One call. One true answer.
Here's how we keep it that simple.

keyless · the whole identity check, from any terminal
$ curl -s https://rdap.whisper.online/verify-identity/2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478 | jq '{is_whisper_agent,dane_ok,jws_ok}'
{
  "is_whisper_agent": true,
  "dane_ok": true,
  "jws_ok": true
}

That is the whole identity check, keyless, from any terminal. dane_ok: true is the part that matters: the agent's key is pinned in DNSSEC-signed DNS, so the answer is already on the wire. Nothing to call. No certificate authority to trust but the record itself. Nothing on your critical path that can go down, because the proof lives in the DNS, not in us.

No terminal? run it in your browser for the same keyless verdict, as JSON.

We hold this ground ourselves, and we tend it.

One address, three planes: identity, control, cognition The agent's /128 address sits at the center — one routable address from 2a04:2a01::/32 on AS219419. Three planes surround it. Identity: who is it — DNS, RDAP, RIPE, DANE. Control: where can it go — resolver, egress, firewall, policy graph. Cognition: is it safe — one keyless call and the evidence chain. /128 one address 2a04:2a01::/32 · AS219419 Identity who is it? DNS · RDAP · RIPE · DANE Control where can it go? resolver · egress firewall · graph Cognition is it safe? one keyless call evidence chain
One address is the identity, the point of control, and the thing anyone can ask about — the same /128 answers all three.

Eight windows anyone can look through. No trust in us. None.

Built on the internet's own standards: reverse DNS, forward DNS, DANE/TLSA, RDAP, WHOIS, a single keyless full-chain check, the friendly name that resolves to the same agent — and a public transparency ledger that wrote it all down. Each one a stock tool a careful engineer already trusts. The DANE record is DNSSEC-signed; the ad flag comes back on 1.1.1.1 and 8.8.8.8 alike.

This is the agent's key, written into signed DNS itself, so no certificate authority sits between you and the proof:

DANE TLSA · the key pinned in signed DNS
$ dig +short TLSA _443._tcp.ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
3 1 1 9EC1EF18A1F15E5480A0FC3C8D6E9690B2CCF1A7FA7146201940F28C 422BB47D

dig wraps the long digest, so the final group prints on its own; it is one value. check it on a resolver you already trust.

And the friendly name you call it by resolves to that same agent, in signed DNS, so even the name on the door checks out:

friendly name · resolves to the same agent, in signed DNS
$ dig +short CNAME scout.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online
ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online

check it on a resolver you already trust.

The eighth window is the ledger itself. Every identity we mint is written into a public transparency log in the RFC 6962 lineage — Merkle tiles you can fetch, an Ed25519-signed checkpoint, anchored to Bitcoin via OpenTimestamps. One curl reads the signed head of the log:

transparency ledger · the signed checkpoint
$ curl -s https://whisper.online/checkpoint
whisper.online/ledger
64
B66DTSD3Eq5OYm29c8oVMuDuVjbTgsokKEk4sdyRiKU=

— whisper.online/ledger ijpd8I14cmGnMp9HajPjCRadLGL8Bs+E8weqY/EiPQd3lvnxC7hT6eMyGVJFImQfCIPc1O6jyDid9cEjABz1II+7aw4=

Origin, tree size, root hash, signature — captured live; the tree only grows. The signing key is not taken on faith either: it is published in DNSSEC-signed DNS at _whisper-ledger.whisper.online, so even the log's own key chains to the IANA root.

And one command walks all eight windows at once, anchored at the IANA DNSSEC root — with the Whisper API explicitly not trusted:

whisper verify --trustless · every check, from the DNSSEC root
$ whisper verify --trustless 2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478
CHECK         RESULT  TRUST        DETAIL
dnssec        pass    DNSSEC-root  AAAA, PTR and TLSA(3 1 1) all DNSSEC-validated to the IANA root; address <-> fqdn consistent
dane          pass    DNSSEC-root  served leaf SPKI-SHA256 == TLSA pin; DNS-SAN=ae3b051ff3bf7f478...agents.whisper.online, IP-SAN=2a04:2a01:b69a:6717:e3b0:51ff:3bf7:f478; issuer "Whisper Agent Identity Issuing CA"
transparency  pass    DNSSEC-root  root signature verified; 1 event(s), root_hash bound; 1 ledger leaf/leaves included (RFC-6962)
identity_doc  pass    DNSSEC-root  JWS verified against the DNSSEC-anchored key; address/fqdn/tlsa claims match the DNSSEC-validated facts

whisper: ae3b051ff3bf7f478.tdc38e7c55bad3306a92b830f9bb1e4f9.agents.whisper.online is CRYPTOGRAPHICALLY PROVEN — trust anchor: DNSSEC root (IANA anchor) + DANE-EE + DNSSEC-anchored transparency/ledger keys -- Whisper API NOT trusted

