Trust anchor

All my domains are under control of stargrave.org’s nameservers. DNSSEC inherently sucks, at least because it is global-scale PKI, so it is not secure against government-level adversary. That is why, my nameservers use DNSCurve technology. All my TLS certificates use DANE, so their subject public key hashes are stored inside DNS TLSA records. However all that certificates are also signed by my own ca.cypherpunks.ru and cagost.cypherpunks.ru CAs.

There are my authoritative DNSCurve PGP signed nameservers below. Of course the trust anchor is my PGP key.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

uz5nulnd504gp3s7sdmdl5l2gxc762hpw926t90k39ltxp67flbccn
uz544mqwggqbf3z4utlhfqn45vpbpq78nc63hpg5u2ut29stkt0pkr
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEIpNVsPbb+nIRVbvGHh7ERWs1C6UFAmLdDEcACgkQHh7ERWs1
C6U9hQ//YsqdHjzjSHjRrarddvnOnBTtHayMUqsqnBw3IneXqdoKlH1yIdMxx169
M3vhwK0ZFIArWQ/+rIxXp7XmgZT4NAH/n5+lEqa7hb6GWujFZWXhoYK6aQXKpaID
nvne7gqUOSHuEO8xFVxmaXNKCK1MFKAXaERkzMxvs/7seEkTs2kLSWyRx/TGSM2/
FIY14CNYXpafHWlGy5FlFz4HaLBkxo0Zy9QZ7liHVA7WaDS/yIrzgM5hiTv8fh1M
ZqiJv15yOBWWq29tELr3ra39hA+A7844F03BvpVvK4I0EcnVHLs3ISrBH4g2yX+N
16poz1pj7d9OFfeBDu3YrRK8JJ7k2EE9P434okcfMRXRbRsHGlC/V5X+BYjJnHsH
rhgocS7dh9zFoGcm+BAU3HMDxoMF6STBxlKg8IOioJlraA1Up8i5b14ME87iEzYb
X/kSJX4T8rPmRjWZvKCQrkyqBm6Mr3+EDfUb7pWZk7MCxSnBrusMqOOp7iXbwGaN
DEYgnqDvnMuKdq642Gb78k6Qry/tJxYa86jtT2vw5zprUjPzew2AoO9jBdIyRkuE
27/OS89trc+/OSAEMzO3MtdLBGNDrtwuipIvrlDtINCEzekvZbyu61LnkRQFWjp4
3mhykgW3O0akiiTFt/LNtCADY/0wOqWlLYct7yBm8MnrGpMC5liIdQQBFgoAHRYh
BNsv+O1ECn6UmG+3dtIjfoQJCGy3BQJi3QxTAAoJENIjfoQJCGy3H/QA/3GrIPg9
wpPGkJ924pMzxkyY8SLbr0EeC1KWKZ91BkeHAQC0lfS8sMGjrjkLJz/DZpMYJ34w
sb1H6Z14I36mVhPrDQ==
=a+or
-----END PGP SIGNATURE-----

Also nearly all my domains has y. prefix, leading to Yggdrasil accessible address.