poztter.org

component · 0x0050 / 0x0051

Service Zone.

The Service Zone is the centralized infrastructure registry for a POZ record. All server endpoints, ports, encryption methods, and CA keys live here, exactly once. Other zones reference services by content hash, not by hostname, so no hostname is duplicated across zones; a change to a service's hosts changes its hash, and each dependent zone acknowledges the new hash explicitly instead of silently following a renamed or replaced server.

service entries

Each service has a name (optional), a type, and a pool of hosts. The service hash is computed from the entry's content and is the handle other zones use to refer to it.

service types

Type         Use
POZ_QUERY    Query servers (port 7074 / 7075)
POZ_SUBMIT   Authoritative submit servers (port 7076)
HTTPS        Web endpoint
MAIL         Mail servers, referenced by inbox entries
FEED         Feed post servers
REVOCATION   Real-time key revocation lookup
CUSTOM       Anything else

pool entries

Each host in a pool specifies hostname, port, transport (TCP or UDP), encryption (NONE, TLS or NOISE_NK), an optional per-server public key, the CA key index, and a priority and weight for failover and load balancing. Priority works as in MX and SRV records (the lowest value is tried first; higher values are fallbacks), and weight works as in SRV records (the share of traffic each host receives among hosts at the same priority).
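The selection rule implied by priority and weight, as an added example (not code from poztter.org or the POZ implementation): a client orders the pool lowest priority first, draws hosts within one priority level in proportion to their weights, and skips hosts it already knows are down. The dataclass field names, the SRV-style convention that a weight-0 host is used only when nothing else at its level remains, and the sample pools (the MAIL pool from fig 01 plus a constructed three-host pool) are assumptions of this example.

```python
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

@dataclass(frozen=True)
class PoolHost:
    """One host in a service pool. Field names are this example's, not a wire format."""
    hostname: str
    port: int
    transport: str = "TCP"          # TCP or UDP
    encryption: str = "TLS"         # NONE, TLS or NOISE_NK
    server_key: Optional[bytes] = None   # optional per-server public key
    ca_key_index: Optional[int] = None   # which POZ key signed the TLS cert
    priority: int = 10              # lower is tried first (MX/SRV semantics)
    weight: int = 1                 # share of traffic within one priority level

def order_hosts(pool: Iterable[PoolHost], down: Iterable[str] = (),
                rng: Optional[random.Random] = None) -> List[PoolHost]:
    """Return the pool in the order a client should try it.

    Hosts listed in `down` are skipped. Remaining hosts are grouped by
    priority, lowest first. Inside a level the order is a weighted random
    draw without replacement, so equal-weight hosts share load evenly and a
    weight-0 host comes last (assumed SRV-style convention).
    """
    rng = rng if rng is not None else random.Random()
    skip = set(down)
    live = [h for h in pool if h.hostname not in skip]
    ordered: List[PoolHost] = []
    for prio in sorted({h.priority for h in live}):
        level = [h for h in live if h.priority == prio]
        while level:
            total = sum(h.weight for h in level)
            if total > 0:
                # random.choices never returns a weight-0 element while total > 0
                pick = rng.choices(level, weights=[h.weight for h in level], k=1)[0]
            else:
                pick = rng.choice(level)   # only weight-0 hosts left: any order
            ordered.append(pick)
            level.remove(pick)
    return ordered

def pick_host(pool: Iterable[PoolHost], down: Iterable[str] = (),
              rng: Optional[random.Random] = None) -> Optional[PoolHost]:
    """First host to connect to, or None if every host is down."""
    ordered = order_hosts(pool, down, rng)
    return ordered[0] if ordered else None

def first_choice_counts(pool: Iterable[PoolHost], draws: int, seed: int) -> Dict[str, int]:
    """How often each host is the first choice over `draws` fresh clients (load-share check)."""
    rng = random.Random(seed)
    counts: Counter = Counter()
    for _ in range(draws):
        counts[pick_host(pool, rng=rng).hostname] += 1
    return dict(counts)

# The MAIL "primary" pool from fig 01 (ca_key_index values are constructed).
MAIL_POOL = [
    PoolHost("mail1.example", 25, priority=10, weight=50, ca_key_index=3),
    PoolHost("mail2.example", 25, priority=20, weight=50, ca_key_index=3),
]

# Constructed pool: two live hosts sharing one priority level 3:1, plus a
# weight-0 spare at the same level and a fallback at a worse priority.
WEIGHTED_POOL = [
    PoolHost("heavy.example", 443, encryption="NOISE_NK", priority=10, weight=3),
    PoolHost("light.example", 443, encryption="NOISE_NK", priority=10, weight=1),
    PoolHost("spare.example", 443, encryption="NOISE_NK", priority=10, weight=0),
    PoolHost("backup.example", 443, encryption="NOISE_NK", priority=20, weight=1),
]

if __name__ == "__main__":
    print([h.hostname for h in order_hosts(MAIL_POOL)])
    print([h.hostname for h in order_hosts(MAIL_POOL, down={"mail1.example"})])
    print(first_choice_counts(WEIGHTED_POOL, 1000, seed=7))
```

The weighted draw is done per connection attempt, so a client that retries after a failure should pass the failed hostname in `down` rather than re-rolling the whole pool, otherwise it may keep landing on the same dead host.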

fig 01 (diagram; recoverable content):
  EMAIL ZONE     inbox "Main"      → mail_svc_hash
  FEED ZONE      feed "main"       → feed_svc_hash
  AUTH ZONE      revocation ref    → revoke_svc_hash
  SERVICE ZONE · 0x0051
    MAIL · "primary" · 2 pool hosts · hash: 0xa3…
      mail1.example:25 · pri 10, wt 50, TLS
      mail2.example:25 · pri 20, wt 50, TLS
    FEED · "publish" · 2 pool hosts · hash: 0xb7…
      feed1.example:443 · pri 10, NOISE_NK
      feed2.example:443 · pri 20, NOISE_NK
    REVOCATION · "live" · 1 pool host · hash: 0xc2…
      revoke.example:443 · TLS · CA key ref: K3
  other zones reference services by hash, never by hostname
fig 01 · the Service Zone holds infrastructure exactly once. Other zones cite services by content-hash — change the pool, the hash changes, and dependent zones must acknowledge it.

POZ-as-CA

The ca_key_index field designates which POZ key signed the server's TLS certificate. A POZ-aware client that has already loaded your record can verify that a server's certificate chains to a key in that record rather than to a public CA. This removes the dependency on DigiCert, Let's Encrypt, and the rest of the public PKI for those clients, while staying TLS-compatible for everyone else (load balancers, firewalls, CDNs). The trust root moves rather than disappears: the check is only as strong as the client's assurance that the POZ record it loaded is authentic and current, and a client that has not loaded the record still relies on whichever public CA issued the certificate.

The same TLS certificate that satisfies a generic client also satisfies a POZ client; the POZ client simply verifies an additional, stronger property, namely that the certificate chains to the key at ca_key_index in your record.

cross-zone references

When infrastructure changes, the service hash changes, so every zone referencing it must be updated to acknowledge the new configuration. A provider can't quietly swap your servers: a reference still carrying the old hash no longer resolves against the altered entry, and the chain breaks until the zones that depend on the service are updated with the new hash.
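The hash binding described here and under "service entries", as an added example (not code from poztter.org or the POZ implementation). The page does not specify the hash function or the canonical encoding; this example assumes SHA-256 over canonical JSON (sorted keys, no whitespace, pool hosts sorted by priority, hostname and port so that listing order is not content). The MAIL "primary" entry is taken from fig 01; the EMAIL ZONE structure, the `quiet_swap` helper and the `check_email_zone` function are constructed for illustration.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional

Service = Dict[str, Any]

def canonical_service(entry: Service) -> bytes:
    """Canonical encoding of one service entry (assumed scheme, not the POZ wire format).

    Pool hosts are sorted so that reordering the list does not change the hash;
    everything else (type, name, hostnames, ports, keys, priorities) is content.
    """
    normalized = dict(entry)
    normalized["pool"] = sorted(entry["pool"],
                                key=lambda h: (h["priority"], h["hostname"], h["port"]))
    return json.dumps(normalized, sort_keys=True, separators=(",", ":")).encode("utf-8")

def service_hash(entry: Service) -> str:
    """The handle other zones use to refer to this entry (assumed: SHA-256 of the canonical form)."""
    return hashlib.sha256(canonical_service(entry)).hexdigest()

def resolve_reference(service_zone: Dict[str, Any], ref_hash: str) -> Optional[Service]:
    """Look up a cross-zone reference.

    The hash is recomputed from each entry's current content rather than read
    from a stored label, so an entry edited after the reference was written
    cannot still match it.
    """
    for entry in service_zone["services"]:
        if service_hash(entry) == ref_hash:
            return entry
    return None

def check_email_zone(email_zone: Dict[str, Any], service_zone: Dict[str, Any]) -> Dict[str, bool]:
    """For each inbox, whether its mail_svc_hash still resolves to a service."""
    return {inbox["name"]: resolve_reference(service_zone, inbox["mail_svc_hash"]) is not None
            for inbox in email_zone["inboxes"]}

def quiet_swap(service_zone: Dict[str, Any], old_host: str, new_host: str) -> Dict[str, Any]:
    """Simulate a provider rewriting a hostname in place (returns a modified copy)."""
    swapped = copy.deepcopy(service_zone)
    for entry in swapped["services"]:
        for host in entry["pool"]:
            if host["hostname"] == old_host:
                host["hostname"] = new_host
    return swapped

# MAIL "primary" from fig 01.
MAIL_PRIMARY: Service = {
    "type": "MAIL",
    "name": "primary",
    "pool": [
        {"hostname": "mail1.example", "port": 25, "transport": "TCP",
         "encryption": "TLS", "priority": 10, "weight": 50},
        {"hostname": "mail2.example", "port": 25, "transport": "TCP",
         "encryption": "TLS", "priority": 20, "weight": 50},
    ],
}

SERVICE_ZONE: Dict[str, Any] = {"component": 0x0051, "services": [MAIL_PRIMARY]}

# Constructed EMAIL ZONE: the inbox cites the service by hash, never by hostname.
EMAIL_ZONE: Dict[str, Any] = {
    "inboxes": [{"name": "Main", "mail_svc_hash": service_hash(MAIL_PRIMARY)}],
}

if __name__ == "__main__":
    print("before swap:", check_email_zone(EMAIL_ZONE, SERVICE_ZONE))
    swapped = quiet_swap(SERVICE_ZONE, "mail1.example", "mail1.newprovider.example")
    print("after swap: ", check_email_zone(EMAIL_ZONE, swapped))
```

The point of recomputing the hash at lookup time is that the Service Zone never stores the hash as a trusted field: a provider who rewrites a hostname and leaves an old hash label in place would otherwise still satisfy the reference.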

see also