plain-language edition · no jargon ahead
What is this about?
ds-watch keeps an eye on a small but important piece of internet plumbing. This page explains what that piece is, why it can be tampered with quietly, and what a public logbook does about it. No networking background needed — five minutes, three pictures.
## the address book
Every time you send an email or open a website, your device first asks the internet's address book — the Domain Name System (DNS) — a simple question: "Where do I find example.org?" The answer decides where your message actually goes. Everything starts with that lookup.
## sealed entries
An address book that anyone can shout answers into is easy to abuse: hand someone a fake entry, and their email quietly goes to the wrong place. The fix is called DNSSEC: entries come with a tamper-proof seal — a digital signature. Your device can check the seal and reject forged answers.
But a seal is only as good as the key that made it. So the real question becomes: who says which key is the right one?
## a chain of vouching
The vouching works like a chain: the root vouches for .org, and .org vouches for example.org. The little note that does the vouching between a zone and its parent is called a DS record. It says, in effect: “the key below really belongs to this name.” Those links are exactly what ds-watch watches.
## the weak spot
Here is the uncomfortable part: links in that chain can be replaced. The organisations that operate the parent zone — and the companies you register domains through — can swap the vouching note for a different key. Sometimes that's legitimate (owners renew their keys all the time). Sometimes it wouldn't be: whoever controls the new key can speak as the domain — receive its email, impersonate its services.
And the DNS has no memory. Once a link is swapped, yesterday's link is simply gone. There is no built-in way for anyone — including the domain's owner — to notice that anything changed at all.
## what ds-watch does
ds-watch gives the DNS the memory it never had. Right now it photographs 1,012,806 key-links across 3 zones (.org, .info, .dev) — every day:
-
photograph
Take a daily snapshot of every key-link in the zones we cover.
-
compare
Hold it against yesterday's photo. Almost everything is identical.
-
write it down
Every difference goes into a public logbook that only ever grows — nothing can be quietly erased.
-
ring the bell
Domain owners on the watchlist get told the moment their link changes.
## receipts, not claims
One more trick makes the logbook hard to argue with: the zones that publish these key-links also sign them. ds-watch keeps those original signatures next to every log entry — like keeping the sealed envelope instead of just describing the letter. You don't have to trust us that a change happened; you can check the registry's own seal.
## why it matters
This plumbing carries more everyday weight than it looks: whether your email reaches the right server, whether its encryption can be trusted, whether a login page is talking to the right place. The web's certificates got a public watchdog back in 2013 — it's called Certificate Transparency, and it has caught real attacks. The DNS never got one. This project is a working argument that it should.