WAB vs Other Agent Protocols — Honest Side-by-Side

Where each protocol sits

Capability	WAB v1.3 (DNS)	ANS (PKI)	MCP	sitemap.xml	llms.txt	ai.txt / robots.txt	ai-plugin.json
Trust root Where does identity come from?	DNS owner + DNSSEC + TLS 3 independent attestations, zero new infra	External PKI / CA New CA hierarchy required	Out-of-band trust Manual config per client	None	None	None	HTTPS only
Cryptographic signature Tamper-evident manifests	Ed25519 (signed wab.json)	RSA / ECDSA via PKI	No	No	No	No	No
DNSSEC verification Resolver-level integrity	Native — AD flag checked	Optional	N/A	No	No	No	No
Discovery latency Time to first byte	~30–80 ms (1 DNS query)	200–600 ms (CRL + cert chain)	Connection setup + handshake	HTTP fetch + XML parse	HTTP fetch	HTTP fetch	HTTP fetch
Site-owner setup time Install → live	≈ 60 seconds (1 TXT record)	Hours (cert request, CSR, PKI)	Per-server config	Few minutes	Few minutes	Seconds	15–30 minutes
One-click DNS providers Native integrations shipped	7 — Cloudflare · Route 53 · Azure · GCP · cPanel · Plesk · GoDaddy/Namecheap	None	N/A	N/A	N/A	N/A	N/A
Agent-readable actions Beyond static URLs	Yes — typed actions, params, auth	Service descriptors	Yes — full RPC	URLs only	Free-text hints	No	OpenAPI spec
Cross-vendor compatibility No vendor lock-in	100% — runs over plain DNS	CA-dependent	Anthropic ecosystem	Universal	Emerging	Universal	OpenAI-bound
Key rotation Without breaking clients	Atomic via DNS TTL Add new pk → wait TTL → remove old	CRL / OCSP refresh	Manual	N/A	N/A	N/A	Manifest refresh
Caching Internet-scale	Native DNS caching everywhere	CDN / OCSP staple	No	CDN	CDN	CDN	CDN
Open spec + reference impl Free to adopt	Open · MIT · published	Draft	Open	Open	Open	Open	Open
Live trust API Programmatic verification	/api/discovery/trust/:domain	No	No	No	No	No	No

Legend: ✓ first-class support · ~ partial / optional · ✗ not supported

Why DNS-rooted trust beats CA-rooted PKI for agent discovery

Universal infrastructure. Every domain already has DNS. Adding WAB is one TXT record, not a CA enrollment ceremony.
Single trust root. The agent already trusts example.com for TLS. WAB reuses the same identity — no new authorities to vouch for.
Tamper resistance. DNSSEC + TLS + Ed25519 = three independent layers. An attacker must break all three, not just one CA.
Fast revocation. Drop the TXT record → resolvers honour TTL → revoked globally in seconds. No CRL polling, no OCSP staple.
Zero new dependencies. No PKI vendor, no transparency log, no out-of-band registry. Agents that resolve DNS already have everything they need.

The bottom line: WAB v1.3 matches PKI-grade protocols on cryptographic guarantees while keeping the operational footprint of a single DNS record — and it's the only protocol that ships with one-click integrations across all 7 major DNS providers and a live public trust API.

Verify a Domain Enable WAB DNS Live Adoption Metrics Read the Spec

WAB vs every other agent-discovery protocol

Where each protocol sits

Why DNS-rooted trust beats CA-rooted PKI for agent discovery