# Your name on the door, our land underneath.

> Bring your own domain. Whisper issues and serves verifiable agent identities under it — reverse DNS, DANE, RDAP and WHOIS, all carrying your name.

You already have a domain. With Bring Your Own Identity, your agents stop living
under `agents.whisper.online` and start living under a name you own —
`YOUR-DOMAIN.COM`, or a subdomain like `agents.YOUR-DOMAIN.COM`. You bring the
domain. We run the network and the registry that vouch for the identities inside
it.

Nothing about the proofs changes. A stranger still confirms an agent is real with
one `dig`, no Whisper code. The only difference is the name they read back: it's
yours.

## What you get

Once your domain is onboarded and proven, every new agent is minted directly
under it — as `a<hex>.YOUR-DOMAIN.COM` — and the whole identity record follows the
name in:

- **A real, routable IPv6 `/128`** out of `2a04:2a01::/32` (AS219419,
  RIPE-allocated space we announce). The address stays ours; only the name moves.
- **Reverse DNS** that spells the address back as a name under your domain.
- **A DANE-EE `TLSA` pin** published in *your* now-signed zone — so a DANE-aware
  peer trusts the agent with no Whisper CA and no public CA.
- **An RDAP record and a WHOIS record** for the `/128`, answered live, linking up
  to RIPE.
- **A signed identity document** and the per-identity transparency feed, under
  your name.

Your name out front. Our ground holding it up.

## Step 1 — Onboard your domain

At your parent zone — the apex, or a subdomain you pick — delegate the name to
our nameservers and publish the `DS` we hand you for the signing key. This is the
only thing you publish, and it goes in **your own DNS**:

```
; in YOUR-DOMAIN.COM's own zone (or a subdomain — your choice)
YOUR-DOMAIN.COM.   NS   ns1.whisper.online.
YOUR-DOMAIN.COM.   NS   ns2.whisper.online.
YOUR-DOMAIN.COM.   DS   <digest 2 (SHA-256) and 4 (SHA-384), handed to you>
```

Prefer to keep your apex untouched? Delegate a subdomain instead — the records
are identical, just under the name you choose:

```
; delegating a subdomain keeps your apex exactly as it is
agents.YOUR-DOMAIN.COM.   NS   ns1.whisper.online.
agents.YOUR-DOMAIN.COM.   NS   ns2.whisper.online.
agents.YOUR-DOMAIN.COM.   DS   <digest 2 (SHA-256) and 4 (SHA-384)>
```

Two notes so this goes smoothly:

- **Keep your own zone signed end to end.** An unsigned parent breaks the DNSSEC
  chain at *your* boundary, not ours — and an unsigned domain can't be proven.
- **Don't add glue** for our out-of-bailiwick nameservers. They resolve on their
  own; glue here only gets in the way.

## Step 2 — How the proof works

**The delegation itself is the proof.** There's no token to copy, no file to
host, no TXT challenge to paste.

Once you've published the records above, we poll your own authoritative servers,
then public resolvers from several vantage points, until the delegation **and** a
matching `DS` are seen live in the wild. Delegation plus DS, observed
independently, is the proof.

It is **fail-closed**: an unproven domain is never authorized, so a name you
don't actually control can never be claimed. And it stays honest over time — a
daily continuity sweep re-checks every delegated domain. If the chain ever moves
away from us, the domain goes out of order on its own, without anyone having to
notice.

## Step 3 — Identities minted under your name

With the domain proven, new agents are minted directly under it. Where a
Whisper-hosted agent would have been `a<hex>.agents.whisper.online`, yours
becomes:

```
a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM
```

The reverse DNS, RDAP, WHOIS, DANE pin and signed identity document all follow
that name into your domain. The cleanest trust story is the one you anchor
yourself: because your zone chains to the public root through your own `DS`, the
agent's `TLSA` pin is trusted straight from your DNS — no certificate authority in
the path at all.

## Coexistence — nothing breaks

Onboarding is additive. You don't migrate, and you don't cut over.

- **Identities already issued under `agents.whisper.online` keep resolving, for
  good.** The custom domain takes over only for *new* mints.
- **Your existing DNS keeps working.** If you delegate a subdomain, your apex and
  every record on it are untouched. If you delegate the apex, only the names under
  it that we serve are affected.
- **The `/128` never moves.** The address stays ours (AS219419,
  `2a04:2a01::/32`); only the name it answers to becomes yours.

A configurable per-operator capacity cap keeps signing and replication load
bounded, and fails closed with a clear message rather than a surprise.

## Verify it yourself

The payoff is that the proofs don't change — they just read your name. Anyone,
with stock tools and no Whisper code, confirms an agent under your domain exactly
the way they would one under ours (here, against the live first resident under our
own zone):

```
$ dig -x 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 +short
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online

$ dig +short AAAA a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM
2a04:2a01:...

$ dig +short TLSA _443._tcp.a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM
3 1 1 <your-agent-key-hash>

$ curl -s https://rdap.whisper.online/ip/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq -r .name
a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM

$ whois -h whois.whisper.online a96ee1d4a4b05c8bb.YOUR-DOMAIN.COM
```

Every DNS answer carries a DNSSEC signature you can validate on 1.1.1.1 or
8.8.8.8 alike (`AD=YES`) — and because your zone is signed under your own `DS`,
the trust now anchors in *your* name. No third party sits anywhere in the path.

## What stays ours, what becomes yours

| | Yours | Ours |
|---|---|---|
| **The name** | `YOUR-DOMAIN.COM` and the agent names under it | — |
| **DNSSEC anchor** | Your `DS`, your signed zone | the signing of the delegated zone |
| **The address** | — | the `/128` from `2a04:2a01::/32` |
| **The network** | — | AS219419, BGP, RPKI, MANRS |
| **The registry** | — | RDAP, WHOIS, reverse DNS, transparency log |

You hold the name; we hold the ground.

## Where this is today

The serving engine that makes this possible — multiple forward zones, per-domain
DANE, RDAP/WHOIS/reverse and the transparency ledger under a custom name — is
**live**. Per-account onboarding is **rolling out**.

Until it lands for your account, your agents live under `agents.whisper.online`
exactly as they do today, with every proof already in place. When the custom
domain switches on for new mints, nothing you already have changes.

The full registry record — the delegation recipe, the proof policy, and the
issuance and transparency details — is published on our own registry at
[nic.whisper.online/registry](https://nic.whisper.online/registry).

## Bring your name home.

Your agents won't know the difference. They just know they're home — now under a
name that's yours.

---

- **Bring your agent home:** <https://console.whisper.security/sign-up>
- **Read the registry record:** <https://nic.whisper.online/registry>
- **Under the hood:** [/under-the-hood](/under-the-hood)
- **Moving in:** [/connect](/connect)

© viaGraph B.V. (dba Whisper Security)
