Policy Guide

How policy fits into a DNS-AID deployment.

DNS-AID standardizes discovery and trust signaling around DNS. Policy sits one layer above that: some deployments attach additional policy material to discovery metadata, evaluate rules inside the caller or target runtime, and optionally add resolver-side or proxy-side enforcement where the infrastructure supports it.

Explore deployment layers Homepage summary
At a glance
Current DNS-AID model plus deployment extensions
This page separates what the current public DNS-AID materials document today from policy patterns teams may add in their own infrastructure.
Current draft Discovery metadata and custom SVCB keys remain standards-track or experimental, depending on the field.
Documented today Caller-side and target-side policy evaluation, auth requirements, and CEL-driven rule checks are already part of the public site narrative.
Deployment choices Resolver gating, local payload inspection, and transparent proxy enforcement are reference patterns, not required DNS-AID protocol behavior.
Scope note The latest public IETF draft defines DNS-AID discovery and allows experimental custom SVCB metadata, but it does not standardize a full policy compiler or proxy product model. This guide combines the current public DNS-AID docs on this site with deployment-specific patterns teams may choose to implement.

Current model and deployment patterns

Policy belongs near discovery, but not everything described on policy-heavy architecture diagrams is part of the core DNS-AID protocol. The most useful way to read the space is to separate discovery metadata, runtime evaluation, and optional infrastructure enforcement.

Discovery

Policy pointers and metadata

The public draft allows deployments to publish additional metadata and policy pointers alongside discovery data. Exact semantics remain deployment-specific until they are standardized.

Runtime

Caller and target evaluation

The public DNS-AID learning materials already describe runtime policy evaluation, including auth requirements, caller restrictions, availability windows, rate limits, and CEL-based rules.

Infrastructure

Optional resolver or proxy controls

Teams that operate their own DNS or traffic infrastructure can extend runtime policy with resolver-side allow or deny logic, audit logging, or payload inspection without changing the core discovery model.

Layers a deployment may combine

The simplest DNS-AID setup can stop at runtime policy in the caller and target. More opinionated environments may add resolver-side or in-path controls, but those should be understood as deployment layers rather than protocol requirements.

Layer 0 - Resolver-side controls
Before connection setup

Infrastructure-enforced gating

If a deployment operates resolvers or DNS middleware capable of policy checks, simple allow or deny logic can run before the application connects. This is useful for domain-level gating, basic protocol restrictions, or environment-wide deny lists.

deployment-specific domain allow or deny protocol gating no SDK required
Layer 1 - Caller-side runtime
Before request dispatch

SDK policy evaluation

The caller runtime is where DNS-AID policy is easiest to reason about today: discover the target, resolve auth, fetch any deployment-specific policy bundle such as a policy.json resource, evaluate rules, and decide whether to proceed.

documented today auth resolution rule evaluation CEL support
Layer 2 - Target-side runtime
Before handler execution

Independent target checks

A target service can enforce its own policy independently of the caller's decisions. That is where teams typically validate caller identity, required auth, method access, or domain restrictions again at the receiving edge.

documented pattern caller validation method access defense in depth
Layer 3 - Optional proxy layer
In path, if you choose

Inspection and audit extensions

Some deployments may add a transparent proxy for request or response inspection, redaction, audit logging, or DLP-style controls. That can be powerful, but it is an infrastructure choice layered on top of DNS-AID rather than a current standardized DNS-AID component.

optional extension audit trail inspection no protocol change

One policy flow through the runtime

Read this as a sequence, not a feature grid. The current public DNS-AID story is discovery, auth, policy evaluation, protocol dispatch, and telemetry. Local payload inspection is shown here as an optional extension rather than a current requirement.

Current flow vs extensions Steps marked Current align with the runtime model already documented elsewhere on this site. Steps marked Extension or Deployment describe optional patterns teams may add locally.
1
Discover the target in DNS
Current

Resolve the DNS-AID record, capture the endpoint, protocol hints, and any deployment-specific metadata needed to choose how the request should be made.

2
Resolve auth and connection requirements
Current

Use the discovered metadata to choose the right auth handler, connection shape, and protocol setup before assembling the outgoing request.

