đĄ How to use relay.testls.bit â a Namecoin .bit-gated Nostr relay
đ wss://relay.testls.bit/
đĄď¸ What makes it different
The relay only accepts events from pubkeys whose kind:0 metadata declares
a .bit NIP-05 identifier (e.g. _@yourname.bit, m@testls.bit). Verification
is done against Namecoin directly via ElectrumX â no DNS, no public CAs.
đ To use it as a write relay you need:
1. A Namecoin .bit name (d/ namespace) you control
2. Set the .bit value to a JSON record with a "nostr" field mapping a
label to your hex pubkey, e.g.
{"nostr":{"names":{"_":"<your-hex-pubkey>"}}}
3. Update your kind:0 metadata so "nip05" = "<label>@<yourname>.bit"
4. Add wss://relay.testls.bit/ to your client's relay list
đą Native client support
Amethyst (Android + iOS + Desktop) has full .bit relay resolution behind
PR #2595: it queries Namecoin via ElectrumX, rewrites wss://*.bit/ to the
underlying real wss:// host or .onion, and pins TLS via Namecoin TLSA.
No client-side config needed beyond adding the relay URL.
https://github.com/vitorpamplona/amethyst/pull/2595
đĄ Read-only access works for everyone
Even without a .bit identity you can subscribe with REQ and read the relay
freely. Only writes are gated.
đ Why this matters
It's a working demo of the cypherpunk thesis: name resolution and TLS
trust without ICANN, without public CAs, without DNS. Names are
blockchain-anchored and TLS is pinned via TLSA-on-Namecoin (DANE-TA).
đ Browse it in your browser: https://relay.testls.bit/
(vanilla SPA, talks WSS back to the same host. Self-signed cert is
pinned via Namecoin TLSA.)
Go to https://www.namecoin.org/download/ to figure out how to resolve
on your OS or in your browser
đ§ Nuts and Bolts â what a publisher actually has to do
1. On-chain Namecoin records (one-time per identity using <name>):
⢠id/<name> MUST exist with JSON like:
{"nostr":{"pubkey":"<hex-pubkey>",
"relays":["wss://relay.testls.bit/", ...]}}
id/<name> is the canonical NIP-05 namespace; the relay verifies
_@<name>.bit against this record.
⢠d/<name> SHOULD mirror the same "nostr" block for .bit-aware
clients that resolve the domain side too.
2. Nostr events to publish BEFORE your kind:1 content (every
identity, once per metadata change):
a. kind:0 (profile metadata) with content JSON containing
"nip05": "_@<name>.bit"
The "_" localpart resolves to id/<name> via the NIP-05
default-name rule. Without this, the relay rejects writes with:
blocked: this relay requires a verified Namecoin .bit NIP-05
b. kind:10002 (NIP-65 relay list) listing
wss://relay.testls.bit/
as a write relay. Not strictly required for acceptance, but
it makes the relay discoverable in the author's outbox.
Send both (a) and (b) to relay.testls.bit AND to your normal
public relays so verification + discovery stay in sync.
3. TLS handshake (every connection):
a. Resolve the host via Namecoin:
name_show d/testls -> map.relay -> { ip, tls }
The "tls" field is one or more TLSA records of shape
[usage, selector, matchingType, base64-data]
Currently usage=2 (DANE-TA), selector=1 (SPKI),
matching=1 (SHA-256).
b. Open TCP/TLS to that IP with SNI = "relay.testls.bit" and
your own certificate validation (rejectUnauthorized=false).
c. Pin against the TLSA. IMPORTANT: neither the leaf SPKI nor
the intermediate SPKI hashes match â the pin is the
AIA Parent CA SPKI, which the Namecoin TLS scheme staples
as JSON inside the *issuer's* serialNumber RDN:
serialNumber=Namecoin TLS Certificate
\n\nStapled: {"pubb64":"<b64url SPKI DER>"}
The cert literally encodes \" as backslash+quote and \0A
as \ 0 A in that string â unescape both before JSON.parse.
SHA-256 of base64url-decoded pubb64 is what TLSA covers.
d. Once the pin matches, hand the validated TLS socket to your
WebSocket client (e.g. ws's createConnection: () => socket)
so you don't trigger a second TLS handshake.
