Public Common

Projects

Service	What it does
public-common.com	Management node — this site, contact, project index
public-adns.com	Public authoritative DNS service (NSD, DNSSEC ECDSAP256SHA256)
public-rdns.com	Public recursive DNS resolver (Unbound, DoH/DoT, DNSSEC, Hagezi RPZ blocking)
public-utc.com	Public NTP / NTS time service (chrony 4.x, RFC 8915)
public-repo.com	Public mirror service for Arch, Debian, Ubuntu, Gentoo, LineageOS, F-Droid, and more
public-blank.com	Public static / parking endpoint

What Is This

public-common.com is the central management host. It does not serve end-user traffic for any of the public services on its own — DNS queries, NTP packets, package downloads each have their own dedicated machines. What this node does is the boring but important plumbing:

Issuing and renewing TLS certificates for every public-* domain via ACME (Let's Encrypt, DNS-01).
Distributing configuration changes to the service nodes.
Hosting this index page so people can find the projects and reach the operator.

Everything user-visible lives on the per-service sites. The reason this domain exists at all is so each service can publish an independent privacy posture without one host being able to silently see traffic for another.

Principles

Free. No charge, no signup, no API key, no premium tier.
No client logging. Each user-facing service explicitly does not log query / request data to disk. Operational logs cover the daemon, not the user.
Encrypted at rest. ZFS native encryption is used on every host, including this one.
No analytics, no cookies, no third-party content. All of these sites are static HTML served by nginx.
Open standards only. RFC 8915 (NTS), DoH/DoT, DNSSEC ECDSAP256SHA256, ACME. No proprietary extensions, no client lock-in.
Independent boxes. Each service runs on its own host with its own address space, so a compromise of one cannot quietly tap traffic on another.

Privacy

Privacy claims that matter live on the per-service pages, because what counts is what the service that talks to you logs. Summary:

public-rdns.com — DNS queries are not written to disk. QNAME minimisation reduces upstream exposure.
public-adns.com — individual queries are not written to disk; ANY refused; identity / version hidden.
public-utc.com — NTP requests are not written to disk; NTS provides authentication.
public-repo.com — HTTP access requests are not written to disk; HTTPS only.
public-common.com (this site) — static HTML, no analytics, no cookies. The only thing this server cares about over HTTP is GET requests for these pages.

Across all hosts: ZFS native encryption at rest, no shell history retained, headless servers with no public remote-console exposure.

Operations

The public-* family is operated as a single project. Concrete shape:

One management host (this one) that holds the ACME account and pushes out renewed certificates.
Per-service hosts that run only the daemon they advertise — nsd on the authoritative DNS box, unbound + nginx on the recursive box, chronyd on the time box, nginx + a continuous rsync loop on the mirror box, nginx for the static sites.
Service-specific configuration is checked into a private repo and synced down; this site mirrors the publishable subset.
Method limits at the web tier: only HTTP GET is allowed on the public sites — everything else is denied at nginx.

TLS & ACME

All public-* domains use Let's Encrypt certificates issued via ACME with the DNS-01 challenge:

CA: Let's Encrypt (acme-v02 directory).
Challenge: DNS-01. The TXT record _acme-challenge.<domain> is published programmatically at the DNS provider, validated, then removed.
Key type: ECC P-256 (prime256v1 / ec-256). Smaller, faster than RSA-2048 for the connection rates these services see.
Coverage: apex plus wildcard (*.<domain>) per certificate, so subdomains can be added without re-issuing.
Renewal cadence: the ACME loop runs continuously; acme.sh only re-issues when a certificate is within its renewal window, so the public load on Let's Encrypt is bounded.
DH parameters: Mozilla ffdhe2048, refreshed from the upstream Mozilla SSL config service.
Tooling: acme.sh.

Certificates are deployed to the service nodes out of band; private keys never leave the host that owns them.

Infrastructure

OS: FreeBSD across all nodes.
Web server: nginx with HTTP/2 and HTTP/3 (QUIC) on every public site, including this one.
Filesystem: ZFS with native encryption everywhere.
Hardening headers (this and every public-* site): X-Content-Type-Options: nosniff, X-Frame-Options: DENY.
HTTP method: only GET permitted on public sites.
No remote console exposed to the public internet beyond the documented services on each host.
Operator hygiene: no shell history retained; sessions leave nothing on disk.

Status & Reliability

All public-* services are operated as a public good, best-effort. There is no paid SLA. If your use case needs strict availability:

DNS: always configure several resolvers (or several authoritatives) from independent operators. public-rdns.com exposes two IPv4 and two IPv6 addresses; pair it with another provider. For authoritative hosting see public-adns.com.
NTP/NTS: configure at least three independent time sources. The client picks a healthy majority, so a single one going offline cannot move your clock. public-utc.com is one such source.
Mirrors: use the project's mirror pool, not a hardcoded host. public-repo.com is one entry in those pools.

Outages are reachable by emailing the operator (below).

Abuse Reports

For abuse complaints relating to any public-* service:

DNS abuse — if a domain hosted on public-adns.com is being used for malware, phishing, or scams, send the domain and evidence to the address below. Hosting will be terminated.
Resolver / mirror abuse — DDoS amplification attempts, excessive scraping, or other misuse of public-rdns.com, public-repo.com, or public-utc.com can be reported with source IP and timestamps.
Please include UTC timestamps and as much identifying detail as you can; logs are intentionally minimal, so context from the reporter is what makes a report actionable.

Responsible-disclosure security reports are also welcome at the same address.

FAQ

Who runs this?

A single operator. The project is run as a public good — there is no company, no funding round, no upsell.

Why all the separate domains?

Each service has its own privacy posture and its own host. Splitting them across distinct domains makes that posture auditable from outside and prevents one service from silently aggregating data about another's users.

Can I donate?

Yes — Bitcoin, see Contact. Donations are appreciated but never required to use any of the services.

Can I help operate this?

Independent mirrors / resolvers / time servers help the broader internet far more than another contributor on this one. Run your own — the configurations behind these services are intentionally simple precisely so they can be reproduced.

Is there a status page?

Not currently. Each service exposes its own freshness signal — e.g. mirror lastsync files, DNS responses, NTP chronyc tracking against the host. If something looks broken, email.

Can I host my project under public-*?

The naming convention is reserved for first-party services run from this management node, so no — but if your project would benefit from one of the existing services (e.g. authoritative DNS hosting on public-adns.com), email and ask.

How are certificates issued?

ACME DNS-01 against Let's Encrypt with ECC P-256 keys, apex plus wildcard. See TLS & ACME.

Why FreeBSD?

ZFS, jails, a small kernel surface, and stable long-term behaviour. The services here don't need anything Linux-specific, and FreeBSD's defaults align with the operational hygiene this project cares about.