; vi: ft=bindzone:ts=8:sw=8:nowrap:noet
$ORIGIN kyriasis.com.
$TTL 2h

@       IN      SOA     theos.kyriasis.com. hostmaster (
                                74      ; serial
                                4h      ; refresh
                                1h      ; retry
                                1w      ; expire
                                1h      ; minttl
                        )
                NS ns1
                NS ns2
                NS ns3

                ; -> lucifer.kyriasis.com
                A       178.79.157.58
                AAAA    2a01:7e00::f03c:91ff:fe69:1787

theos           A       212.71.254.33
theos           AAAA    2a01:7e00::f03c:91ff:fe6e:f996
h.theos         AAAA    fca1:fabb:7792:f28d:4623:139:10af:549

NS1             A       212.71.254.33
NS1             AAAA    2a01:7e00::f03c:91ff:fe6e:f996
NS2             A       178.79.157.58
NS2             AAAA    2a01:7e00::f03c:91ff:fe69:1787
NS3             A       109.74.205.187
NS3             AAAA    2a01:7e00::f03c:91ff:fe50:9476

zorg            AAAA    2a01:7e00:e000:136::2
h.zorg          AAAA    fc3d:9b94:8d0e:8e88:72d3:2193:9425:6574
leeloo          A       80.217.51.233
h.leeloo        AAAA    fcb9:72d4:cd1b:57f4:1ab0:bd4:e015:7e03
h.tirxu         AAAA    fc29:58d6:7dbb:81e7:2d03:3205:fcce:20e7

www             CNAME   kyriasis.com.
www.theos       CNAME   theos
git             CNAME   theos
ldap            CNAME   theos
autoconfig      CNAME   theos
ca              CNAME   theos
wiki            CNAME   theos
xan             CNAME   theos

;;; Keybase verification
@               TXT     "keybase-site-verification=ps0bAlsiJPIhNZy3mN-xDArc8f9A-AEoVhgsC6NDLDk"
theos           TXT     "keybase-site-verification=_bApRga8QdQm0OpTxOZLeBFAPDB1_VV_BGbB8X-jw-M"

;;; DNSSEC

; bind 9.9 and later supports "live signing" where the nameserver automatically signs the
; zone in memory. Due to this the live zone has a larger serial number than in this file

;;; DANE (TLSA) - http://tools.ietf.org/html/rfc6698
;   "TLSA" <usage> <selector> <match>
;   usage:
;     [0] match certification path & require known CA or trust anchor
;     [1] match end-entity certificate & require known CA or trust anchor
;     [2] match certification path, using given cert as trust anchor
;     [3] match end-entity certificate
;   selector:
;     [0] X.509 certificate
;     [1] public key
;   match:
;     [0] exact match
;     [1] SHA-256 hash
;     [2] SHA-512 hash

;; theos
; https; StartSSL
_443._tcp.theos         TLSA    3 0 1   35da01bd9fed5e538baae2cb423dd6923f8d313c774f2da1b40e64d418e3f271


;;; Mail

;; MX
@                       MX      5       theos
@                       MX      5       lucifer
@                       MX      10      h.theos
h                       MX      5       h.theos
theos                   MX      5       theos
theos                   MX      25      lucifer
lists                   MX      5       theos

;; SPF <http://tools.ietf.org/html/rfc4408>
@                       TXT     "v=spf1 a mx ~all"
@                       SPF     "v=spf1 a mx ~all"
theos                   SPF     "v=spf1 a mx ~all"
theos                   TXT     "v=spf1 a mx ~all"