4. Operational order for a content broadcast:
a. Verify id/<name> + d/<name> on chain.
b. Publish kind:0 (with .bit nip05) â public relays + .bit relay.
c. Publish kind:10002 (with .bit relay) â public relays + .bit relay.
d. Publish kind:1 (your content) â public relays + .bit relay.
5. Common failure modes:
⢠"tls: TLSA pin mismatch"
You're hashing the leaf or chain SPKI. Use the stapled
AIA Parent CA SPKI from the issuer's serialNumber RDN.
⢠"blocked: this relay requires a verified Namecoin .bit NIP-05"
Latest kind:0 doesn't carry a .bit nip05, OR id/<name>
on-chain doesn't list this pubkey.
⢠TLSA pin mismatch after a server cert rotation
The on-chain "tls" array under d/<base>/map/<sub> needs an
update â the AIA Parent CA pubkey is the trust anchor.
Reference implementation:
https://github.com/mstrofnone/nmcLightningService (publish-announce-bit.js)
#namecoin #nostr #cypherpunk #dotbit
mstrofnone
npub1gvâŚ8xchs
2026-05-01 02:27:11 UTC
Author Public Key
npub1gvv9ahktvavf9qjtrgm62le7gplmmchd5usp5wpfhr85hf79kncqj8xchsPublished at
2026-05-01 02:27:11 UTCEvent JSON
{
"id": "72c3c1d9d96801f3f0d4bc07077ee2398557a53e961029a0005308bc396682a7",
"pubkey": "43185edecb675892824b1a37a57f3e407fbde2eda7201a3829b8cf4ba7c5b4f0",
"created_at": 1777602431,
"kind": 1,
"tags": [
[
"t",
"namecoin"
],
[
"t",
"nostr"
],
[
"t",
"cypherpunk"
],
[
"t",
"dotbit"
],
[
"r",
"wss://relay.testls.bit/"
],
[
"r",
"https://relay.testls.bit/"
],
[
"r",
"https://github.com/vitorpamplona/amethyst/pull/2595"
],
[
"e",
"8db5e660c47c79468e7603d20b358e0b9de020c407bf1e61e9998b593660a125",
"",
"mention"
]
],
"content": "đĄ How to use relay.testls.bit â a Namecoin .bit-gated Nostr relay\n\nđ wss://relay.testls.bit/\n\nđĄď¸ What makes it different\n The relay only accepts events from pubkeys whose kind:0 metadata declares\n a .bit NIP-05 identifier (e.g. _@yourname.bit, m@testls.bit). Verification\n is done against Namecoin directly via ElectrumX â no DNS, no public CAs.\n\nđ To use it as a write relay you need:\n 1. A Namecoin .bit name (d/ namespace) you control\n 2. Set the .bit value to a JSON record with a \"nostr\" field mapping a\n label to your hex pubkey, e.g.\n {\"nostr\":{\"names\":{\"_\":\"\u003cyour-hex-pubkey\u003e\"}}}\n 3. Update your kind:0 metadata so \"nip05\" = \"\u003clabel\u003e@\u003cyourname\u003e.bit\"\n 4. Add wss://relay.testls.bit/ to your client's relay list\n\nđą Native client support\n Amethyst (Android + iOS + Desktop) has full .bit relay resolution behind\n PR #2595: it queries Namecoin via ElectrumX, rewrites wss://*.bit/ to the\n underlying real wss:// host or .onion, and pins TLS via Namecoin TLSA.\n No client-side config needed beyond adding the relay URL.\n\n https://github.com/vitorpamplona/amethyst/pull/2595\n\nđĄ Read-only access works for everyone\n Even without a .bit identity you can subscribe with REQ and read the relay\n freely. Only writes are gated.\n\nđ Why this matters\n It's a working demo of the cypherpunk thesis: name resolution and TLS\n trust without ICANN, without public CAs, without DNS. Names are\n blockchain-anchored and TLS is pinned via TLSA-on-Namecoin (DANE-TA).\n\nđ Browse it in your browser: https://relay.testls.bit/\n (vanilla SPA, talks WSS back to the same host. Self-signed cert is\n pinned via Namecoin TLSA.)