Deployment
Running a DMP node that other people publish to.
Must-read before production: Hardening — TLS, token hygiene, operator signing-key handling, DNS zone hardening, file permissions, network exposure, upgrade cadence. Missing an item here is the most common way a DMP node gets owned.
- Docker — build, run, healthcheck, volumes, ports. The default path.
- DigitalOcean — one-shot bootstrap script for a single Droplet (works on any UDP-capable VPS). The fastest way to a real node on the public internet.
- Native Ubuntu — install directly via apt + pip + systemd, no Docker. ~50 MB idle RAM footprint vs ~150 MB for the Docker recipe. Fronted by Caddy for auto-TLS.
- Production — TLS via Caddy, rate limiting, per-name RRset caps, metrics scraping, env-var reference.
- Clustered deployment — 3-node federation with anti-entropy sync, for operators who need survival across individual node failure.
- Multi-tenant node — per-user publish tokens (M5.5): self-service registration, operator CLI, scope rules, split audit / anonymity property.
- Node heartbeat + directory — opt-in peer-to-peer discovery layer (M5.8): each node pings peers with signed heartbeats, and aggregators render a public directory off the resulting signed feed. No central trust anchor required. Project-canonical render at /directory/, refreshed every 30 min from directory/seeds.txt.
- Hardening — mandatory operator checklist before production.
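The heartbeat + directory item above describes the trust model (each node signs its own heartbeats, aggregators verify the feed, no central anchor) but not what an aggregator must check. The following is an added illustration, not dnsmesh code: the wire shape (`Heartbeat`, `SignedHeartbeat`, hex-encoded ed25519 key and signature, a per-node sequence number) is assumed for the example, and the freshness window of 30 minutes is a stand-in value. It shows the three checks a practitioner would want before an entry is rendered: the signature verifies under the key the heartbeat itself carries, the timestamp is inside the freshness window, and the sequence number is newer than the last one seen from that key (so a captured heartbeat cannot be replayed to keep a dead node listed).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"time"
)

// Heartbeat is an ASSUMED wire shape for this example, not the dnsmesh format.
// Field order is fixed by the struct, so json.Marshal yields a canonical byte string.
type Heartbeat struct {
	Node     string `json:"node"`     // operator-chosen display name (NOT authenticated)
	Endpoint string `json:"endpoint"` // where peers publish to
	PubKey   string `json:"pubkey"`   // hex ed25519 public key; this IS the node's identity
	Seq      uint64 `json:"seq"`      // strictly increasing per node; replay guard
	Issued   int64  `json:"issued"`   // unix seconds; freshness guard
}

// SignedHeartbeat carries the body plus an ed25519 signature over canonical(Body).
type SignedHeartbeat struct {
	Body Heartbeat `json:"body"`
	Sig  string    `json:"sig"` // hex
}

func canonical(h Heartbeat) []byte {
	b, _ := json.Marshal(h) // cannot fail for this struct
	return b
}

// NewNodeKey generates a node identity; an operator would persist priv (see Hardening).
func NewNodeKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign fills in PubKey from the private key and signs the canonical body.
func Sign(priv ed25519.PrivateKey, h Heartbeat) SignedHeartbeat {
	h.PubKey = hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	return SignedHeartbeat{Body: h, Sig: hex.EncodeToString(ed25519.Sign(priv, canonical(h)))}
}

var (
	ErrSignature = errors.New("signature does not verify under the carried public key")
	ErrStale     = errors.New("heartbeat outside the freshness window")
	ErrReplay    = errors.New("sequence number not newer than last seen for this key")
)

// Directory is an aggregator's view. Entries are keyed by public key, never by
// Node name: with no central anchor, nothing stops two keys claiming one name.
type Directory struct {
	MaxAge time.Duration
	latest map[string]Heartbeat
}

func NewDirectory(maxAge time.Duration) *Directory {
	return &Directory{MaxAge: maxAge, latest: map[string]Heartbeat{}}
}

// Accept verifies one heartbeat and folds it in; rejected heartbeats leave no trace.
func (d *Directory) Accept(sh SignedHeartbeat, now time.Time) error {
	pub, err := hex.DecodeString(sh.Body.PubKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("%w: malformed public key", ErrSignature)
	}
	sig, err := hex.DecodeString(sh.Sig)
	if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), canonical(sh.Body), sig) {
		return ErrSignature
	}
	issued := time.Unix(sh.Body.Issued, 0)
	if now.Sub(issued) > d.MaxAge || issued.Sub(now) > d.MaxAge { // too old or future-dated
		return ErrStale
	}
	if prev, ok := d.latest[sh.Body.PubKey]; ok && sh.Body.Seq <= prev.Seq {
		return ErrReplay
	}
	d.latest[sh.Body.PubKey] = sh.Body
	return nil
}

// Render returns the nodes still inside the freshness window, sorted by name.
func (d *Directory) Render(now time.Time) []Heartbeat {
	var out []Heartbeat
	for _, h := range d.latest {
		if now.Sub(time.Unix(h.Issued, 0)) <= d.MaxAge {
			out = append(out, h)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Node < out[j].Node })
	return out
}

func main() {
	now := time.Now()
	dir := NewDirectory(30 * time.Minute) // assumed window, must exceed the heartbeat interval
	_, priv := NewNodeKey()
	hb := Sign(priv, Heartbeat{Node: "a.example", Endpoint: "udp://a.example:5353", Seq: 1, Issued: now.Unix()})
	fmt.Println("first:", dir.Accept(hb, now))  // <nil>
	fmt.Println("replay:", dir.Accept(hb, now)) // rejected
	for _, h := range dir.Render(now) {
		fmt.Printf("%s %s key=%s...\n", h.Node, h.Endpoint, h.PubKey[:8])
	}
}
```

Two design points worth carrying into a real aggregator: the verification key comes from the heartbeat itself, so the only thing the feed proves is "the holder of this key said this"; any mapping from key to a human-meaningful name needs its own source (the page's seeds.txt, or the zone operator's own publication), and the freshness window has to be longer than the heartbeat interval or live nodes flicker out of the directory between refreshes.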
You only need to run a node if you want other people to publish to your
zone. Using the dnsmesh CLI against someone else’s node does not require you
to run one yourself — just point --endpoint at theirs.