3
Fetch and evaluate policy material
Current

If the deployment publishes a policy bundle such as a policy.json resource, evaluate its built-in rules and CEL expressions before the call is allowed to proceed.

4
Build the MCP, A2A, or HTTPS request
Current

Translate the call into the right application protocol and attach the chosen auth scheme, headers, and request structure for the target service.

5
Optionally inspect the outgoing payload
Extension

Some teams may add local request scanning for prompt injection, PII, or data loss checks before traffic leaves the caller's environment.

6
Dispatch the request and receive the result
Current

Send the request over the selected protocol and let the target runtime apply its own independent checks before returning a response.

7
Optionally inspect the response
Extension

Teams that need stronger data-handling controls may also scan or redact response content locally before passing it back to the caller.

8
Record telemetry and enforcement outcomes
Deployment

Capture status, latency, policy outcomes, and any deployment-specific audit signals so future routing, operations, or incident review can use them.

Policy patterns documented on this site

These examples line up with the public DNS-AID learning materials more closely than speculative trust-scoring or custom-key schemes. Built-in rules do most of the work; CEL helps when you need a narrower runtime expression.

allowed_caller_domains: ["*.trusted.com"]

Restrict access to callers from approved domains or subdomains.

Built-in policy
required_auth_types: ["oauth2", "bearer"]

Allow only specific authentication schemes for sensitive targets.

Built-in policy
availability: weekdays 09:00-17:00 UTC

Limit service use to known windows for staffing, cost, or governance reasons.

Built-in policy
rate_limits: 100 requests/minute per caller

Prevent overload or abuse without changing discovery behavior.

Built-in policy
require_dnssec: true

Make policy decisions sensitive to whether the DNS discovery path was validated.

Built-in policy
caller.domain.endsWith(".trusted.com")

Use CEL when built-in rules are not enough and the decision depends on runtime context.

CEL example

Deployment trade-offs

DNS-AID policy is easiest to reason about when it stays close to discovery metadata and runtime decisions. The alternative is a more centralized AI security stack that manages policy through a separate control plane.

Centralized AI security stack

Strong oversight through one control plane

Good at centralized governance. Teams get a single place to manage models, apps, runtime guardrails, and review workflows.
Often heavier operationally. Discovery, routing, and policy decisions can sit outside the DNS and application path you already use.
Best when uniformity matters most. This works well when every AI workload needs to route through the same inspection or compliance layer.
DNS-AID-oriented deployment

Discovery and policy close to the call path

Strong fit for federated discovery. Discovery metadata, trust signals, and some policy hints can travel with the DNS-AID record.
Incremental adoption. Teams can start with caller and target runtime checks and add resolver or proxy layers only where justified.
Best when you want composability. The deployment can stay decentralized while still layering on local runtime or infrastructure controls.

Layer summary

Start with the runtime model, then add infrastructure controls only where they solve a real operational problem. The desktop table stays for quick comparison; smaller screens get stacked cards instead of a clipped scroll area.

Layer Where it runs Best for Status SDK required
Resolver-side controls DNS resolver or DNS middleware Domain allow or deny lists, coarse protocol gating Deployment-specific No
Caller-side runtime Calling agent process Auth selection, policy bundle evaluation, protocol dispatch Documented today Caller
Target-side runtime Target service or middleware Independent caller checks, auth validation, method access Documented pattern Target
Proxy-side inspection In-path infrastructure Audit logging, inspection, redaction, DLP extensions Optional extension No

Resolver-side controls

Where
DNS resolver or DNS middleware
Best for
Domain allow or deny lists and coarse protocol gating
Status
Deployment-specific
SDK required
No

Caller-side runtime

Where
Calling agent process
Best for
Auth selection, policy evaluation, protocol dispatch
Status
Documented today
SDK required
Caller

Target-side runtime

Where
Target service or middleware
Best for
Independent caller checks, auth validation, method access
Status
Documented pattern
SDK required
Target

Proxy-side inspection

Where
In-path infrastructure
Best for
Audit logging, inspection, redaction, and DLP extensions
Status
Optional extension
SDK required
No

Use the policy guide as a deployment map, not a protocol checklist.

DNS-AID is strongest when discovery remains simple and teams layer policy where it adds real value. Start with the documented runtime model, then add resolver or proxy controls only when your environment needs them.

Back to homepage Open the course