healthy
https://dnsmesh.de

Operator pubkey: fbe5081430bdefb75f02b794edb6b35bb3428bdbd99e50811fe91f7d3692cdd9

This node mints per-user TSIG keys. One HTTPS hop to register, then every record write is RFC 2136 DNS UPDATE under that key — no further HTTPS. (Default key lifetime: 90 days.)
Set a passphrase before dnsmesh init. It derives your Ed25519 + X25519 keys via Argon2id and is the only thing protecting your identity — losing it loses the identity, no recovery. The CLI reads $DMP_PASSPHRASE first, then the file at passphrase_file in your config, then prompts interactively.
```
pipx install dnsmesh
read -rs DMP_PASSPHRASE   # silent prompt, not in shell history
export DMP_PASSPHRASE
dnsmesh init alice@<your-zone> --endpoint dnsmesh.de
dnsmesh tsig register --node dnsmesh.de
dnsmesh identity publish
```
No subject allowlist — any user@example.com address can register.
Inter-node coordination (M9) is DNS-only. Try these from any resolver:
```
dig @dnsmesh.de _dnsmesh-heartbeat.dmp.dnsmesh.de TXT +short
dig @dnsmesh.de _dnsmesh-seen.dmp.dnsmesh.de TXT +short
```
Each TXT value is a signed HeartbeatRecord wire. Verify locally with dnsmesh peers dmp.dnsmesh.de.
| Endpoint | Operator pubkey | Version | Last heard | Sources |
|---|---|---|---|---|
| https://dnsmesh.de | fbe50814...cdd9 | 0.7.1 | 0s ago | 1 |
| https://dnsmesh.io | c0e5385e...32c2 | 0.7.1 | 1m ago | 1 |
| https://dnsmesh.pro | 55dd5085...bfef | 0.7.1 | 5m ago | 1 |
Raw discovery is DNS-only as of M9: dig @<node> _dnsmesh-heartbeat.<zone> TXT or _dnsmesh-seen.<zone>.
Federated end-to-end encrypted messaging delivered over DNS. Identity = DNS name. No central directory, no phone numbers, no servers to trust. As of M9 the protocol speaks DNS both directions — reads via TXT queries, writes via RFC 2136 UPDATE under per-user TSIG keys. The only HTTPS exchange is the one-time TSIG-key registration step.
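
What "writes via RFC 2136 UPDATE under per-user TSIG keys" means on the wire, as an added example that is not dnsmesh's own code: it builds an UPDATE, signs it per RFC 8945, and runs the receiver-side check that rejects a modified or stale message. The hmac-sha256 algorithm, the key name, the zone and the record contents are assumptions made for illustration.

```python
import hashlib, hmac, struct

def name(n: str) -> bytes:
    """Domain name in lowercase, uncompressed DNS wire format."""
    labels = [part for part in n.lower().rstrip(".").split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

ALG = name("hmac-sha256")  # assumption: the page does not name the TSIG algorithm
SOA, TXT, TSIG, IN, ANY = 6, 16, 250, 1, 255

def build_update(msg_id: int, zone: str, owner: str, txt: bytes, ttl: int = 300) -> bytes:
    """Unsigned RFC 2136 UPDATE adding one TXT record (opcode 5, ZOCOUNT=1, UPCOUNT=1)."""
    header = struct.pack("!6H", msg_id, 5 << 11, 1, 0, 1, 0)
    rdata = bytes([len(txt)]) + txt
    rr = name(owner) + struct.pack("!HHIH", TXT, IN, ttl, len(rdata)) + rdata
    return header + name(zone) + struct.pack("!HH", SOA, IN) + rr

def tsig_mac(msg: bytes, key: str, secret: bytes, signed_at: int, fudge: int) -> bytes:
    """HMAC over the message plus the TSIG variables (RFC 8945, section 4.3.3)."""
    variables = (name(key) + struct.pack("!HI", ANY, 0) + ALG
                 + struct.pack("!HIHHH", signed_at >> 32, signed_at & 0xFFFFFFFF, fudge, 0, 0))
    return hmac.new(secret, msg + variables, hashlib.sha256).digest()

def sign(msg: bytes, key: str, secret: bytes, signed_at: int, fudge: int = 300) -> bytes:
    """Append the TSIG RR to the additional section and bump ARCOUNT."""
    mac = tsig_mac(msg, key, secret, signed_at, fudge)
    rdata = (ALG + struct.pack("!HIHH", signed_at >> 32, signed_at & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    rr = name(key) + struct.pack("!HHIH", TSIG, ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify(signed: bytes, key: str, secret: bytes, now: int) -> bool:
    """Receiver-side check; relies on the fixed TSIG layout that sign() emits."""
    head = len(name(key)) + 10 + len(ALG)   # owner name + RR header + algorithm name
    rr_len = head + 10 + 32 + 6             # time/fudge/MAC size + MAC + ID/error/other len
    if len(signed) < 12 + rr_len or signed[10:12] == b"\x00\x00":
        return False
    msg, rr = signed[:-rr_len], signed[-rr_len:]
    hi, lo, fudge = struct.unpack("!HIH", rr[head:head + 8])
    signed_at, mac = (hi << 32) | lo, rr[head + 10:head + 42]
    # The MAC was computed before the TSIG RR existed, so undo the ARCOUNT bump.
    msg = msg[:10] + struct.pack("!H", struct.unpack("!H", msg[10:12])[0] - 1) + msg[12:]
    fresh = abs(now - signed_at) <= fudge   # updates outside the fudge window are rejected
    return fresh and hmac.compare_digest(mac, tsig_mac(msg, key, secret, signed_at, fudge))

# Constructed sample values, not taken from the page or from a real registration.
SECRET = bytes(range(32))
UPDATE = build_update(0x1234, "dmp.example.test", "mailbox.dmp.example.test", b"constructed-payload")
SIGNED = sign(UPDATE, "alice.example.test", SECRET, signed_at=1_700_000_000)
```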