\n Go to https://www.namecoin.org/download/ to figure out how to resolve\n on your OS or in your browser\n\nđ§ Nuts and Bolts â what a publisher actually has to do\n\n 1. On-chain Namecoin records (one-time per identity using \u003cname\u003e):\n\n ⢠id/\u003cname\u003e MUST exist with JSON like:\n {\"nostr\":{\"pubkey\":\"\u003chex-pubkey\u003e\",\n \"relays\":[\"wss://relay.testls.bit/\", ...]}}\n id/\u003cname\u003e is the canonical NIP-05 namespace; the relay verifies\n _@\u003cname\u003e.bit against this record.\n\n ⢠d/\u003cname\u003e SHOULD mirror the same \"nostr\" block for .bit-aware\n clients that resolve the domain side too.\n\n 2. Nostr events to publish BEFORE your kind:1 content (every\n identity, once per metadata change):\n\n a. kind:0 (profile metadata) with content JSON containing\n \"nip05\": \"_@\u003cname\u003e.bit\"\n The \"_\" localpart resolves to id/\u003cname\u003e via the NIP-05\n default-name rule. Without this, the relay rejects writes with:\n blocked: this relay requires a verified Namecoin .bit NIP-05\n\n b. kind:10002 (NIP-65 relay list) listing\n wss://relay.testls.bit/\n as a write relay. Not strictly required for acceptance, but\n it makes the relay discoverable in the author's outbox.\n\n Send both (a) and (b) to relay.testls.bit AND to your normal\n public relays so verification + discovery stay in sync.\n\n 3. TLS handshake (every connection):\n\n a. Resolve the host via Namecoin:\n name_show d/testls -\u003e map.relay -\u003e { ip, tls }\n The \"tls\" field is one or more TLSA records of shape\n [usage, selector, matchingType, base64-data]\n Currently usage=2 (DANE-TA), selector=1 (SPKI),\n matching=1 (SHA-256).\n\n b. Open TCP/TLS to that IP with SNI = \"relay.testls.bit\" and\n your own certificate validation (rejectUnauthorized=false).\n\n c. Pin against the TLSA. IMPORTANT: neither the leaf SPKI nor\n the intermediate SPKI hashes match â the pin is the\n AIA Parent CA SPKI, which the Namecoin TLS scheme staples\n as JSON inside the *issuer's* serialNumber RDN:\n\n serialNumber=Namecoin TLS Certificate\n \\n\\nStapled: {\"pubb64\":\"\u003cb64url SPKI DER\u003e\"}\n\n The cert literally encodes \\\" as backslash+quote and \\0A\n as \\ 0 A in that string â unescape both before JSON.parse.\n SHA-256 of base64url-decoded pubb64 is what TLSA covers.\n\n d. Once the pin matches, hand the validated TLS socket to your\n WebSocket client (e.g. ws's createConnection: () =\u003e socket)\n so you don't trigger a second TLS handshake.\n\n 4. Operational order for a content broadcast:\n\n a. Verify id/\u003cname\u003e + d/\u003cname\u003e on chain.\n b. Publish kind:0 (with .bit nip05) â public relays + .bit relay.\n c. Publish kind:10002 (with .bit relay) â public relays + .bit relay.\n d. Publish kind:1 (your content) â public relays + .bit relay.\n\n 5. Common failure modes:\n\n ⢠\"tls: TLSA pin mismatch\"\n You're hashing the leaf or chain SPKI. Use the stapled\n AIA Parent CA SPKI from the issuer's serialNumber RDN.\n\n ⢠\"blocked: this relay requires a verified Namecoin .bit NIP-05\"\n Latest kind:0 doesn't carry a .bit nip05, OR id/\u003cname\u003e\n on-chain doesn't list this pubkey.\n\n ⢠TLSA pin mismatch after a server cert rotation\n The on-chain \"tls\" array under d/\u003cbase\u003e/map/\u003csub\u003e needs an\n update â the AIA Parent CA pubkey is the trust anchor.\n\n Reference implementation:\n https://github.com/mstrofnone/nmcLightningService (publish-announce-bit.js)\n\n\n#namecoin #nostr #cypherpunk #dotbit\n",
"sig": "acd992a566b80ecc74a7b0ebeba55e4c93ec3924df08fa102df5b5bde399259cf0edde374aec5c72ae1772afd7082000a333572f4bcdf7b69764c774d757e8d7"
}