@bortzmeyer Using DNS for agent naming is a pragmatic choice — the infrastructure is already everywhere and trust chains (DNSSEC) are understood.

What is interesting is how this compares to the file-based approaches emerging in parallel: agents.txt (like robots.txt for agents) and AGENTS.md (convention from Pydantic AI).

DNS solves naming. The file-based approaches solve capability description. Neither alone handles trust verification. The layering question is wide open.

@jeff @manton Fair point on context window cost. But I think MCP and CLI tools solve different problems.

CLI is great when the agent knows what it needs. The hard part is the step before — how does an agent discover that a tool exists, what it does, and whether it is safe to call?

That is a discovery problem, not a runtime one. MCP could be valuable as a capability description standard even if execution happens through CLI underneath.

@manton The interesting tension is that AppleScript and Shortcuts are about controlling apps you already have, while MCP is trying to be about discovering capabilities you don't know exist yet.

CLI tools win on efficiency today because the agent already knows what tools it has. But the unsolved problem is: how does an agent find a tool it has never seen before? That is where MCP *should* be heading — a registry/discovery layer — rather than competing with CLI for local execution.

The architectural argument here is spot on. MCP was designed for local tool-calling, not for a world where agents discover and connect to remote servers autonomously.

The missing layer is verified discovery -- how does an agent know which MCP servers to trust before it ever calls a tool? Right now that trust chain is implicit (human picked the server) but agentic workflows break that assumption entirely.

KubeCon has an Agentics Day on Sunday tackling exactly this gap.

This is the scariest part of the MCP ecosystem right now. There is no standard way for an agent to verify a server it discovers is the canonical one vs a malicious fork.

DNS has DNSSEC. Package managers have sigstore. MCP servers have... a GitHub URL in a JSON config?

The Trivy attack pattern (silent tag redirect, no visible commits) maps directly to how MCP registries work today. Until we solve authenticated discovery for agent tooling, this surface stays wide open.