Proposed standard · Internet-Draft in preparation

Make the right security contact easy to find.

Publish vulnerability reporting contacts and policy links in DNS—before a researcher connects to a service.

Domain-scoped. Transport-independent. Freshness built in.

_security.example.com
_security.example.com. 3600 IN TXT
  "security_contact=mailto:[email protected]"
_security.example.com. 3600 IN TXT
  "security_policy=https://example.com/security"
_security.example.com. 3600 IN TXT
  "security_expires=2027-01-01T00:00:00Z"
one DNS query TXT · RFC 3339

Reference programs

Disclosure at Internet scale

Five significant programs from the disclose.io directory. Reference examples—not claims of DNS Security TXT deployment.

Publish

Three records. One clear route.

Set a contact, optionally link a policy, and state when the information expires.

The reference domain, without _security.
An absolute mailto: or https:// URI.
An HTTPS vulnerability disclosure policy.
RFC 3339 UTC. Keep it less than one year ahead.
Zone-file output Ready to publish

            

Values update as you type.

01

security_contact

Required. Publish one or more absolute reporting URIs.

02

security_policy

Optional. Point to the applicable HTTPS policy.

03

security_expires

Required exactly once. Expired information is not used.

Discovery

A domain-level default, without guesswork.

  1. 1

    Choose the reference domain

    The application determines the domain whose security information it needs.

  2. 2

    Query _security

    Resolve the TXT RRset at _security.<domain>. No automatic apex fallback.

  3. 3

    Validate before use

    Parse known fields, check expiration, honor DNSSEC, and surface inconsistencies.

Works with security.txt

DNS Security TXT supplies a domain-scoped default. RFC 9116 remains the host-specific HTTP mechanism. Publishers should keep both consistent.

About security.txt

Why DNS

Findable before the first request.

Security contact discovery should not depend on an application being online, correctly routed, or even HTTP-based.

Authoritative location

DNS gives the domain operator a clear place to publish reporting information.

Central maintenance

One RRset can describe the default for services associated with a domain.

Explicit freshness

security_expires prevents stale contacts from living forever.

Non-HTTP discovery

Clients can find a contact without assuming a working website or web stack.

FAQ

Short answers.

The Internet-Draft is normative. This page stays deliberately practical.

Does this replace security.txt?

No. DNS Security TXT provides domain-scoped discovery, including for non-HTTP services. RFC 9116 remains useful for host-specific information.

Does publishing a record authorize testing?

No. A contact record is not permission to test. Any authorization, safe harbor, or rules of engagement must be explicit in the applicable policy.

Why is expiration required?

Stale contacts can lose or misdirect sensitive reports. Exactly one RFC 3339 timestamp states when the entire RRset stops being usable.

Should records also be published at the apex?

No for normative deployments. The proposed standard uses _security.<domain>. Apex records are legacy migration material only.

Is DNSSEC required?

Unsigned records remain useful for discovery, but DNSSEC is recommended. A DNSSEC result of Bogus must not be used.

Open standard

Read it. Test it. Improve it.

The proposal is being prepared as an individual IETF Internet-Draft. Technical review and implementation feedback are welcome.