Felix Mertins ds-watch

plain-language edition · no jargon ahead

What is this about?

ds-watch keeps an eye on a small but important piece of internet plumbing. This page explains what that piece is, why it can be tampered with quietly, and what a public logbook does about it. No networking background needed — five minutes, three pictures.

## the address book

Every time you send an email or open a website, your device first asks the internet's address book — the Domain Name System (DNS) — a simple question: "Where do I find example.org?" The answer decides where your message actually goes. Everything starts with that lookup.

## sealed entries

An address book that anyone can shout answers into is easy to abuse: hand someone a fake entry, and their email quietly goes to the wrong place. The fix is called DNSSEC: entries come with a tamper-proof seal — a digital signature. Your device can check the seal and reject forged answers.

But a seal is only as good as the key that made it. So the real question becomes: who says which key is the right one?

## a chain of vouching

the internet's root the .org zone example.org vouches for vouches for this link is a “DS record”
Each zone vouches for the keys of the one below it, all the way up to a single, well-known starting point.

The vouching works like a chain: the root vouches for .org, and .org vouches for example.org. The little note that does the vouching between a zone and its parent is called a DS record. It says, in effect: “the key below really belongs to this name.” Those links are exactly what ds-watch watches.

## the weak spot

Here is the uncomfortable part: links in that chain can be replaced. The organisations that operate the parent zone — and the companies you register domains through — can swap the vouching note for a different key. Sometimes that's legitimate (owners renew their keys all the time). Sometimes it wouldn't be: whoever controls the new key can speak as the domain — receive its email, impersonate its services.

And the DNS has no memory. Once a link is swapped, yesterday's link is simply gone. There is no built-in way for anyone — including the domain's owner — to notice that anything changed at all.

## what ds-watch does

one photo of every domain's key-link — every day day 1 day 2 day 3 day 4 day 5 day 6 day 7 logged: key changed
The moment a link looks different from yesterday, that becomes a permanent, public log entry.

ds-watch gives the DNS the memory it never had. Right now it photographs 1,012,806 key-links across 3 zones (.org, .info, .dev) — every day:

  1. photograph

    Take a daily snapshot of every key-link in the zones we cover.

  2. compare

    Hold it against yesterday's photo. Almost everything is identical.

  3. write it down

    Every difference goes into a public logbook that only ever grows — nothing can be quietly erased.

  4. ring the bell

    Domain owners on the watchlist get told the moment their link changes.

## receipts, not claims

One more trick makes the logbook hard to argue with: the zones that publish these key-links also sign them. ds-watch keeps those original signatures next to every log entry — like keeping the sealed envelope instead of just describing the letter. You don't have to trust us that a change happened; you can check the registry's own seal.

## why it matters

This plumbing carries more everyday weight than it looks: whether your email reaches the right server, whether its encryption can be trusted, whether a login page is talking to the right place. The web's certificates got a public watchdog back in 2013 — it's called Certificate Transparency, and it has caught real attacks. The DNS never got one. This project is a working argument that it should.