PRIVATE.ME PLATFORM

xDNSGuard: DNS Root Zone Integrity

XorIDA splits DNSSEC root zone signing keys across geographically distributed registrars. Strengthens the existing key ceremony model with threshold secret sharing.

DNS / Infrastructure COMING SOON XorIDA Powered

Section 01

The Problem

DNSSEC root zone signing keys (KSK/ZSK) are single points of failure for the entire internet. Key ceremonies are infrequent and rely on physical security alone.

The current DNSSEC key ceremony model concentrates root zone signing authority in two physical facilities. While the ceremonies themselves are well-secured, the underlying key material remains a monolithic secret. If either facility is compromised, the trust anchor for the global DNS hierarchy is undermined.

Country-code TLDs face similar challenges: ccTLD operators must protect zone signing keys with limited budgets and infrastructure. Many rely on single-HSM deployments with manual backup procedures that introduce human error and insider threat risk.

The Old Way

Section 02

The PRIVATE.ME Solution

XorIDA splits root zone signing keys across geographically distributed registrars. No single registrar, facility, or jurisdiction holds complete key material.

The threshold sharing model transforms the DNSSEC key ceremony from a physical-security-dependent process into a cryptographic-guarantee-backed protocol. Key ceremonies become distributed events where K-of-N registrars cooperate to sign, but no single participant can act alone.

Each share is HMAC-SHA256 tagged, ensuring tamper detection at every stage. The split operation uses GF(2) arithmetic for sub-millisecond performance, making it feasible to integrate into existing ceremony workflows without introducing latency.

The New Way

Section 03

How It Works

The root zone integrity pipeline integrates with existing DNSSEC key ceremony processes while replacing the single-point-of-trust model with threshold cryptographic guarantees.

Key Security Properties

Geographic distribution: Shares stored across different jurisdictions eliminate single-jurisdiction seizure risk. Ceremony compatibility: Integrates with existing ICANN/IANA ceremony workflows. Quantum-safe: XorIDA's information-theoretic security is immune to quantum computing advances.

Section 03B

Fast Onboarding: 3 Acceleration Levels

Traditional DNS security requires manual resolver configuration, DNSSEC key generation, and custodian coordination. xDNSGuard collapses this to 15 seconds with zero-click accept, 90 seconds with one-line CLI, and 10 minutes with deploy buttons.

Level 1: Zero-Click Accept

15 seconds — Auto-accept invite from env var. No manual DID setup, no resolver config.

Node.js/Deno/Bun

// .env file
XDNS_INVITE_CODE=XDNS-abc123

// Auto-accept on first query
import { createDNSGuardManager } from '@private.me/xdnsguard';

const manager = createDNSGuardManager({
  zone: 'example.com',
  resolvers: ['8.8.8.8', '1.1.1.1', '9.9.9.9'],
  queryThreshold: 2,
  queryShares: 3
});
// ✅ Invite auto-accepted, ready to query

Level 2: One-Line CLI

90 seconds — Generates DNS Guard DID, configures resolvers, deploys first zone.

CLI

# Install and initialize
npx @private.me/xdnsguard init

# Output:
# ✅ DNS Guard DID generated
# ✅ Saved to .env
# ✅ Resolvers configured
# Ready to protect zones

# Configure your first zone
npx @private.me/xdnsguard setup \
  --zone example.com \
  --resolvers 8.8.8.8,1.1.1.1 \
  --threshold 2 --shares 3

Level 3: Deploy Button

10 minutes — One-click deploys split-channel resolver infrastructure to Vercel/Netlify/Railway.

INCLUDED

✓ Split-channel DNS resolver (2-of-3)
✓ DNSSEC key custody coordinator
✓ Encrypted query logging
✓ DDoS mitigation dashboard

Example: Zero-Click Accept

Set invite code in environment, configure zone on first query. No manual setup required.

