Context. I resolve "delegated" IPNS chains where one IPNS record points to another IPNS name before reaching content: /ipns/An → /ipns/Mn → /ipfs/<cid>. This keeps an owner key (An) offline while an online delegate re-signs the inner record (Mn). The final content is signed by the terminal key Mn, not by An.
Problem. When loading this over an untrusted gateway, the final content alone is not enough — I must independently verify each hop's signed IPNS record to bind An → … → Mn (otherwise a malicious gateway could serve content under any key and claim it is An's resolution). Today a plain GET /ipns/An makes the gateway recurse internally and returns only the final content; the intermediate signed IPNS records are discarded and exposed in no response header (X-Ipfs-Path / X-Ipfs-Roots only carry the final CID — verified empirically on a 2-hop and a 3-hop chain). So trustless verification currently requires one extra GET /ipns/<name>?format=ipns-record per hop, sequentially — N+1 round-trips instead of 1.
Question / request. Is there an existing or planned way for a single gateway request to return both the ordered chain of signed IPNS records traversed during recursion and the final content (or final CID)? For example: a multi-record ?format=ipns-record response, an extension to ?format=car that includes the IPNS records along the path, or response metadata enumerating the intermediate records. The goal is for a trustless client to verify the whole An → … → Mn → /ipfs/<cid> chain in one round-trip rather than N+1.
Thanks!
Context. I resolve "delegated" IPNS chains where one IPNS record points to another IPNS name before reaching content:
/ipns/An → /ipns/Mn → /ipfs/<cid>. This keeps an owner key (An) offline while an online delegate re-signs the inner record (Mn). The final content is signed by the terminal keyMn, not byAn.Problem. When loading this over an untrusted gateway, the final content alone is not enough — I must independently verify each hop's signed IPNS record to bind
An → … → Mn(otherwise a malicious gateway could serve content under any key and claim it isAn's resolution). Today a plainGET /ipns/Anmakes the gateway recurse internally and returns only the final content; the intermediate signed IPNS records are discarded and exposed in no response header (X-Ipfs-Path/X-Ipfs-Rootsonly carry the final CID — verified empirically on a 2-hop and a 3-hop chain). So trustless verification currently requires one extraGET /ipns/<name>?format=ipns-recordper hop, sequentially —N+1round-trips instead of 1.Question / request. Is there an existing or planned way for a single gateway request to return both the ordered chain of signed IPNS records traversed during recursion and the final content (or final CID)? For example: a multi-record
?format=ipns-recordresponse, an extension to?format=carthat includes the IPNS records along the path, or response metadata enumerating the intermediate records. The goal is for a trustless client to verify the wholeAn → … → Mn → /ipfs/<cid>chain in one round-trip rather thanN+1.Thanks!