WHAT IS THE DNS FLOWER
The fleet's DNS architecture is not a single provider — it's a flower. AKS pemos-system is the home base (center).
Five petals each handle a different DNS function: external public resolution, email routing, cluster-internal, AWS DR, and GCP intelligence.
GoDaddy is the soil — registrar only, NS delegation points to Azure. Every DNS change goes to Azure DNS first.
The flower radiates outward: external queries travel outward from AKS; responses flow back in. This is the fleet's DNS sovereignty architecture.
γ₁ = 14.134725141734693 is the invariant floor — the DNS architecture is anchored here. Belt64 Seg 0 is the DNS invariant: the floor never changes.
All petals derive their legitimacy from the floor. Even when Route53 or GCP Cloud DNS go live, they are extensions — not replacements.
PETAL 1 — AZURE DNS (LIVE ✅)
Petal 1 · Gold
Resource Group: rg-eose-dns-dev
Zones: 37 active
NS Primary: ns1-04.azure-dns.com
NS Backup: ns2/3/4-04.azure-dns.org
external-dns: AKS deployment · auto-creates A records
cert-manager: 39 DNS01 solvers · managed identity 070bb5c8
Truth: ALL DNS CHANGES GO HERE FIRST
~$0.50/zone/month × 37 = ~$18.50/month
Zones Active
pemos.ca · eose.ca · pemos.xyz · temos.ca
pemos.io · deseof.ca · deseof.com · pemos.one
nanos.live · feedles.ca · serlf.com · + 26 more
external-dns auto-manages A records from AKS ingress annotations.
ImprovMX MX records are held inside Azure DNS zones.
cert-manager DNS01 challenges write TXT records to Azure DNS.
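Added example, not the fleet's own tooling and not cert-manager's: external-dns and cert-manager both hold write access to Azure DNS through the managed identity above, so the practical question is how narrowly that identity is scoped. This script assigns DNS Zone Contributor per zone instead of on the subscription, and writes a ClusterIssuer with one azureDNS DNS01 solver per zone, each pinned by a dnsZones selector. Subscription and identity IDs, the ACME e-mail, the issuer name and the file names are placeholders; only the resource group and the zone names come from this page. DRY_RUN=1 prints the az calls instead of running them.

```shell
#!/usr/bin/env sh
# Added example (not the fleet's own tooling): scope the DNS automation identity to the
# zones it needs and emit a cert-manager ClusterIssuer whose DNS01 solvers use it.
# All IDs below are placeholders; RG and zone names are from the page.
set -eu

RG="rg-eose-dns-dev"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"      # placeholder
IDENTITY_CLIENT_ID="${IDENTITY_CLIENT_ID:-00000000-0000-0000-0000-000000000000}" # placeholder
IDENTITY_OBJECT_ID="${IDENTITY_OBJECT_ID:-00000000-0000-0000-0000-000000000000}" # placeholder
ACME_EMAIL="${ACME_EMAIL:-sre@example.invalid}"                                  # placeholder

# run: execute a command, or only print it when DRY_RUN=1 so the runbook can be rehearsed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# zone_scope ZONE: the ARM id of one zone, the narrowest scope a role assignment can take.
# Granting "DNS Zone Contributor" here rather than on the subscription limits what a
# compromised external-dns or cert-manager pod can alter to the zones it legitimately manages.
zone_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/dnszones/%s' \
    "$SUBSCRIPTION_ID" "$RG" "$1"
}

# grant_zone_contributor ZONE: one zone-scoped assignment for the automation identity.
grant_zone_contributor() {
  run az role assignment create \
    --assignee-object-id "$IDENTITY_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "DNS Zone Contributor" \
    --scope "$(zone_scope "$1")"
}

# write_clusterissuer FILE ZONE...: one azureDNS DNS01 solver per zone; the dnsZones
# selector keeps a challenge for one zone from being written into another.
write_clusterissuer() {
  out="$1"; shift
  {
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-azure-dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ${ACME_EMAIL}
    privateKeySecretRef:
      name: letsencrypt-azure-dns-account-key
    solvers:
EOF
    for zone in "$@"; do
      cat <<EOF
    - selector:
        dnsZones:
        - ${zone}
      dns01:
        azureDNS:
          subscriptionID: ${SUBSCRIPTION_ID}
          resourceGroupName: ${RG}
          hostedZoneName: ${zone}
          environment: AzurePublicCloud
          managedIdentity:
            clientID: ${IDENTITY_CLIENT_ID}
EOF
    done
  } > "$out"
}

# count_solvers FILE: number of DNS01 solvers in a written issuer (the page counts 39).
count_solvers() { grep -c 'hostedZoneName:' "$1"; }

# Usage: DRY_RUN=1 sh dns-automation-identity.sh apply   (drop DRY_RUN to execute)
if [ "${1:-}" = "apply" ]; then
  for z in pemos.ca eose.ca pemos.xyz; do grant_zone_contributor "$z"; done
  write_clusterissuer clusterissuer.yaml pemos.ca eose.ca pemos.xyz
  run kubectl apply -f clusterissuer.yaml
fi
```

Zone-scoped assignments mean a compromised ingress namespace can rewrite records only in zones it was granted and can neither create nor delete zones; the selector does the same job one level down, keeping each solver's TXT writes inside its own zone.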
PETAL 2 — IMPROVMX (LIVE ✅)
Petal 2 · Purple · Email
Domains: pemos.ca · eose.ca · nanos.live · serlf.com · pemos.io
Active Aliases: 11
MX Record: mx1.improvmx.com (priority 10)
Plan: Premium — 30 domains · 100 aliases/domain · 15,000 emails/day
Note: MX records are held in Azure DNS (Azure is the truth)
~$9/month · Plan: Premium
Active Aliases
kayyo@pemos.ca → kewinjoffe@gmail.com
ayyo@pemos.ca → amani.joffe@gmail.com + kewinjoffe@gmail.com
*@pemos.ca (catch-all) → kewinjoffe@gmail.com
kayyo@eose.ca → kewinjoffe@gmail.com
ayyo@eose.ca → amani.joffe@gmail.com + kewinjoffe@gmail.com
info@eose.ca → kewinjoffe@gmail.com
sre@eose.ca → eosesreops@gmail.com + kewinjoffe@gmail.com
*@eose.ca (catch-all) → kewinjoffe@gmail.com
*@nanos.live (catch-all) → kewinjoffe@gmail.com
*@serlf.com (catch-all) → kewinjoffe@gmail.com
*@pemos.io (catch-all) → kewinjoffe@gmail.com
PETAL 3 — COREDNS AKS (LIVE ✅)
Petal 3 · Blue · Cluster-Internal
Replicas: 2 running kube-system/coredns
Cluster Domain: cluster.local
Service Discovery: *.pemos-system.svc.cluster.local
Forward: external → Azure DNS → 168.63.129.16
Custom Zones: none yet (raincheque: fleet.local for LAN)
PEMCLAU: yone.yone-net.svc.cluster.local (when mesh joined)
$0 — included in AKS cluster
PETAL 4 — ROUTE53 (PLANNED 🔲)
Petal 4 · Orange · AWS DR
Purpose: AWS DR routing + SRE analytics entry point
Planned Zones: aws.eose.ca · m1.aws.eose.ca
Health Checks: Route53 → failover to Azure primary
Latency Routing: us-east-2 users → AWS · ca-central-1 → Azure
Prerequisite: AWS account sreeose active (CATHEDRAL/JAYRHONE)
Belt64: Seg 22 extension (AWS cloud node)
~$0.50/zone + $0.50/million queries · estimated $2/month
Setup Steps
1. Create hosted zone aws.eose.ca in Route53
2. Update NS records in Azure DNS for aws.eose.ca subdomain
3. Route53 receives delegation for aws.* subzone
4. Configure Route53 health checks → Azure primary as failover
5. Latency-based routing: us-east-2 → AWS · ca-central-1 → Azure
6. Add Route53 as Belt64 Seg 22 in fleet topology
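Added example, not the fleet's runbook: steps 1 to 3 above as a script. It creates the Route53 hosted zone, writes the NS record set for the aws label into the eose.ca zone in Azure DNS, and then checks that what Azure's authoritative server actually hands out is exactly the Route53 delegation set. The ns_sets_match check is the same one to run after the registrar NS flip listed under pending actions, with the Azure zone's name servers as the expected set. Resource group and zone names are from the page; the caller reference, TTL and the verification server are my choices; credentials for the sreeose AWS account and the Azure subscription are assumed to be configured already. DRY_RUN=1 rehearses the Azure writes.

```shell
#!/usr/bin/env sh
# Added example (not the fleet's own runbook): delegate aws.eose.ca from Azure DNS to
# Route53 and verify the delegation before building health checks on top of it.
set -eu

RG="rg-eose-dns-dev"
PARENT_ZONE="eose.ca"
SUBZONE_LABEL="aws"                      # aws.eose.ca
SUBZONE="${SUBZONE_LABEL}.${PARENT_ZONE}"

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi; }

# create_hosted_zone: prints the Route53 name servers assigned to the new zone, one per
# line. Needs credentials for the sreeose AWS account.
create_hosted_zone() {
  aws route53 create-hosted-zone --name "$SUBZONE" \
    --caller-reference "delegate-$(date +%s)" \
    --query 'DelegationSet.NameServers' --output text | tr '\t' '\n'
}

# delegate_subzone NS...: write the NS record set for the label in the Azure parent zone.
# Only the label is delegated; the eose.ca apex and every other name stay in Azure.
delegate_subzone() {
  run az network dns record-set ns create -g "$RG" -z "$PARENT_ZONE" -n "$SUBZONE_LABEL" --ttl 300
  for ns in "$@"; do
    run az network dns record-set ns add-record -g "$RG" -z "$PARENT_ZONE" -n "$SUBZONE_LABEL" --nsdname "$ns"
  done
}

# observed_ns: what the Azure authoritative server actually answers for the subzone.
observed_ns() { dig +short NS "$SUBZONE" @ns1-04.azure-dns.com | sed 's/\.$//'; }

# ns_sets_match EXPECTED OBSERVED: newline-separated lists compared as sets (case and
# trailing dot ignored). The delegation is right only when they are identical: an extra
# or stale NS name in the parent is a server that may not be under fleet control, which
# is the dangling-delegation condition a takeover needs.
ns_sets_match() {
  a=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u)
  b=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u)
  [ "$a" = "$b" ]
}

# Usage: sh route53-delegate.sh apply   (DRY_RUN=1 rehearses the Azure writes only)
if [ "${1:-}" = "apply" ]; then
  nameservers=$(create_hosted_zone)
  # shellcheck disable=SC2086
  delegate_subzone $nameservers
  if ns_sets_match "$nameservers" "$(observed_ns)"; then
    echo "delegation for $SUBZONE verified"
  else
    echo "delegation mismatch for $SUBZONE: fix the NS set before adding health checks" >&2
    exit 1
  fi
fi
```

Run the verification again whenever the Route53 zone is recreated: a new hosted zone gets a new delegation set, and the old NS names left in Azure would keep answering for aws.eose.ca from servers the fleet no longer owns.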
PETAL 5 — GCP CLOUD DNS (PLANNED 🔲)
Petal 5 · Green · GCP Intelligence
Purpose: GCP intelligence routing + GKE internal
Planned Zones: gcp.eose.ca · sre.gcp.eose.ca
Lighthouse: already answering at 34.19.136.54
GKE Internal: *.gke.cluster.local for eose-fleet project
Integration: GCP Cloud DNS → Azure DNS cross-cloud resolution
External-dns: GCP has its own external-dns deployment on GKE
Belt64: Seg 17 extension (GCP cloud node)
$0.20/zone/month — very cheap · estimated $1/month
LAN COREDNS (PLANNED 🔲)
Purpose: local fleet DNS resolution — msi01, yone, forge, msclo, pcdev → by name.
Where: CoreDNS container on msi01 or forge (always-on). Zones: fleet.local, eose.local.
msi01.fleet.local → 192.168.2.18 · yone.fleet.local → 192.168.2.23
forge.fleet.local → 192.168.2.12 · msclo.fleet.local → 192.168.2.19
pcdev.fleet.local → 192.168.2.16 · nas.fleet.local → 192.168.2.20
Forward: fleet.local → CoreDNS · everything else → 192.168.2.1 (router)
WSL2: point /etc/resolv.conf → 192.168.2.18:5353 (fleet CoreDNS)
Cost: $0 (local Docker container)
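Added example, not the fleet's own Corefile: the LAN resolver planned above, written as a generated Corefile plus the docker run that serves it. Host names and addresses are the ones listed on this page; the acl block, the PORT variable, the image tag and the container name are my additions and assumptions.

```shell
#!/usr/bin/env sh
# Added example (not the fleet's own config): generate a Corefile for the fleet.local LAN
# zone and serve it from a Docker container. Hosts and addresses are from the plan; the
# acl block, PORT, the image tag and the container name are assumptions.
set -eu

LAN_CIDR="192.168.2.0/24"
ROUTER="192.168.2.1"                      # upstream for everything that is not fleet.local
PORT="${PORT:-5353}"                      # the plan says 5353; see the resolv.conf note
COREDNS_IMAGE="coredns/coredns:1.11.3"    # assumed tag; pin the one you have tested

# write_corefile FILE: fleet.local answered from an inline hosts table (names not in the
# table get NXDOMAIN, since there is no fallthrough); everything else is forwarded to the
# router. The acl block in both server blocks refuses queries that do not come from the
# LAN or loopback, so the forwarder cannot be used as an open resolver if the port is
# ever reachable from outside.
write_corefile() {
  cat > "$1" <<EOF
fleet.local:${PORT} {
    acl {
        allow net ${LAN_CIDR} 127.0.0.0/8 ::1/128
        block
    }
    hosts {
        192.168.2.18 msi01.fleet.local
        192.168.2.23 yone.fleet.local
        192.168.2.12 forge.fleet.local
        192.168.2.19 msclo.fleet.local
        192.168.2.16 pcdev.fleet.local
        192.168.2.20 nas.fleet.local
        ttl 60
    }
    log
    errors
}
.:${PORT} {
    acl {
        allow net ${LAN_CIDR} 127.0.0.0/8 ::1/128
        block
    }
    forward . ${ROUTER}
    cache 30
    log
    errors
}
EOF
}

# lookup_in_corefile FILE NAME: the address the hosts table maps NAME to (empty if absent).
# A cheap sanity check on the generated file before it is mounted into the container.
lookup_in_corefile() {
  awk -v n="$2" '$2 == n { print $1 }' "$1"
}

# run_container: host networking keeps the LAN client's source address exactly as CoreDNS
# sees it, which is what the acl block decides on.
run_container() {
  docker run -d --name fleet-coredns --restart unless-stopped --network host \
    -v "$(pwd)/Corefile:/Corefile:ro" "$COREDNS_IMAGE" -conf /Corefile
}

# Usage: sh lan-coredns.sh apply   (then: dig @127.0.0.1 -p "$PORT" msi01.fleet.local)
if [ "${1:-}" = "apply" ]; then
  write_corefile Corefile
  [ "$(lookup_in_corefile Corefile msi01.fleet.local)" = "192.168.2.18" ]
  run_container
fi
```

Two things to know before the WSL2 step: glibc's resolv.conf nameserver line takes an address only, with no port field, so a resolver on 5353 is not reachable that way; either run this with PORT=53 (after checking nothing else on the host owns the port) or put a stub resolver in front of it. The acl block answers REFUSED to any source outside the LAN and loopback, which is what keeps the forward block from becoming an open resolver.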
DOMAIN → SILO OWNERSHIP MAP
| Domain | Silo Owner | Crew | Belt64 | Purpose | DNS Status |
|---|---|---|---|---|---|
| pemos.ca | msi01 | IMHOTEP+BOB+BOSUN | Seg 8+0 | Fleet home, primary portal | LIVE ✅ |
| eose.ca | msclo | IMHOTEP+CLO | Seg 9+0 | Legal identity, EOSE Labs root | LIVE ✅ |
| pemos.xyz | msi01 | BOB+MO | Seg 8 | Enterprise gateway | LIVE ✅ |
| temos.ca | msi01 | TAZ+GREYBACK | Seg 8 | me-sorry game | LIVE ✅ |
| pemos.io | yone | BOSUN+SIGNALS | Seg 10 | Test/chaos | LIVE ✅ |
| deseof.ca | msclo | IMHOTEP+CLO | Seg 9 | Canadian sovereign | NS FLIP PENDING |
| deseof.com | msclo | IMHOTEP+CLO | Seg 9 | Global sovereign | NS FLIP PENDING |
| pemos.one | pcdev | JOHN+CODY | Seg 13 | Math/theorem portal | LIVE ✅ |
| lilo.pemos.ca | lilo | GID-FAM-001 | Seg 12 | lilo family silo | LIVE ✅ |
| nanos.live | forge | RICK+SIGNALS | Seg 11 | Analytics/live feed | LIVE ✅ |
| feedles.ca | msclo | AMANI+CLO | Seg 9 | CA noble gas treasury | LIVE ✅ |
| serlf.com | msi01 | BOB+RICK | Seg 8 | SRE/elf domain | LIVE ✅ |
PENDING DNS ACTIONS (PRIORITIZED)
1. deseof.ca + deseof.com: flip GoDaddy NS → Azure DNS · 5 MIN TASK
   Just NS records in GoDaddy. Azure DNS zones already exist. Pure registrar config. No downtime.
2. Deploy LAN CoreDNS: Docker on forge, fleet.local zone · SOON
   CoreDNS Corefile with fleet.local zone + forward block. Point WSL2 resolv.conf to 192.168.2.12:5353.
3. pemos.one: fix 404 on rh1one/rh1np — check AKS deployment · SOON
   DNS is live (Azure zone), but AKS ingress rule may be missing or deployment is down.
4. Provision Route53 zone for DR — aws.eose.ca · PLANNED
   Requires AWS account sreeose active. CATHEDRAL/JAYRHONE nodes prerequisite.
5. GCP Cloud DNS for GKE internal — gcp.eose.ca · PLANNED
   Lighthouse already at 34.19.136.54. GKE cluster *.gke.cluster.local setup needed.
DNS BELT64 MAPPING
| Seg | Status | Role |
|---|---|---|
| Seg 0 | INVARIANT | γ₁ floor — DNS invariant: the floor never changes. All DNS derives sovereignty from here. |
| Seg 1 | LIVE | Azure DNS — external public truth. 37 zones. external-dns writes here. MX (ImprovMX) lives in Seg 1. |
| Seg 5 | LIVE | AKS CoreDNS — cluster-internal mesh. kube-dns. service discovery. cluster.local. |
| Seg 17 | PLANNED | GCP Cloud DNS — future extension. GKE internal + intelligence routing. gcp.eose.ca. |
| Seg 22 | PLANNED | Route53 — future AWS cloud node. DR routing + SRE analytics. aws.eose.ca. |