;; DKIM <http://tools.ietf.org/html/rfc6376>
theos._domainkey        TXT     "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5u7MOeQk0oIgy64BcFDvmxiRGuZBPTFaFvRTz0LZMIq66E0iW76RFC9tBONQrVvVUCeMldmgy7AGjRMbZaszgtL14PJQeD9HDfbVnEVQhS12kMY2HPR3HruwfLcSgADjBwt3nVkdXusjTsNoGB/Yj7+Bdr/HFHi5blLB3a+6S7wIDAQAB"
lucifer._domainkey      TXT     "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYcYHES1v8w5pgSxmU5OuvG+JoNCynxPNnTzzwaiG6AWvTbToCRrqjVksCxeC+3YpzVvJGU3NifmM6c64rJRz/IVZYkim0UkZP2L07fhm0mUNwkcemziTG9YmrcGI9h9BiSYoW+v0hZuGjtmDUfPzupLYk1Cif3ZPZg7IwUai5+QIDAQAB"
theos._domainkey.theos  TXT     "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5u7MOeQk0oIgy64BcFDvmxiRGuZBPTFaFvRTz0LZMIq66E0iW76RFC9tBONQrVvVUCeMldmgy7AGjRMbZaszgtL14PJQeD9HDfbVnEVQhS12kMY2HPR3HruwfLcSgADjBwt3nVkdXusjTsNoGB/Yj7+Bdr/HFHi5blLB3a+6S7wIDAQAB"

;; DMARC <https://tools.ietf.org/html/rfc7489>
_dmarc                  TXT     "v=DMARC1; adkim=r; aspf=r; fo=1:d:s; p=none; rua=mailto:aggrep@kyriasis.com; ruf=mailto:authfail@kyriasis.com"

;; SRV for email discovery <https://tools.ietf.org/html/rfc6186>
;;   (not sure if anything useful uses them?)
_submission._tcp        SRV     0       0       587     theos
_imap._tcp              SRV     0       0       143     theos
_imaps._tcp             SRV     0       0       993     theos


;;; Kerberos <http://web.mit.edu/Kerberos/krb5-latest/doc/admin/realm_config.html>
_kerberos               TXT     "KYRIASIS.COM"
_kerberos._udp          SRV     0       0       88      theos
_kerberos._tcp          SRV     0       0       88      theos
_kerberos-master._udp   SRV     0       0       88      theos
_kerberos-adm._tcp      SRV     0       0       749     theos
_kpasswd._udp           SRV     0       0       464     theos


;;; LDAP
_ldap._tcp              SRV     0       0       389     theos
_ldaps._tcp             SRV     0       0       636     theos


;;; XMPP
_xmpp-client._tcp       SRV     5       0       5222    theos
_xmpp-client._tcp       SRV     5       5       5222    h.theos
_xmpp-server._tcp       SRV     5       0       5269    theos
_xmpp-server._tcp       SRV     5       5       5269    h.theos

;;; Gale
gale                    CNAME   theos


;;; IPFS
johannes                TXT     "QmYWhbxWNi91iGwhFdYoKmQaDLg4cEYcnzY5kzSV8qrgQ3"
johannes                TXT     "dnslink=/ipns/QmYWhbxWNi91iGwhFdYoKmQaDLg4cEYcnzY5kzSV8qrgQ3"


;;; Users

; CERT and _pka records are used by GnuPG for looking up recipient's public key.
; - See <http://www.gushi.org/make-dns-cert/HOWTO.html> for a guide.
; - See RFC 4398 § 2.2 for CERT IPGP.

; OPENPGPKEY records are similar, but have the complete key.
; - See <http://tools.ietf.org/html/draft-wouters-dane-openpgp-02>

johannes                TXT      "Johannes Löthberg <johannes@kyriasis.com>, +46739525259"
                        CERT     IPGP   0  0    ( FFE0756vZflba7FgjlD7myc6nQu1aHR0cHM6Ly90aGVvcy
                                                  5reXJpYXNpcy5jb20vfmt5cmlhcy9wZ3Ata2V5LnR4dA== )
oqcqzgr1asi197b33efih1a8y5q37xz3._pka CERT IPGP 0 0 5134EF9EAF65F95B6BB1608E50FB9B273A9D0BB5
johannes._pka           TXT      "v=pka1;fpr=5134EF9EAF65F95B6BB1608E50FB9B273A9D0BB5;uri=https://theos.kyriasis.com/~kyrias/pgp-key.txt"


;;; Delegated subdomains

;; Arch-Tk
arch                    NS      ns1.he.net.
                        NS      ns2.he.net.
                        NS      ns3.he.net.
                        NS      ns4.he.net.
                        NS      ns5.he.net.


$INCLUDE "/home/kyrias/dns/lucifer.kyriasis.com.zone"
$INCLUDE "/home/kyrias/dns/_openpgpkey.kyriasis.com.zone"