Pilot notes
The first live Handout revival proof is .iamthat.
This page records the public story of the first LearnHNS Handout pilot:
a real Handshake TLD, a small VPS, manual Bob records, Knot DNS,
nginx, DNSSEC, DANE/TLSA, and the first managed SLD,
handout.iamthat.
What worked
- http://iamthat/ loads in SkyInclude Browser.
- http://handout.iamthat/ loads as the first Handout-managed subdomain.
- Public HNS resolution returned the expected A and TLSA records after the Bob update became effective.
The parent records
The TLD owner published the parent-zone records in Bob. Handout's job is to generate and verify these values, but for the first revival release the human still approves and submits them.
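One way to run the "verify these values" step against the zone's DNSKEY, reading the four-field value in this section's records as a DS record (key tag, algorithm, digest type, digest). This is an added example, not Handout's own code: the DNSKEY is constructed sample data rather than the pilot's real key, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

# Four-field value as published on this page, read here as a DS record (assumption).
PAGE_DS = "46444 13 2 36c2e1eaa3cd2fb022aa03ae103c3bc1f1b93b3aa66aefe94fed7f95d581bad0"

# Constructed sample key, NOT the pilot's real DNSKEY: flags 257 (KSK), protocol 3,
# algorithm 13 (ECDSA P-256), 64-byte public key filled with a counting pattern.
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

def parse_ds(text):
    """Parse DS presentation format; accept only SHA-256 (digest type 2) digests."""
    tag, alg, dtype, digest_hex = text.split()
    digest = bytes.fromhex(digest_hex)
    if int(dtype) != 2 or len(digest) != 32:
        raise ValueError("expected digest type 2 (SHA-256) with a 32-byte digest")
    return int(tag), int(alg), int(dtype), digest

def dnskey_rdata(text):
    """Convert DNSKEY presentation format to wire-format RDATA."""
    flags, proto, alg, key_b64 = text.split(None, 3)
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name such as 'iamthat.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, dnskey_text):
    """Derive the DS value a parent should publish for this DNSKEY (digest type 2)."""
    rdata = dnskey_rdata(dnskey_text)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"

def ds_matches(owner, dnskey_text, ds_text):
    """True only if key tag, algorithm and digest all agree with the DNSKEY."""
    return parse_ds(make_ds(owner, dnskey_text)) == parse_ds(ds_text)
```

Running `ds_matches("iamthat.", <the zone's actual DNSKEY line>, PAGE_DS)` before approving the records catches a stale or mistyped digest, which would otherwise make the zone fail DNSSEC validation.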
ns.iamthat.
ns.iamthat. 167.71.215.247
46444 13 2 36c2e1eaa3cd2fb022aa03ae103c3bc1f1b93b3aa66aefe94fed7f95d581bad0
Why HTTP stays on
During the pilot, current HNS browser behavior made one decision obvious: the first installer should serve both HTTP and HTTPS and should not force an automatic redirect to HTTPS.
HTTP remains available for HNS browser and local resolver compatibility. HTTPS remains available for DANE/TLSA-capable clients. ACME can be documented as a future bridge option, not the default.
What is on the server
The live pilot runs on a small DigitalOcean droplet at
167.71.215.247. The server is intentionally ordinary:
Knot answers authoritative DNS, nginx serves the web pages, UFW limits
exposed ports, and Handout keeps generated evidence and rollback notes
alongside the live config.
- Authoritative DNS for .iamthat and managed SLD records.
- Dual HTTP and HTTPS vhosts for the root TLD and SLD pages.
- DANE-first certificate proof for Handshake-native trust.
- Review files, manifests, backups, public checks, and SLD gates.
The next shape: hosted Handout
This pilot proves the infrastructure path. The next product question is how to make it useful for people who do not want to manage a VPS.
A TLD owner would choose a name, copy a small set of Bob records, and manage pages or SLDs from a dashboard. Handout would run the DNS, hosting, backups, and proof checks behind the scenes.
Release notes from the pilot
- Knot should be the first modern authoritative DNS target.
- The all-in-one historical Node server should stay as educational reference.
- DANE and self-signed TLS should be the default Handshake-native path.
- ACME support belongs on the long-term bridge-compatibility roadmap.
- The SLD command language is the clearest naming for subdomain management.
- Generated service config needs clean install, backup, upgrade, and uninstall boundaries.