WAB DNS Discovery

Announce your AI-readiness at the infrastructure level. Add a single DNS TXT record at _wab.yourdomain.com and any compatible AI agent will instantly find your wab.json capabilities — no HTTP probe required.

What & Why Record Format Live Verifier Setup Guides Troubleshooting Repo & Docs

What is WAB DNS Discovery?

WAB DNS Discovery is a lightweight protocol that lets AI agents instantly know whether a domain supports WAB and where to fetch its capabilities document. It works exactly like SPF, DKIM, or DMARC for email — a single TXT record at a well-known subdomain advertises your protocol support.

Why use it?

MIT-licensed open protocol

How it works (under the hood)

  1. The AI agent resolves a TXT query on _wab.example.com.
  2. Your authoritative DNS returns: v=wab1; endpoint=https://example.com/.well-known/wab.json
  3. The agent parses the v= and endpoint= parameters, validates the version, then fetches the capabilities document directly.
  4. Optional fields can be added later: feat=, sig=, ttl=, etc.

The TXT Record Format

FieldValueDescription
TypeTXTPlain text record
Name / Host_wabSubdomain prefix → _wab.yourdomain.com
Valuev=wab1; endpoint=https://yourdomain.com/.well-known/wab.jsonProtocol version + capabilities URL
TTL3600 / AutoStandard cache lifetime
_wab.yourdomain.com.   3600   IN   TXT   "v=wab1; endpoint=https://yourdomain.com/.well-known/wab.json"

DNS Records for webagentbridge.com (canonical)

The exact records the WAB site itself publishes. Each row is verified live against Cloudflare DoH (1.1.1.1) when this page loads.

Querying live DNS…
LiveName / HostTypeValueTTL
_wab TXT "v=wab1; endpoint=https://www.webagentbridge.com/.well-known/wab.json" 3600
_wab-agent TXT "v=wab1; mcp=https://www.webagentbridge.com/api/v1/protocol; gateway=https://www.webagentbridge.com/api/v1" 3600
_wab-trust TXT "v=wab1; trust=https://www.webagentbridge.com/.well-known/wab.json; security=https://www.webagentbridge.com/.well-known/security.txt" 3600
_dmarc TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@webagentbridge.com; ruf=mailto:dmarc@webagentbridge.com; adkim=s; aspf=s; pct=100" 3600
@ (apex) TXT "v=spf1 -all" 3600
@ (apex) CAA 0 issue "letsencrypt.org" 3600
@ (apex) CAA 0 iodef "mailto:security@webagentbridge.com" 3600

Verify after propagation: open the live verifier above dig _wab.webagentbridge.com TXT +short

Live Verifier (DNS over HTTPS)

Enter any domain to query its _wab TXT record live from a public DoH resolver. This runs entirely in your browser — no data is sent to our servers.

{}

DNS Privacy Model — what DoH does and does not protect

WAB Discovery never uses plain UDP DNS. Every lookup of _wab.example.com uses DNS over HTTPS (DoH), so the query is encrypted between the agent and the resolver.

ThreatPlain DNSWAB DoH
ISP / network observer sees lookup✗ visible cleartext✓ encrypted (TLS 1.3)
DoH provider sees lookup— (not used)⚠ visible to chosen resolver
Reply tampered in transit✗ trivial on-path✓ TLS prevents on-path tamper
Authoritative record forged at zone✗ no signature⚠ DNSSEC recommended
Provider link leaks via certificate✓ certificate pinning roadmap

Bottom line: DoH moves the trust point from your ISP to your DoH resolver — a strict improvement, but you still pick whom to trust. Combine DoH with DNSSEC and certificate pinning for the strongest posture.

DNSSEC live status for webagentbridge.com:

Silent Handshake — agent-aware sites, zero cookie banners

When a WAB-aware site advertises _wab and _wab-trust over DNS, the agent and site negotiate intent in the background — no privacy popup, no cookie banner, no consent click-fest.

  1. Agent resolves _wab.{site} over DoH → discovers wab.json endpoint.
  2. Agent resolves _wab-trust.{site} → reads contract: data scope, rate limits, complaint channel.
  3. Agent fetches wab.json, signs request with its key, site responds with structured commands.
  4. Both sides record outcome to their audit ledger. No human pixels harmed.

SEO upside: WAB-discoverable sites get prioritized by agent traffic, return data faster (less scraping overhead), and reduce server load. Opt-in sites surface first in agent search results — the opposite of the cookie-wall tax.

1. Cloudflare

  1. Open Cloudflare dashboard and select your domain.
  2. Go to DNS → Records → Add record.
  3. Type: TXT, Name: _wab
  4. Content: v=wab1; endpoint=https://yourdomain.com/.well-known/wab.json
  5. Leave TTL on Auto and Save.

2. cPanel (Shared Hosting)

  1. cPanel → Domains → Zone Editor → Manage.
  2. Add Record → Add "TXT" Record.
  3. Name: _wab (cPanel appends your domain automatically).
  4. Record: v=wab1; endpoint=https://yourdomain.com/.well-known/wab.json
  5. Click Save Record.

3. GoDaddy

  1. Domain Portfolio → click your domain.
  2. DNS tab → DNS Records → Add New Record.
  3. Type: TXT, Name: _wab
  4. Value: v=wab1; endpoint=https://yourdomain.com/.well-known/wab.json
  5. Save (TTL default = 1 Hour is fine).

4. Namecheap

  1. Domain List → Manage → Advanced DNS.
  2. Host Records → Add New Record → TXT Record.
  3. Host: _wab
  4. Value: v=wab1; endpoint=https://yourdomain.com/.well-known/wab.json
  5. Save with the green checkmark.

5. AWS Route 53

  1. Route 53 → Hosted zones → your domain → Create record.
  2. Record name: _wab — Record type: TXT
  3. Value (with quotes): "v=wab1; endpoint=https://yourdomain.com/.well-known/wab.json"
  4. TTL: 3003600
  5. Click Create records.

6. Google Domains / Squarespace, OVH, etc.

The pattern is identical across all providers: create a TXT record with host _wab and the v=wab1; endpoint=… value. If your provider asks for the FQDN, use _wab.yourdomain.com. Some panels strip the trailing dot — that is OK.

Verify from the command line

DNS propagation can take a few minutes up to 48 hours. Verify with:

# macOS / Linux
dig TXT _wab.yourdomain.com +short

# Windows
nslookup -type=TXT _wab.yourdomain.com

# Anywhere (DoH via curl)
curl -s -H 'accept: application/dns-json' \
  'https://cloudflare-dns.com/dns-query?name=_wab.yourdomain.com&type=TXT'

Expected output:

"v=wab1; endpoint=https://yourdomain.com/.well-known/wab.json"

Troubleshooting