MagicDNS

Friendly names for every peer.

Beacons issues per-fleet DNS subdomains. A peer named scribe-7 in the acme fleet resolves to scribe-7.acme.beacons.mesh from anywhere inside the fleet. DNS records are signed and policy-gated.

Where DNS lives

DNS for Beacons is served by the Relays platform (PowerDNS under the hood). Each fleet gets a subdomain of beacons.mesh (or your custom suffix). Inside the fleet, peers resolve each other by name. Outside the fleet, the names do not exist.

How records are derived

Records are not edited by hand. They are derived from the same policy state that drives ACLs. When a peer enrolls, its name becomes resolvable inside its fleet. When a peer is revoked, its name is removed. When an alias is granted (e.g. papi.acme.beacons.mesh → scribe-7), the alias inherits the policy of the target peer.
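The derivation rule above, modeled as an added example (not Beacons code). The Peer shape, the opaque policy id, the alias map and the sample data are assumptions made for illustration; the sketch shows why deriving records from policy state leaves no dangling alias once a target is revoked.

```python
from dataclasses import dataclass

SUFFIX = "beacons.mesh"  # default suffix named on the page


@dataclass(frozen=True)
class Peer:              # hypothetical shape of one entry in the policy state
    name: str
    fleet: str
    policy: str          # opaque policy id (assumption)
    revoked: bool = False


def derive_records(peers, aliases):
    """Derive {fqdn: {"target", "policy"}} from policy state.

    aliases maps (fleet, alias_label) -> target peer name in the same fleet.
    """
    live = {(p.fleet, p.name): p for p in peers if not p.revoked}
    records = {}
    for (fleet, name), peer in live.items():
        records[f"{name}.{fleet}.{SUFFIX}"] = {"target": name, "policy": peer.policy}
    for (fleet, label), target in aliases.items():
        peer = live.get((fleet, target))
        if peer is None:
            # Assumption: an alias whose target is revoked or unknown is not
            # emitted, since it has no target policy to inherit.
            continue
        records[f"{label}.{fleet}.{SUFFIX}"] = {"target": target, "policy": peer.policy}
    return records


def resolve(records, querier_fleet, fqdn):
    """Names exist only inside their own fleet; anything else returns None."""
    if not fqdn.endswith(f".{querier_fleet}.{SUFFIX}"):
        return None
    rec = records.get(fqdn)
    return rec["target"] if rec else None


# Constructed sample state: one live peer with an alias, one revoked peer with an alias.
SAMPLE_PEERS = [
    Peer("scribe-7", "acme", "pol-a"),
    Peer("old-1", "acme", "pol-b", revoked=True),
    Peer("scribe-7", "globex", "pol-c"),
]
SAMPLE_ALIASES = {("acme", "papi"): "scribe-7", ("acme", "legacy"): "old-1"}

if __name__ == "__main__":
    for fqdn, rec in sorted(derive_records(SAMPLE_PEERS, SAMPLE_ALIASES).items()):
        print(fqdn, "->", rec["target"], rec["policy"])
```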

DNSSEC

Records are DNSSEC-signed. Per-fleet zones use independent KSK/ZSK pairs so a compromise of one fleet's zone signing key does not cascade.

Open a fleet

The mesh that fits agents and humans.

A `did:oas`-rooted private mesh that ships peer configurations to any device, anywhere, by policy — not by hand.
