CONTINUOUS INTERNET TELEMETRY24H DRIFT2,077 material changesacross 1,868 domains · -474 vs yesterdayDNS DRIFT16 domains changed DNS providertop destination cloudflare.comEMAIL DRIFT5 domains switched email providertop destination google.comCERT DRIFT1 domains switched issuing CA24h · -4 vs yesterdayNOW3,391 curated domains not answeringlast probe, steadyERRORS10,886 responded with an errorlast probe · 5xx / 404 / 429 / 40324H DRIFT2,077 material changesacross 1,868 domains · -474 vs yesterdayDNS DRIFT16 domains changed DNS providertop destination cloudflare.comEMAIL DRIFT5 domains switched email providertop destination google.comCERT DRIFT1 domains switched issuing CA24h · -4 vs yesterdayNOW3,391 curated domains not answeringlast probe, steadyERRORS10,886 responded with an errorlast probe · 5xx / 404 / 429 / 403
Verify a DomainDrift bundle
Paste any DomainDrift signed bundle below. Every receipt is verified in your browser using the public Ed25519 keys. Nothing is sent to a server. This page works offline once loaded.
Formats: connor.signed-bundle.v1 (full) · connor.signed-bundle-compact.v2 (Merkle rollup) · Algorithm: Ed25519 · Verified locally against DomainDrift's published keys
or paste below
How verification works
  1. Each observation carries a receipt_json (a commitment: the hash of what was observed, a signature, and the public_key that produced it) and, alongside it, signed_outputs — the exact data that was hashed and signed. The receipt itself holds no data; that is why the observed bytes are archived next to it.
  2. This page calls DRM3Provenance.verifySignature(receipt) from the open-source drm3-provenance WASM SDK loaded with this page. That proves attribution (DomainDrift produced this receipt) and integrity (it has not been altered).
  3. Where signed_outputs is present, the page also canonicalizes it, computes hashValue(), and confirms it equals receipt.output_hash. That is the data-binding check: it ties the signature to the observed data itself. Observations recorded before DomainDrift began archiving the signed payload show binding n/a — their signatures are still valid; the optional check simply cannot be run on them.
  4. The page also fetches DomainDrift's published key registry at /.well-known/connor-keys.json and grades every signing key's lifecycle: current keys verify, rotated keys verify for receipts inside their validity window (marked "key since rotated"), and compromised, revoked, or unregistered keys FAIL even when the signature math passes. If the registry is unreachable the result is reported as signature-only.
  5. Want to verify with your own tools? The SDK is on npm: @drm3/sdk. Run npm i @drm3/sdk, then @drm3/sdk/receipts checks the signature and the hash and @drm3/sdk/keys grades the key registry, the same checks this page runs.