Zero-Click Accept Example

// 1. Set environment variable
// .env file:
XDNS_INVITE_CODE=https://xdns.private.me/invite/XDNS-abc123

// 2. Configure zone (auto-accepts invite)
import { createDNSGuardManager } from '@private.me/xdnsguard';

const manager = await createDNSGuardManager({
  zone: 'example.com',
  enableSplitChannel: true,
  queryThreshold: 2,
  queryShares: 3,
  resolvers: ['8.8.8.8', '1.1.1.1', '9.9.9.9'],
  enableDNSSEC: true,
  enableQueryLog: true,
  onProgress: (percent, msg) => console.log(`[${percent}%]`, msg)
});

// 3. Execute split-channel query
const queryResult = await manager.query({
  id: 'q1',
  domain: 'www.example.com',
  type: 'A',
  timestamp: new Date(),
  client: 'did:key:z6Mk...',
  dnssecValidation: true
});

if (queryResult.ok) {
  console.log('✅ Query protected via 2-of-3 split');
  console.log('✅ DNSSEC validated');
  console.log('✅ Query encrypted in logs');
  console.log('Response:', queryResult.value.records);
}

// What happened:
// 1. Invite auto-accepted from XDNS_INVITE_CODE env var
// 2. DNS Guard DID generated and saved to .env
// 3. Query split via XorIDA (2-of-3)
// 4. Shares sent to 3 independent resolvers
// 5. Responses verified with HMAC-SHA256
// 6. Query logged with AES-256-GCM encryption
// Total time: ~15 seconds

Example: CLI Setup

One command generates DNS Guard DID, configures resolvers, and protects your first zone.

CLI Example

# Step 1: Install CLI globally
npm install -g @private.me/xdnsguard

# Step 2: Initialize (generates DID, configures resolvers)
xdnsguard init

# Output:
# Generating DNS Guard DID...
# ✅ DNS Guard DID: did:key:z6Mk...
# ✅ Saved to .env
# ✅ Resolvers configured: 8.8.8.8, 1.1.1.1, 9.9.9.9
# Ready to protect zones

# Step 3: Configure your first zone
xdnsguard setup \
  --zone example.com \
  --resolvers 8.8.8.8,1.1.1.1,9.9.9.9 \
  --threshold 2 \
  --shares 3 \
  --dnssec-algorithm ED25519

# Output:
# [0%] Validating configuration...
# [20%] Generating DNSSEC key pair...
# [40%] Splitting private key via XorIDA...
# [70%] Distributing shares to custodians...
# [100%] Zone configuration complete
#
# ✅ Zone configured with 2-of-3 split-channel
# ✅ DNSSEC key generated (ED25519)
# ✅ Key shares distributed to 3 custodians
# ✅ Query logging encrypted
# Ready to serve queries: xdnsguard serve

# Total time: ~90 seconds

Example: Deploy Button

Click one button to provision split-channel resolver infrastructure with DNSSEC key custody, encrypted logging, and DDoS mitigation.

DEPLOY BUTTONS

Deploy to Vercel Deploy to Netlify

Provisions complete DNS security infrastructure in one click. Environment variables auto-configured, DNS Guard DID auto-generated, ready to serve queries immediately.

INFRASTRUCTURE INCLUDED

✓ Split-channel DNS resolver with XorIDA query distribution
✓ DNSSEC key custody coordinator (2-of-3 default)
✓ Encrypted query logging (AES-256-GCM)
✓ DDoS mitigation with per-client rate limiting
✓ Resolver health monitoring dashboard

Viral growth mechanics

Zero-Click Accept enables invite code sharing. DNS admins who receive invite codes can deploy protected zones in 15 seconds, then generate their own invite codes for downstream zones. Each deployment creates 3-5 viral loops: zone operator → subdomain admins → registrars → managed DNS providers → enterprise customers. Viral coefficient: 1.2→5.0+ depending on zone delegation depth.

Section 04

Use Cases

🌍

Global DNS

DNSSEC Key Ceremony Modernization

Split root KSK across global registrar sites. Threshold signing ceremony replaces single-facility model. Backward-compatible with existing DNSSEC infrastructure.

3-of-7 threshold

🇪🇺

Country-Code TLDs

ccTLD Key Management

National registries split zone signing keys across government facilities. Ensures continuity even if one facility is compromised or unavailable.

2-of-3 threshold

🏢

Enterprise

Enterprise DNS Security

Large organizations split internal DNS signing keys across security teams. Prevents single-admin DNS hijacking. Integrates with existing BIND/PowerDNS deployments.

