lookup (PIR, anonymized relays)

Formal correctness for signature verification and certificate chains is established via standard cryptographic models (e.g., EF-CMA resistance, RFC 5280) (Huang et al., 15 May 2025, Raskar et al., 18 Jul 2025).

4. Capability Discovery, Semantic Search, and Adaptive Resolution

Capability-awareness is fundamental to ANS. Queries may specify not only agent identity but also desired skills (capability fields), semantic filters, and access tokens (JWT/OAuth2) embedding policy scopes (Huang et al., 15 May 2025).

AgentDNS introduces a hybrid discovery model: natural-language search is supported via combined keyword matching (BM25) and embedding-based retrieval, returning the top-k most relevant services semantically (Cui et al., 28 May 2025).

Resolution mechanisms in modern implementations (e.g., NANDA Adaptive Resolver) are context-aware and dynamic (Zinky et al., 5 Aug 2025):

• AgentFact schema: Includes core capabilities, geolocation, resource profiles, communication requirements (bandwidth, latency, trust level), and deployment options—all formally modeled in JSON Schema and signed.
• Recursive resolution: Iterative delegation traverses discovery registry, intermediate, and authoritative servers, each node contributing referrals, resource telemetry, or negotiation responses.
• Negotiation and optimization: Multi-round, protocol-driven negotiation establishes session/channel properties. Endpoints are selected by optimizing a utility function over geographic distance, load, capability match, and security risk:

$$U(g, l, c, s) = w_{g} \exp(-\alpha\,g) + w_{l}(1 - \frac{l}{100}) + w_{c} c - w_{s} s$$

with session setup returning tailored, ephemeral endpoint URLs and tokens.

5. Interoperability and Federation Across Protocols and Registries

The protocol-agnostic character of ANS is maintained through layered adapters and schema-driven extensibility (Huang et al., 15 May 2025, Wang et al., 5 Aug 2025, Raskar et al., 18 Jul 2025, Muscariello et al., 23 Sep 2025):

• A2A (Agent-to-Agent): Adapters ingest and emit agent cards mapping capability and role fields.
• MCP (Model Context Protocol): Stores and translates tool schemas (input/output); agents call discovered endpoints with protocol-specific headers and signed payloads.
• ACP (Agent Communication Protocol): Manages access control, returns AC-aware agent URIs and associated JWT scope tokens.
• Cross-protocol translation: Field mapping, translation, and mediation across ecosystem standards are handled by registry adapters (MCP↔A2A↔NLWeb, etc.).

Federation enables quilt-like global indices: registries cooperate via pointer fields, DID chains, and interoperable metadata, and decentralized models incorporate Kademlia-based DHTs, Merkle proofs, or CRDT-driven convergence for global state (Raskar et al., 18 Jul 2025, Wang et al., 5 Aug 2025, Muscariello et al., 23 Sep 2025).

6. Scalability, Performance, and Compliance Properties

Empirical and projected performance metrics demonstrate ANS viability for global, high-velocity agent populations (Huang et al., 15 May 2025, Zinky et al., 5 Aug 2025, Muscariello et al., 23 Sep 2025):

Metric	Value / Mode
Registration Latency	≈150 ms (incl. RA validation + CA signing)
Resolution Latency (cache/no-cache)	~20 ms / ~120 ms
Registry Throughput (centralized)	~10,000 registrations/sec
Query Throughput (centralized/DHT)	~5,000–100,000 queries/sec
DHT Lookup (AGNTCY)	80 ms cold / 8 ms warm (median)
End-to-End Adaptive Resolution (NANDA)	< 100 ms target (~120 ms incl. negotiation)
Record Size (Index Entry)	≤120 B (NANDA) / 3–10 KB (AGNTCY)

Scalability is achieved via distributed registries, horizontal DHT scaling, cached posting lists, and microservice sharding. Protocol designs are amenable to region/organization-level sharding and cross-region data residency (to support regulatory requirements, e.g., GDPR, OFAC filtering, deletion/audit APIs) (Wang et al., 5 Aug 2025).

7. Extensibility, Compliance, and Policy Enforcement

Schema-driven extensibility is ensured through Open Agentic Schema Framework (OASF) and JSON-LD schema evolution (Muscariello et al., 23 Sep 2025). Agent records can flexibly incorporate, for example, LLM prompt bundles, MCP descriptors, or novel resource and policy extensions.

Enterprise features (Agent Visibility and Control, AVC) provide operational levers for access, suspension, dynamic policy updates, and audit logging (Wang et al., 5 Aug 2025). Zero Trust Agentic Access (ZTAA) extends conventional ZTNA with posture checks, multi-factor verification, and reputation filtering for agent interactions, underpinning safe operation in adversarial environments.

Registry governance and compliance controls (e.g., sharding for GDPR residency, right-to-forget APIs, immutable audit logs) are natively supported in both centralized and distributed architectures.

---

Agent Name Services are transforming the infrastructure of autonomous AI by supplying composable, secure, and semantically rich agent discovery and resolution. They integrate strong identity binding, dynamic trust negotiation, protocol-agnostic registry, composable schemas, and horizontal scalability, establishing the backbone for interoperable and policy-driven agent ecosystems (Huang et al., 15 May 2025, Wang et al., 5 Aug 2025, Raskar et al., 18 Jul 2025, Cui et al., 28 May 2025, Muscariello et al., 23 Sep 2025, Zinky et al., 5 Aug 2025).