Reference
Troubleshooting
DNS propagation, TTL, and common AID errors (1000–1005)
Troubleshooting
DNS propagation
- Try multiple resolvers:
dig @1.1.1.1 TXT _agent.<domain>,dig @8.8.8.8 .... - Check authoritative NS directly (from your registrar/host).
- Allow several minutes; some providers cache for longer.
TTL & caching
- Recommended TTL: 300–900 seconds.
- Clients may cache up to the DNS TTL.
- For testing, lower TTL temporarily; raise for production.
Common errors
- 1000 ERR_NO_RECORD:
_agent.<domain>TXT not found- Add at subdomain
_agent(not apex). Verify propagation.
- Add at subdomain
- 1001 ERR_INVALID_TXT: malformed record
- Required keys:
v=aid1;uri=...;proto=<token>. - Use
proto(preferred) orp(shorthand), not both. - Remote URIs must be
https://and parseable.
- Required keys:
- 1002 ERR_UNSUPPORTED_PROTO: unsupported
proto- Use one of:
mcp,openapi,a2a,local.
- Use one of:
- 1003 ERR_SECURITY: security policy violation
- DNSSEC failures, invalid local execution, or disallowed scheme.
- 1004 ERR_DNS_LOOKUP_FAILED: DNS/network timeout/failure
- Retry, try different resolver, increase client timeout.
- 1005 ERR_FALLBACK_FAILED: .well-known fetch failed/invalid
- Ensure
/.well-known/agentexists, returns JSON, and uses HTTPS.
- Ensure
PKA handshake failures (checklist)
- Missing covered fields: ensure exactly
"AID-Challenge" "@method" "@target-uri" "host" "date" - Algorithm mismatch:
algmust beed25519 - Timestamp skew:
createdor HTTPDateoutside ±300 seconds keyidmismatch: headerkeyiddoes not equal recordkid(quotes allowed)- Invalid key:
pkanotz...base58btc or not 32‑byte Ed25519 public key
Quick checks
- CLI:
aid-doctor check <domain>oraid-doctor json <domain>. - Web: aid.agentcommunity.org/workbench.
- For comprehensive diagnostics, use the aid-doctor CLI which provides detailed validation, security checks, and PKA verification.