⚡ DDI — THE MENTAL MODEL
TLS asks: Can I trust and protect this connection?
Proxy/gateway asks: Where should this request flow?
Data catalog asks: What is this data asset and who can use it?
DDI asks: What is this thing called? What address does it have? Who gave it that? How long is it valid? Which endpoint should this name resolve to RIGHT NOW?
DNS = the map. PEMOS-NX = the road. Spistlewers = the sovereign SOSTLE towers that govern the map itself.
A spistlewer = Spiral SOSTLE Tower on XML Spine. Each domain's spistlewer shows: how much of the 9 XML Spine layers is alive, which direction it winds, what SOSTLE level guards the inner ring.
Even/Anti: Right-wound = public-first (standard). Left-wound (anti) = identity-first (sovereign, used for serlf.ca, temos.ca, deseof).
THE 9 XML SPINE LAYERS · EACH DOMAIN SPIRALS THROUGH ALL 9
L0 · RAW · Registrar Record: Domain exists in GoDaddy portfolio. Minimum viable bonsai. Soil is prepared.
L1 · PARSED · NS Delegated: NS records point to Azure DNS. Zone exists. Resolution possible.
L2 · VALIDATED · A/AAAA Live: Domain resolves to real IP. Health check passes. Traffic flows.
L3 · ENRICHED · MX + SPF + DMARC + CAA: Email security live. Cert authority declared. Full DNS identity.
L4 · LINKED · PEMCLAU Node: Domain linked to PEMCLAU living graph. γ₁-stamped. Sovereign history begins.
L5 · FEDERATED · Split-Horizon Live: Internal + external views. SOSTLE gated. Different answers by network.
L6 · ARCHIVED · Full Change History: DNS change audit in PEMCLAU. Evidence-grade for CASL/PIPEDA compliance.
L7 · PUBLISHED · Enterprise-Grade: Documented owner, lifecycle, policy, monitoring. Decommission path defined.
L8 · SOVEREIGN · γ₁-Stamped Complete: Spistlewer complete. All rings active. Full SOSTLE tower operational. γ₁ = 14.134725141734693
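The ladder above is a contiguous one: a domain sits at the highest layer it has reached without skipping a ring below it. The following Python is an added example (not the page's own tooling) that decides L0 through L3 from observable DNS records and a health-check result, and treats L4 through L8 as hypothetical boolean flags (`pemclau_node`, `split_horizon`, `change_history`, `published`, `gamma1_stamped`) that the living graph would supply. Nameserver names, mail records and the two sample domain states are constructed.

```python
"""Spine-layer assessment for one domain.

Added example; not the page's own tooling. Layers L0-L3 are decided from the DNS
records and health check we can observe. Layers L4-L8 depend on state the page keeps
in its living graph; that state is modelled here as hypothetical boolean flags in
`graph`, supplied by the caller. Nameserver and record values are constructed samples.
"""
from dataclasses import dataclass, field

AZURE_DNS_LABEL = "azure-dns"   # Azure public DNS nameservers carry this label (e.g. ns1-01.azure-dns.com)

# (layer, name, requirement) in spiral order; a domain's layer is the highest one reached
# without a gap, because each ring is built on the one below it.
LAYERS = [
    (0, "RAW", "Registrar Record"),
    (1, "PARSED", "NS Delegated"),
    (2, "VALIDATED", "A/AAAA Live"),
    (3, "ENRICHED", "MX + SPF + DMARC + CAA"),
    (4, "LINKED", "PEMCLAU Node"),
    (5, "FEDERATED", "Split-Horizon Live"),
    (6, "ARCHIVED", "Full Change History"),
    (7, "PUBLISHED", "Enterprise-Grade"),
    (8, "SOVEREIGN", "γ₁-Stamped Complete"),
]
# Hypothetical flag names for the graph-backed layers L4-L8, in layer order.
GRAPH_FLAGS = ["pemclau_node", "split_horizon", "change_history", "published", "gamma1_stamped"]


@dataclass
class DomainState:
    name: str
    registered: bool                                   # L0: present in the registrar portfolio
    records: dict = field(default_factory=dict)       # rtype -> list of (owner, rdata)
    health_ok: bool = False                            # L2: health check against the A/AAAA target passed
    graph: dict = field(default_factory=dict)         # hypothetical living-graph flags for L4-L8


def _rdata(state, rtype, owner=None):
    """All rdata strings of one type, optionally only those at a given owner name."""
    return [rd for o, rd in state.records.get(rtype, []) if owner is None or o == owner]


def layer_checks(state):
    """One boolean per layer, in order."""
    ns = _rdata(state, "NS")
    spf = any(rd.startswith("v=spf1") for rd in _rdata(state, "TXT", state.name))
    dmarc = any(rd.startswith("v=DMARC1") for rd in _rdata(state, "TXT", f"_dmarc.{state.name}"))
    observed = [
        state.registered,
        bool(ns) and all(AZURE_DNS_LABEL in rd for rd in ns),
        bool(_rdata(state, "A") or _rdata(state, "AAAA")) and state.health_ok,
        bool(_rdata(state, "MX")) and spf and dmarc and bool(_rdata(state, "CAA")),
    ]
    return observed + [bool(state.graph.get(flag)) for flag in GRAPH_FLAGS]


def assess(state):
    """Return (reached, blocked_at, requirement): the highest contiguous layer reached,
    the label of the first layer that fails, and what that layer needs.
    A fully sovereign domain returns (8, None, None); one missing even L0 returns -1."""
    reached = -1
    for (num, name, requirement), ok in zip(LAYERS, layer_checks(state)):
        if not ok:
            return reached, f"L{num} · {name}", requirement
        reached = num
    return reached, None, None


# Constructed sample: delegated to Azure DNS, resolving, full mail/CA identity, linked
# into the graph, but no split-horizon view yet.
FEDERATING = DomainState(
    name="pemos.ca", registered=True, health_ok=True,
    records={
        "NS": [("pemos.ca", "ns1-01.azure-dns.com."), ("pemos.ca", "ns2-01.azure-dns.net.")],
        "A": [("pemos.ca", "20.200.111.70")],
        "MX": [("pemos.ca", "10 mx1.improvmx.com.")],
        "TXT": [("pemos.ca", "v=spf1 include:spf.improvmx.com ~all"),
                ("_dmarc.pemos.ca", "v=DMARC1; p=reject")],
        "CAA": [("pemos.ca", '0 issue "letsencrypt.org"')],
    },
    graph={"pemclau_node": True},
)
# Constructed sample for the open P1: registered, but NS still at the registrar.
NOT_FLIPPED = DomainState(
    name="deseof.ca", registered=True,
    records={"NS": [("deseof.ca", "ns1.registrar.example.")]},
)

if __name__ == "__main__":
    for domain in (FEDERATING, NOT_FLIPPED):
        print(domain.name, assess(domain))
```

Because the walk stops at the first failing ring, the third element of the result is the exact next action for that domain (flip NS, get the health check green, add the missing mail or CAA record), which is the question the ladder exists to answer.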
GATEWAY + DNS LIVING GRAPH · UNIFIED CHAIN
The key insight: DNS and the gateway are two halves of the same routing decision.
DNS: "Which IP do I use?" (name → coordinate)
Gateway: "Which workload do I send this to?" (coordinate → policy → service)
Together: name → coordinate → policy → workload → PEMCLAU audit node
Every resolution creates a chain. Every gateway routing decision extends that chain. The chain is the sovereign truth.
DNS_ZONE · pemos.ca, cluster.local
DNS_RECORD · A, CNAME, MX, TXT, CAA
DNS_RESOLUTION · lookup event + γ₁
GATEWAY_ROUTE · host+path → service
GATEWAY_POLICY · allow/deny/rate-limit
IPAM_SUBNET · allocated CIDR
DHCP_LEASE · dynamic lease event
SPISTLEWER · domain SOSTLE tower state
BONSAI_DOMAIN · entity + lifecycle
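The chain name → coordinate → policy → workload → audit node, as an added example in Python (not the project's code). The split-horizon zone, the route table, the policies and the "internal" client networks are constructed sample values; the audit-node shape and the SHA-256 link between nodes are an assumption about how one resolution record could commit to the previous one, and γ₁ is stamped on each node as the constant the page gives.

```python
"""Unified DNS + gateway chain: name -> coordinate -> policy -> workload -> audit node.

Added example; not the project's code. Zone contents, routes, policies and the
internal client networks are constructed. The audit node format and the hash link
between nodes are assumptions about how a living-graph record could be chained."""
import hashlib
import ipaddress
import json

GAMMA1 = 14.134725141734693  # γ₁ constant as given on the page

# Constructed: LAN (Grimsby 192.168.2.x) and the Tailscale 100.x mesh count as "internal".
INTERNAL_NETS = [ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("100.64.0.0/10")]

# Constructed split-horizon zone: a public answer, and for some names an internal one.
ZONE = {
    "lilo.pemos.ca": {"public": "20.200.111.70", "internal": "100.97.143.89"},
    "pemos.ca": {"public": "20.200.111.70"},
}

# Constructed gateway table: (host, path prefix, service, policy).
ROUTES = [
    ("lilo.pemos.ca", "/api/", "lilo-api", "rate-limit"),
    ("lilo.pemos.ca", "/", "lilo-web", "allow"),
    ("pemos.ca", "/admin/", "admin-console", "deny"),
    ("pemos.ca", "/", "pemos-web", "allow"),
]

GENESIS = "0" * 64   # previous-hash value for the first node of a chain


def resolve(name, client_ip):
    """DNS half: coordinate for the client's view; the internal answer is only
    handed to clients inside the mesh/LAN. Returns (ip, view) or None for NXDOMAIN."""
    views = ZONE.get(name)
    if views is None:
        return None
    ip = ipaddress.ip_address(client_ip)
    if "internal" in views and any(ip in net for net in INTERNAL_NETS):
        return views["internal"], "internal"
    return views["public"], "public"


def route(host, path):
    """Gateway half: longest matching path prefix wins. Returns (service, policy) or None."""
    best = None
    for rhost, prefix, service, policy in ROUTES:
        if rhost == host and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, service, policy)
    return None if best is None else (best[1], best[2])


def audit_node(event, prev_hash):
    """One node of the evidence chain; its hash commits to the event and its predecessor."""
    body = json.dumps({"prev": prev_hash, "gamma1": GAMMA1, **event}, sort_keys=True)
    return {"hash": hashlib.sha256(body.encode()).hexdigest(), "prev": prev_hash, **event}


def request_chain(name, path, client_ip, prev_hash=GENESIS):
    """Whole chain for one request: a DNS_RESOLUTION node, then a GATEWAY_ROUTE node
    that extends it. An unknown host gets a single NXDOMAIN node; no route means deny."""
    nodes = []
    answer = resolve(name, client_ip)
    if answer is None:
        nodes.append(audit_node({"kind": "DNS_RESOLUTION", "name": name, "rcode": "NXDOMAIN"}, prev_hash))
        return nodes
    coordinate, view = answer
    nodes.append(audit_node({"kind": "DNS_RESOLUTION", "name": name,
                             "coordinate": coordinate, "view": view}, prev_hash))
    service, policy = route(name, path) or (None, "deny")
    nodes.append(audit_node({"kind": "GATEWAY_ROUTE", "host": name, "path": path,
                             "service": service, "policy": policy}, nodes[-1]["hash"]))
    return nodes


def verify_chain(nodes, prev_hash=GENESIS):
    """Recompute every hash in order; an edited node breaks the link to its successor."""
    for node in nodes:
        event = {k: v for k, v in node.items() if k not in ("hash", "prev")}
        if node["prev"] != prev_hash or audit_node(event, prev_hash)["hash"] != node["hash"]:
            return False
        prev_hash = node["hash"]
    return True


if __name__ == "__main__":
    for node in request_chain("lilo.pemos.ca", "/api/v1/status", "100.97.1.2"):
        print(node["kind"], {k: v for k, v in node.items() if k not in ("kind", "prev")})
```

The same request from a public address gets the public coordinate, and a request for a path that only matches a deny route is still recorded, so the chain shows both what was answered and what was refused; tampering with any stored node makes `verify_chain` return False.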
FAILOVER ARCHITECTURE · MANY DOMAINS · MANY FOOTPRINTS · IMPACT NOTHING
| DOMAIN | CURRENT IP | FAILOVER OPTION 1 | FAILOVER OPTION 2 | LOCAL FAILOVER | TTL |
| --- | --- | --- | --- | --- | --- |
| pemos.ca | 20.200.111.70 (AKS dev CA-East) | pemos.io (20.116.164.26) | GCP ZERO-DR NE1 | Tailscale → yone/forge | 300s |
| eose.ca | 20.200.111.70 | eose.cloud (future) | GCP | Tailscale → msi01 | 300s |
| pemos.io | 20.116.164.26 (separate AKS) | pemos.xyz | AWS CATHEDRAL | Tailscale → forge | 300s |
| pemos.space / .today / .club | BONSAI (safe to test) | point to any AKS namespace | — | — | 3600s |
| lilo.pemos.ca | AKS (public) | 100.97.143.89 (Tailscale) | local silo | always available | 60s |
| deseof.ca / deseof.com | NS NOT FLIPPED (open P1) | flip to Azure DNS → 20.200.111.70 | — | — | — |
| feedles.ca | ⚠️ EXPIRING — renew | — | — | — | — |
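The TTL column is what bounds how long clients keep hitting a dead footprint after a flip. The Python below is an added example (not the page's runbook) that walks a domain's candidates in the table's order, picks the first healthy one, and computes the worst-case cutover window: detection time plus one full TTL, since a resolver that cached the old answer just before the flip serves it until expiry. IPs, option labels and TTLs are taken from the table; the health results and the check cadence (30-second checks, three failures before a flip) are constructed.

```python
"""Failover choice plus the propagation window that the TTL column controls.

Added example; not the page's own runbook. IPs, option labels and TTLs are taken from
the failover table; the health-check results and the check cadence are constructed."""

# Candidates in preference order: current IP first, then failover option 1, option 2,
# then the local (Tailscale) fallback. Non-IP entries are the table's own labels.
FAILOVER = {
    "pemos.ca": {"ttl": 300, "candidates": [
        "20.200.111.70", "20.116.164.26", "GCP ZERO-DR NE1", "Tailscale → yone/forge"]},
    "pemos.io": {"ttl": 300, "candidates": [
        "20.116.164.26", "pemos.xyz", "AWS CATHEDRAL", "Tailscale → forge"]},
    "lilo.pemos.ca": {"ttl": 60, "candidates": [
        "AKS (public)", "100.97.143.89", "local silo"]},
}


def choose_endpoint(domain, healthy):
    """First candidate whose health check passed; None when every candidate is down.
    `healthy` maps candidate -> bool from the latest monitoring run."""
    for candidate in FAILOVER[domain]["candidates"]:
        if healthy.get(candidate, False):
            return candidate
    return None


def worst_case_cutover_seconds(domain, check_interval, failures_before_flip):
    """Upper bound on how long a client can keep hitting the dead endpoint:
    time to detect the outage, plus one full TTL for a resolver that cached the
    old answer just before the record was flipped."""
    return check_interval * failures_before_flip + FAILOVER[domain]["ttl"]


def plan_failover(domain, healthy, check_interval=30, failures_before_flip=3):
    """Decide what the DNS change should be for one domain given current health."""
    current = FAILOVER[domain]["candidates"][0]
    target = choose_endpoint(domain, healthy)
    if target == current:
        return {"domain": domain, "action": "none", "serve": current}
    if target is None:
        return {"domain": domain, "action": "all-down", "serve": None}
    return {
        "domain": domain, "action": "flip", "serve": target,
        "max_stale_seconds": worst_case_cutover_seconds(domain, check_interval, failures_before_flip),
    }


if __name__ == "__main__":
    # Constructed scenario: the CA-East AKS ingress is down, everything else answers.
    health = {"20.200.111.70": False, "20.116.164.26": True, "GCP ZERO-DR NE1": True,
              "Tailscale → yone/forge": True, "AKS (public)": False, "100.97.143.89": True}
    for domain in FAILOVER:
        print(plan_failover(domain, health))
```

With those constructed numbers, pemos.ca at 300s can be stale for up to 390 seconds after the outage begins while lilo.pemos.ca at 60s is bounded at 150 seconds; the 3600s TTL on the bonsai domains is only acceptable because nothing depends on them.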
DDI FULL STACK · DNS + DHCP + IPAM INTEGRATION
DNS
Azure DNS (truth) · GoDaddy (registrar)
ImprovMX (email routing)
ExternalDNS (AKS automation)
Tailscale DNS (silo mesh)
CoreDNS (cluster.local)
Split-horizon: public/private views
CAA: letsencrypt.org (cert-manager)
DNSSEC: planned
DHCP + IPAM
LAN: router DHCP (Grimsby 192.168.2.x)
AKS: Azure CNI (pod/service CIDRs)
Tailscale: 100.x.x.x mesh
IPAM truth: TOOLS.md → MECIPOL
No overlapping CIDRs (enforced)
IPv6: dual-stack planned
Private endpoints: private DNS zones
Fleet silos: static IPs
SECURITY
CAA records: block unauthorized CAs
SPF/DKIM/DMARC: email auth
ExternalDNS scoped (no wildcards)
SOSTLE gate on split-horizon
GID resolver for L4+ DNS
DNS firewall: planned (Diamond DNS-3)
Subdomain takeover scanning: needed
PEMCLAU: DNS as evidence infra
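Four of the SECURITY items (CAA allowlist, ExternalDNS scoping without wildcards, subdomain takeover scanning, and DMARC enforcement on top of SPF/DKIM) can be checked from the zone's own records. The Python below is an added example, not the project's scanner: it lints a list of (owner, rtype, rdata) records and returns findings that could be written to the evidence record. The sample zone and the set of CNAME targets that still resolve are constructed; in a real run that set would come from live lookups of every CNAME target.

```python
"""Zone security lint for the SECURITY column: CAA allowlist, wildcard scoping,
dangling CNAMEs and DMARC enforcement.

Added example; not the project's scanner. The zone records and the set of targets that
still resolve are constructed sample data; in a real run the set comes from live
lookups of every CNAME target, and the findings feed the evidence record."""

ALLOWED_CAS = {"letsencrypt.org"}   # the CA declared on the page via CAA


def parse_dmarc(rdata):
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', ...}."""
    pairs = (kv.strip().split("=", 1) for kv in rdata.strip('"').split(";") if "=" in kv)
    return {k.strip(): v.strip() for k, v in pairs}


def lint_zone(zone, apex, resolvable):
    """zone: list of (owner, rtype, rdata); resolvable: set of hostnames that answer.
    Returns findings as (severity, owner, message)."""
    findings = []

    # CAA: without it any public CA may issue; with it, only the listed CAs may.
    caa = [(o, rd) for o, t, rd in zone if t == "CAA"]
    if not caa:
        findings.append(("HIGH", apex, "no CAA record: any public CA may issue for this zone"))
    for owner, rd in caa:
        _flags, tag, value = rd.split(" ", 2)          # '0 issue "letsencrypt.org"'
        ca = value.strip('"')
        if tag in ("issue", "issuewild") and ca != ";" and ca not in ALLOWED_CAS:
            findings.append(("HIGH", owner, f"CAA {tag} permits unlisted CA {ca}"))

    for owner, rtype, rd in zone:
        # ExternalDNS scoping: a wildcard answers for names nobody registered.
        if owner.startswith("*."):
            findings.append(("MEDIUM", owner, f"wildcard {rtype} record: scope ExternalDNS to explicit names"))
        # Dangling CNAME: the alias stays published after its target is gone.
        if rtype == "CNAME" and rd.rstrip(".") not in resolvable:
            findings.append(("HIGH", owner, f"dangling CNAME to {rd}: target no longer resolves"))
        # DMARC present but not enforcing.
        if owner == f"_dmarc.{apex}" and rtype == "TXT" and parse_dmarc(rd).get("p") == "none":
            findings.append(("MEDIUM", owner, "DMARC p=none: spoofed mail is reported, not rejected"))

    return findings


# Constructed sample zone; the dead target uses the reserved example.net domain.
SAMPLE_ZONE = [
    ("pemos.ca", "A", "20.200.111.70"),
    ("pemos.ca", "CAA", '0 issue "letsencrypt.org"'),
    ("_dmarc.pemos.ca", "TXT", '"v=DMARC1; p=reject"'),
    ("www.pemos.ca", "CNAME", "pemos.ca."),
    ("old-demo.pemos.ca", "CNAME", "retired-app.example.net."),
    ("*.dev.pemos.ca", "A", "20.200.111.70"),
]
SAMPLE_RESOLVABLE = {"pemos.ca"}

if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE, "pemos.ca", SAMPLE_RESOLVABLE):
        print(*finding)
```

Run on a schedule against the Azure DNS export, the dangling-CNAME check is the "subdomain takeover scanning" line in its simplest form: a record you publish whose target nobody answers for is the condition to remove before someone else registers that target.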