DMP Protocol Specification

The normative reference for the DNS Mesh Protocol — wire format, DNS naming conventions, end-to-end flows, threat model. A third-party implementation should be buildable from these pages plus the interop test vectors under tests/test_vectors.py.

Top-level reference

• Spec overview — versioning, record-type registry, common invariants, trust model.
• Wire encoding conventions — v=dmp1;t=<type>; prefix, base64 rules, Ed25519 signature placement, magic bytes, multi-string TXT splitting, DNS-name validation.
• DNS name routing — how every record type’s DNS owner name is computed (mailbox slots, chunks, identity, prekey, cluster, bootstrap).
• End-to-end flows — message send/receive, identity publish/fetch, cluster discovery.
• Threat model — defended attacks, residual risks, explicit out-of-scope items.

Per-record-type references

• Slot manifest — per-message mailbox pointer (v=dmp1;t=manifest;).
• Signed identity record — binds (username, x25519_pk, ed25519_spk) (v=dmp1;t=identity;).
• One-time prekey — signed pool of ephemeral X25519 keys (v=dmp1;t=prekey;).
• Cluster manifest — signed node-set for a cluster (v=dmp1;t=cluster;).
• Bootstrap record — signed user-domain → cluster pointer (v=dmp1;t=bootstrap;).
• Claim record (notifications) — signed mailbox pointer used for first-contact reach (M8.2) and receiver-zone notifications (M10) (v=dmp1;t=claim;).

Adjacent documents

• Cryptography — primitives, key derivation, AEAD AAD construction.
• Security model — short pointer to SECURITY.md at the repo root (the authoritative threat statement).
• Key rotation — co-signed rotation chain + revocation records.

---

Table of contents

• Spec overview
• Wire encoding
• Wire format
• Cryptography
• DNS name routing
• End-to-end flows
• Security model
• Threat model
• Cluster manifests
• Bootstrap records
• Key rotation + revocation
• Notifications (M10)