Your name on the door, our land underneath.
You already have a domain. With Bring Your Own Identity, your agents stop living under agents.whisper.online and start living under a name you own — YOUR-DOMAIN.COM, or a subdomain like agents.YOUR-DOMAIN.COM. You bring the domain. We run the network and the registry that vouch for the identities inside it.
Nothing about the proofs changes. A stranger still confirms an agent is real with one dig, no Whisper code. The only difference is the name they read back: it's yours.
Every new agent, minted under your name.
Once your domain is onboarded and proven, every new agent is minted directly under it — as a<hex>.YOUR-DOMAIN.COM — and the whole identity record follows the name in:
- A real, routable IPv6
/128out of2a04:2a01::/32(AS219419, RIPE-allocated space we announce). The address stays ours; only the name moves. - Reverse DNS that spells the address back as a name under your domain.
- A DANE-EE
TLSApin published in your now-signed zone — so a DANE-aware peer trusts the agent with no Whisper CA and no public CA. - An RDAP record and a WHOIS record for the
/128, answered live, linking up to RIPE. - A signed identity document and the per-identity transparency feed, under your name.
Your name out front. Our ground holding it up.
Onboard, prove by delegation, mint under your name
Onboard your domain.
At your parent zone — the apex, or a subdomain you pick — delegate the name to our nameservers and publish the DS we hand you for the signing key. This is the only thing you publish, and it goes in your own DNS:
; in YOUR-DOMAIN.COM's own zone (or a subdomain — your choice)
YOUR-DOMAIN.COM. NS ns1.whisper.online.
YOUR-DOMAIN.COM. NS ns2.whisper.online.
YOUR-DOMAIN.COM. DS <digest 2 (SHA-256) and 4 (SHA-384), handed to you>
Prefer to keep your apex untouched? Delegate a subdomain instead — the records are identical, just under the name you choose:
agents.YOUR-DOMAIN.COM. NS ns1.whisper.online.
agents.YOUR-DOMAIN.COM. NS ns2.whisper.online.
agents.YOUR-DOMAIN.COM. DS <digest 2 (SHA-256) and 4 (SHA-384)>
Keep your own zone signed end to end — an unsigned parent breaks the DNSSEC chain at your boundary, not ours, and an unsigned domain can't be proven. And don't add glue for our out-of-bailiwick nameservers; they resolve on their own, and glue here only gets in the way.
Prove it by delegation.
The delegation itself is the proof. There's no token to copy, no file to host, no TXT challenge to paste. Once you've published the records above, we poll your own authoritative servers, then public resolvers from several vantage points, until the delegation and a matching DS are seen live in the wild. Delegation plus DS, observed independently, is the proof.
It is fail-closed: an unproven domain is never authorized, so a name you don't actually control can never be claimed. And it stays honest over time — a daily continuity sweep re-checks every delegated domain. If the chain ever moves away from us, the domain goes out of order on its own, without anyone having to notice.
Identities minted under your name.
With the domain proven, new agents are minted directly under it. Where a Whisper-hosted agent would have been a<hex>.agents.whisper.online, yours becomes:
a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM
The reverse DNS, RDAP, WHOIS, DANE pin and signed identity document all follow that name into your domain. The cleanest trust story is the one you anchor yourself: because your zone chains to the public root through your own DS, the agent's TLSA pin is trusted straight from your DNS — no certificate authority in the path at all.
Nothing breaks. Onboarding is additive.
You don't migrate, and you don't cut over.
- Identities already issued under
agents.whisper.onlinekeep resolving, for good. The custom domain takes over only for new mints. - Your existing DNS keeps working. If you delegate a subdomain, your apex and every record on it are untouched. If you delegate the apex, only the names under it that we serve are affected.
- The
/128never moves. The address stays ours (AS219419,2a04:2a01::/32); only the name it answers to becomes yours.
A configurable per-operator capacity cap keeps signing and replication load bounded, and fails closed with a clear message rather than a surprise.
The proofs don't change. They just read your name.
Anyone, with stock tools and no Whisper code, confirms an agent under your domain exactly the way they would one under ours. The commands below run live against the first resident on our own zone; swap in your a<hex>.YOUR-DOMAIN.COM name and address once you're onboarded.
$ dig -x 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 +short
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
$ dig +short AAAA a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM
2a04:2a01:...
$ dig +short TLSA _443._tcp.a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM
3 1 1 <your-agent-key-hash>
$ curl -s https://rdap.whisper.online/ip/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq -r .name
a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM
$ whois -h whois.whisper.online a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM
Every DNS answer carries a DNSSEC signature you can validate on 1.1.1.1 or 8.8.8.8 alike (AD=YES) — and because your zone is signed under your own DS, the trust now anchors in your name. No third party sits anywhere in the path.
What stays ours, what becomes yours.
| Yours | Ours | |
|---|---|---|
| The name | YOUR-DOMAIN.COM and the agent names under it | — |
| DNSSEC anchor | Your DS, your signed zone | the signing of the delegated zone |
| The address | — | the /128 from 2a04:2a01::/32 |
| The network | — | AS219419, BGP, RPKI, MANRS |
| The registry | — | RDAP, WHOIS, reverse DNS, transparency log |
You hold the name; we hold the ground.
Live serving engine, per-account onboarding rolling out.
The serving engine that makes this possible — multiple forward zones, per-domain DANE, RDAP/WHOIS/reverse and the transparency ledger under a custom name — is live. Per-account onboarding is rolling out.
Until it lands for your account, your agents live under agents.whisper.online exactly as they do today, with every proof already in place. When the custom domain switches on for new mints, nothing you already have changes.
The full registry record — the delegation recipe, the proof policy, and the issuance and transparency details — is published on our own registry at nic.whisper.online/registry.
Bring your name home.
Your agents won't know the difference. They just know they're home — now under a name that's yours.