The CLI is open source, MIT, at github.com/whisper-sec/whisper-cli — read exactly what it checks, then run it. The full verbatim run, with every field, is on the connect page.

Don't trust us — check the log.

Identity claims are committed to a tamper-evident log so a record cannot be changed after the fact without detection. A Merkle transparency log in the RFC 6962 lineage, served as C2SP tlog-tiles with signed-note checkpoints; periodic anchoring via OpenTimestamps to Bitcoin, so checkpoints carry an independent timestamp no one — including us — can backdate. Entries are opaque, salted commitments, so a record can be crypto-shredded: privacy and tamper-evidence at the same time.

The ledger's signing key, like the identity key, is published DKIM-style in DNSSEC-signed DNS — so the log verifies from the same root the DNS does:

the ledger key, anchored in signed DNS
$ dig _whisper-ledger.whisper.online TXT +dnssec @1.1.1.1
;; flags: qr rd ra ad
_whisper-ledger.whisper.online. 300 IN TXT "v=whisper1; k=ed25519; n=whisper.online/ledger; p=MCowBQYDK2VwAyEApyTBKL3bSJO7kBbdw4FqJsjREW23jNP07HybKByIabg="

One honest word on where this stands: the log is tamper-evident and signed today; independent witnesses are being recruited. The checkpoint format is the open C2SP standard any witness can co-sign, and we co-sign back — anyone who runs a witness makes the log mutually, independently verifiable. Until then, the Bitcoin anchor is the independent clock.

The full wiring — tiles, consistency proofs, the signed revocation status-list, crypto-shredding and Art. 17 — is on under the hood. What it buys a security team — audit-grade transparency, a kill-switch whose effect is publicly provable — is on trust; why we build at this layer at all is on why.

Three ways to give your agents a home, from moving into ours to building on your own land.

A home can be one you move into, one you put your own name on, or one you build on your own land. All three are real, all three run on the same signed ground.

Move in.

Your agents live under our roof, at agents.whisper.online, on our network and in our registry. We hold the name and we hold the ground, both ours to keep safe, on 2a04:2a01::/32 over AS219419. You operate nothing. The fastest way home.

Your name on the door, our land underneath.

Bring your own domain, and your agents mount under it, DNSSEC-signed, so a name like scout.acme.com is theirs. The network and the registry that vouch for them stay ours to keep. Your name out front, our ground holding it up.

Your own land.

The whole home runs on your network, under your name, on your ground, end to end. We build it with you and keep it tended, the same way we tend our own home.

Whichever you pick, it is the same home, and your agents will not know the difference. They just know they are home.

The people who built it have done this before.

Built by a team that has spent years keeping core internet infrastructure running, and we are building this one the same way, to last. The proof is on the wire, not on a page: every agent record links straight up to RIPE's own record for 2a04:2a01::/32, on AS219419, ground we hold and sign ourselves. The rules that bind it, and the live public record, are open on our own registry, nic.whisper.online.

The engine underneath is ours, written here, not BIND, not a rented SaaS. We did that on purpose: a home you own outright is a home no one else can quietly change the locks on. The same care runs through how an agent is kept safe on the way out. Before it connects, it asks the live graph who really runs a host, from inside its own address. That check is built into the home, not bolted on. Want it named down to the RFC? See what one line sets in motion →

Meet the people behind it over at whisper.security.

Operator. Whisper Security (viaGraph B.V.), Amsterdam · AS219419.

On ground we hold ourselves.

One autonomous system, AS219419, IPv6-only, RPKI-signed, MANRS. One address range, 2a04:2a01::/32, every agent's /128 carved from space we hold. One DNS, whisper.online, DNSSEC-signed end to end. We hold this ground ourselves, and we tend it, so the home stays the home you moved into.