How it works
Whisper runs the whole trust chain — DNS, certificate authority, registry, egress, and the IP space itself — on one autonomous system it owns.
Most "agent identity" is a dashboard bolted onto someone else's infrastructure. That makes an agent only as trustworthy as the weakest vendor in a chain you can't see, and it disappears the day one of them changes terms, gets acquired, or goes down. This page is the alternative, layer by layer: what each one is, the RFC it implements, and how to check it yourself.
Three layers, one address
An agent's /128 — one IPv6 address, 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 — is the credential. Everything else is a proof about that address.
| Layer | What it is | Deep dive |
|---|---|---|
| Identity | The /128, a forward name (acef2002a323d40d4.<tenant>.agents.whisper.online), a PTR back to it, a DANE-pinned certificate, and a signed ledger entry. Seven proofs, all DNSSEC-anchored, none needing an SDK to check. |
Identity, Verify |
| Control | A per-agent resolver, egress path, and firewall, evaluated fresh at connection time against policy you set. | Control plane, Connect |
| Cognition | Before it acts, an agent can ask the graph "is this safe?" — identify / assess / explain over billions of fused BGP, DNS, WHOIS, TLS, hosting, and threat-intel records — and get an answer with its evidence. |
Graph & cognition |
The rest of this page is what makes those layers real: the network underneath them, and the six systems we run ourselves instead of renting.
The network: AS219419
Every proof terminates in one place — our own autonomous system.
- AS219419 — IPv6-only, RPKI-signed, dual-homed, MANRS-compliant, with a published geofeed and
security.txt. Listed on PeeringDB and bgp.tools. - 2a04:2a00::/31 — a RIPE-allocated superblock we hold outright.
- 2a04:2a01::/32 — the half agents come from. Every
/128is real, globally routable space we are the registry for. Not NAT, not a shared pool, not a lease from a cloud provider's block.
We hold the space, so we are the authority for it. Nobody has to take our word for what an address is — the routing system and the registries answer directly.
With stock tools — trace the announcement and the RIR delegation with whois and a route collector:
whois -h whois.radb.net 2a04:2a01::/32 # route object, origin AS219419
whois -h riswhois.ripe.net 2a04:2a01:eb5a::/48 # BGP origin, seen-by peer count
curl -sG https://stat.ripe.net/data/rpki-validation/data.json \
--data-urlencode 'resource=219419' \
--data-urlencode 'prefix=2a04:2a01::/32' | jq -r .data.status
# "valid"
With Whisper — the same chain, one verdict:
whisper verify 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4
# ✓ RPKI ROA valid (AS219419) ✓ in-region delegation (RIPE) ✓ reverse DNS matches forward
What we run ourselves
Nothing on this list is a SaaS we call at serve time. Each is a system we operate, and each has a public, standards-based way to check it.
1. Authoritative DNS + resolver
Forward zones under agents.whisper.online and reverse zones under ip6.arpa are DNSSEC-signed with ECDSA P-256 (algorithm 13, RFC 6605) and NSEC3 (RFC 5155) for authenticated denial. Changes propagate by ordinary zone transfer — AXFR (RFC 5936), IXFR (RFC 1995) — not a proprietary sync.
kdig +dnssec acef2002a323d40d4.demo.agents.whisper.online AAAA
# AAAA 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 + RRSIG, ad flag set
kdig -x 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 +dnssec # PTR, also signed
delv @1.1.1.1 acef2002a323d40d4.demo.agents.whisper.online AAAA # independent validator
2. RDAP and WHOIS — the registry
Every /128 gets a per-address RDAP record over HTTPS and a WHOIS record on port 43 — the same registry pattern any RIR runs, scoped to the space we hold, chaining up to RIPE.
curl -s https://rdap.whisper.online/ip/2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 # RFC 9083
whois -h whois.whisper.online 2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4 # RFC 3912
Ownership history and the delegation chain: RDAP.
3. A per-agent CA, DANE-pinned
Every agent gets its own TLS key and leaf certificate, and the pin is a TLSA record (RFC 6698) under its own name. Trust then rests on DNSSEC — which you already validate — not on the public CA ecosystem being uncompromised that day.
kdig +dnssec _443._tcp.acef2002a323d40d4.demo.agents.whisper.online TLSA
# TLSA 3 1 1 b653a4ef…fcb82d1d
openssl x509 -in agent.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum
# compare this hash against the TLSA record by hand
Key derivation, rotation, and revocation: Per-agent CA and DANE & TLSA.
4. Egress and a per-agent firewall
Outbound traffic sources from the agent's own /128 — over WireGuard, or a SOCKS5/HTTP-CONNECT proxy bound with AnyIP — so what leaves the network is the identity, never a shared exit IP. Policy (category, geography, ownership, routing posture) is enforced per agent against the live graph at connect time, not a static allow-list. Full flow: Connect & egress.
5. A transparency log
Every issuance and revocation is a leaf in an append-only Merkle tree, in the style of Certificate Transparency (RFC 6962). Signed checkpoints are anchored to Bitcoin via OpenTimestamps — an independent, permissionless proof the log existed at a point in time we cannot move.
# verify the Merkle inclusion proof yourself — no key required
import hashlib, requests
leaf = requests.get("https://rdap.whisper.online/ip/2a04:2a01:eb5a:ca74:cef2:2a:323d:40d4/transparency").json()
h = bytes.fromhex(leaf["leaf_hash"])
for sibling in leaf["proof"]:
pair = h + bytes.fromhex(sibling) if leaf["order"] else bytes.fromhex(sibling) + h
h = hashlib.sha256(b"\x01" + pair).digest()
assert h.hex() == leaf["checkpoint_root"]
Why tampering can't hide: Transparency log.
6. The graph
Under identify / assess / explain sits a graph fusing routing, DNS, WHOIS, TLS, hosting, and threat-intel history into one queryable structure, answering at resolver speed. It turns "here is an address" into "here is whether you should talk to it." See Graph & cognition.
Why it's all checkable
Each system above is verifiable with generic tools — dig, whois, openssl, curl, a hand-rolled Merkle check — precisely because none of them is a black box you trust on our say-so. The whisper CLI and the whisper.agents verb make the common case one command; they wrap the standards, never replace them.
Every page here resolves end to end on our own ns1/ns2 and validates AD=yes on 1.1.1.1 and 8.8.8.8. Whether you use our resolver, delegate a zone to it, or self-host the stack, you run the same standards — not a wrapper around ours.
Next
- Identity — the seven proofs on one address, in order
- Verify an agent — one command that runs this whole page's checks