2-of-3 threshold

🖧

Registrar Operations

Registrar Key Distribution

Domain registrars distribute DNSSEC signing keys across data centers. Automated key rotation with threshold reconstruction at signing time.

3-of-5 threshold

Section 05

Integration

Quick Start

import { splitRootKey, performCeremony } from '@private.me/xdnsguard';

// Split root KSK across 5 registrars (3 needed)
const shares = await splitRootKey(rootKsk, registrars, {
  n: 5,
  k: 3,
});

// Distribute to geographically separated sites
await Promise.all(shares.map((s, i) =>
  deliverToRegistrar(registrars[i], s)
));

// Perform threshold signing ceremony
const result = await performCeremony({
  shares: [shares[0], shares[2], shares[4]],
  zone: '.',
});

splitRootKey(ksk: Buffer, registrars: string[], config: { n: number, k: number }): Promise<RootShare[]>

Splits a DNSSEC root zone signing key (KSK or ZSK) into N shares distributed across registrars. Each share is HMAC-tagged and includes registrar identity binding.

performCeremony(opts: { shares: RootShare[], zone: string }): Promise<CeremonyResult>

Reconstructs the signing key from K shares and performs zone signing. Verifies all share HMACs, reconstructs key material, signs the zone, and securely erases key from memory.

Section 06

Security Properties

Property	Mechanism	Guarantee
Confidentiality	XorIDA GF(2) splitting	Information-theoretic (unconditional)
Integrity	HMAC-SHA256 per share	Tamper detection pre-reconstruction
Geographic Isolation	Multi-jurisdiction distribution	No single-seizure compromise
Ceremony Audit	Witness logs + share tracking	Full provenance chain
Quantum Resistance	Information-theoretic model	Immune to quantum attacks

<1ms

KSK split time

Dependencies

100%

Test coverage

K-of-N

Threshold model

VERIFIED BY XPROVE

Verifiable Data Protection

Every operation in this ACI produces a verifiable audit trail via xProve. HMAC-chained integrity proofs let auditors confirm that data was split, stored, and reconstructed correctly — without accessing the data itself.

XPROVE AUDIT TRAIL

Every XorIDA split generates HMAC-SHA256 integrity tags. xProve chains these into a tamper-evident audit trail that proves data was handled correctly at every step. Upgrade to zero-knowledge proofs when regulators or counterparties need public verification.

Read the xProve white paper →

GET STARTED

Ready to deploy xDNSGuard?

Talk to Ren, our AI sales engineer, or book a live demo with our team.

Book a Demo

VERIFIABLE WITHOUT CODE EXPOSURE

Ship Proofs, Not Source

xDnsguard generates cryptographic proofs of correct execution without exposing proprietary algorithms. Verify integrity using zero-knowledge proofs — no source code required.

XPROVE CRYPTOGRAPHIC PROOF

Download proofs:

Tier 1 HMAC (~0.7KB)
Tier 2 Commit-Reveal (~0.5KB)
Tier 3 IT-MAC (~0.3KB)
Tier 4 KKW ZK (~0.4KB)

Verify proofs online →

Use Cases

🏛️

REGULATORY

FDA / SEC Submissions

Prove algorithm correctness for distributed systems without exposing trade secrets or IP.

Zero IP Exposure

🏦

FINANCIAL

Audit Without Access

External auditors verify secure operations without accessing source code or production systems.

FINRA / SOX Compliant

🛡️

DEFENSE

Classified Verification

Security clearance holders verify distributed systems correctness without clearance for source code.

CMMC / NIST Ready

🏢

ENTERPRISE

Procurement Due Diligence

Prove security + correctness during RFP evaluation without NDA or code escrow.

No NDA Required

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

Zero infrastructure setup
Automatic updates
99.9% uptime SLA
Enterprise SLA available

View Pricing →

📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

npm install @private.me/xdnsguard
TypeScript/JavaScript SDK
Full source access
Enterprise support available

Get Started →

🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

Complete data sovereignty
Air-gap capable deployment
Custom SLA + dedicated support
Professional services included

Request Quote →

Enterprise On-Premise Deployment

While xDNSGuard is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
Air-gapped environments — SCIF, classified networks, offline operations
Data residency requirements — EU GDPR, China data laws, government mandates
Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →