The Problem
Blockchain custody environments need a way to verify public keys without relying on centralised key servers. PGP keyservers suffer from spam, lack of authentication, and no clear ownership verification. In regulated environments (particularly digital asset custody) you need to prove that a key belongs to an organisation with the same certainty that an SSL certificate proves domain ownership.
The Insight
DNS already solves this problem in other areas. SPF records prove email sending authority. DKIM records publish email signing keys. DMARC policies dictate enforcement. The infrastructure for broadcasting machine-readable key material via DNS TXT records is battle-tested, globally distributed, and already trusted by regulated institutions.
DN-Key applies the same pattern to cryptographic public keys: publish your Bitcoin, Ethereum, or arbitrary public keys as DNS TXT records on a domain you control. Verification becomes a DNS lookup. No custom infrastructure, no trust in third-party keyservers, no registration required.
How It Works
- Key publication — add a TXT record to your domain:
  _dnkey.example.com TXT "v=DNKEY1; k=bitcoin; p=xpub..."
- Discovery — clients resolve the TXT record to find the public key for a given domain and key type
- Verification — domain ownership is proven by DNS control (same trust model as SSL). The key is authentic because only the domain owner can set TXT records
- Multi-key support — multiple records for different chains, key types, or purposes on the same domain
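A client-side sketch of the discovery and multi-key steps above, added here as an example and not taken from DN-Key's own code. The tags v, k and p come from the sample record; the function names and the strictness rules (version tag first, duplicates rejected, all three tags mandatory) are assumptions.

```python
VERSION = "DNKEY1"          # version value from the page's sample record
REQUIRED = ("v", "k", "p")  # tags in that sample; treating all as mandatory is an assumption


def parse_dnkey(txt_strings):
    """Parse one TXT record (list of character-strings) into a dict of tags.

    Returns None if the record is not DN-Key (SPF and other TXT data can share
    a name). Raises ValueError if it claims DN-Key but is malformed.
    """
    # DNS splits long TXT data into strings of at most 255 bytes; rejoin first.
    text = "".join(txt_strings).strip()
    if text.split(";", 1)[0].replace(" ", "") != "v=" + VERSION:
        return None
    tags = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue  # allow a trailing ';'
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name:
            raise ValueError(f"not a tag=value pair: {part!r}")
        if name in tags:
            # Two values for one tag is ambiguous: refuse rather than pick one.
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    missing = [t for t in REQUIRED if not tags.get(t)]
    if missing:
        raise ValueError(f"missing or empty tags: {missing}")
    return tags


def select_keys(rrset, key_type):
    """Return every published key of one type from a TXT RRset (multi-key support)."""
    keys = []
    for txt_strings in rrset:
        tags = parse_dnkey(txt_strings)  # malformed DN-Key records fail closed
        if tags and tags["k"].lower() == key_type.lower():
            keys.append(tags["p"])
    return keys


# Constructed sample RRset for _dnkey.example.com (key values are placeholders).
SAMPLE = [
    ["v=spf1 -all"],
    ["v=DNKEY1; k=bitcoin; ", "p=xpubCONSTRUCTED"],
    ["v=DNKEY1; k=ethereum; p=0xCONSTRUCTED"],
]

if __name__ == "__main__":
    print(select_keys(SAMPLE, "bitcoin"))
```

The parser only checks the record's shape; whether the answer can be trusted depends on how the TXT record was resolved, for example through a DNSSEC-validating resolver.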
Design Decisions
The protocol deliberately mirrors email authentication standards (SPF/DKIM) so that existing DNS management tools, compliance workflows, and audit procedures work without modification. Regulated custodians already have DNS management processes audited by compliance teams. DN-Key slots into that existing workflow rather than introducing new infrastructure that needs separate audit.
The format is intentionally simple: a single TXT record with key-value pairs. No custom DNS record types (which require registrar support), no complex encoding, no dependencies beyond standard DNS resolution.
Adoption
DN-Key was adopted by ATA Plus ECF (a member of the Blockchain Embassy consortium) for their custody infrastructure, proving the concept in a regulated Malaysian financial services context.
The protocol was subsequently cited by name in the Securities Commission Malaysia's official capital markets blueprint during Project Castor (2018), used for multi-signature redeem scripts, deterministic key creation, and enforcement of pre-approved multi-signature accounts. This represents a national regulator formally incorporating an independently authored protocol into its capital markets architecture.
DN-Key informed later work on CoKeeps (Malaysia's first approved Digital Asset Custodian) where key management and proof of custody were central regulatory requirements. In 2025, the protocol was reused in Oviato's chain-agnostic identity layer for passkey-native wallets, and made Nostr NIP-05 compatible, proving forward-compatibility with protocols that didn't exist when DN-Key was written in 2016.