; vi: ft=bindzone:ts=8:sw=8:nowrap:noet
$ORIGIN kyriasis.com.
$TTL 2h

@       IN      SOA     theos.kyriasis.com. hostmaster (
                                35      ; serial
                                4h      ; refresh
                                1h      ; retry
                                1w      ; expire
                                1h      ; minttl
                        )
                NS ns1.kyriasis.com.
                NS ns2.kyriasis.com.

                ; -> lucifer.kyriasis.com
                A       178.79.157.58
                AAAA    2a01:7e00::f03c:91ff:fe69:1787

theos           A       212.71.254.33
theos           AAAA    2a01:7e00::f03c:91ff:fe6e:f996

NS1             A       212.71.254.33
NS1             AAAA    2a01:7e00::f03c:91ff:fe6e:f996
NS2             A       178.79.157.58
NS2             AAAA    2a01:7e00::f03c:91ff:fe69:1787

www             CNAME   kyriasis.com.
git             CNAME   theos.kyriasis.com.
ldap            CNAME   theos.kyriasis.com.
autoconfig      CNAME   theos.kyriasis.com.
ca              CNAME   theos.kyriasis.com.

;;; Keybase verification
@               TXT     "keybase-site-verification=ps0bAlsiJPIhNZy3mN-xDArc8f9A-AEoVhgsC6NDLDk"
theos           TXT     "keybase-site-verification=_bApRga8QdQm0OpTxOZLeBFAPDB1_VV_BGbB8X-jw-M"

;;; DNSSEC

; bind 9.9 and later supports "live signing" where the nameserver automatically signs the
; zone in memory. Due to this the live zone has a larger serial number than in this file

;;; DANE (TLSA) - http://tools.ietf.org/html/rfc6698
;   "TLSA" <usage> <selector> <match>
;   usage:
;     [0] match certification path & require known CA or trust anchor
;     [1] match end-entity certificate & require known CA or trust anchor
;     [2] match certification path, using given cert as trust anchor
;     [3] match end-entity certificate
;   selector:
;     [0] X.509 certificate
;     [1] public key
;   match:
;     [0] exact match
;     [1] SHA-256 hash
;     [2] SHA-512 hash

;; theos
; https; StartSSL
_443._tcp.theos         TLSA    3 0 1   35da01bd9fed5e538baae2cb423dd6923f8d313c774f2da1b40e64d418e3f271


;;; Mail

;; MX
@                       MX      5       theos.kyriasis.com.
@                       MX      20      lucifer.kyriasis.com.
theos                   MX      5       theos.kyriasis.com.

;; SPF <http://tools.ietf.org/html/rfc4408>
@                       TXT     "v=spf1 a mx ~all"
@                       SPF     "v=spf1 a mx ~all"
theos                   SPF     "v=spf1 a mx ~all"
theos                   TXT     "v=spf1 a mx ~all"

;; DKIM <http://tools.ietf.org/html/rfc6376>
theos._domainkey        TXT     "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDp4YIk0oJEW1PbPBwCEr8o/e7koQ57jHLmBml1nRKwcBSH/TIkuqz85YYT72s88LaXVlaz2JDygT43edcD/kBxPPDXAqfME8PRGxXi5X2nmyhbCBT+Q5w0kiPkbGOta8pes1Ger1tUIcvRWhuiqX5QHB0pY/cJ+rBBPb7VGqjHLwIDAQABoQ57jHLmBml1nRKwcBSH/TIku"
lucifer._domainkey      TXT     "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCurY0mrJZT5KKUYDfXkceauC2lLGk0E6z75bq0IcPcoNNrXbHIYQMuN5VMulrXv3qF6lbcJwA87XnvE7uS7471fmEYXluOZ2A+HdPm/W/LL1Z9De4LTgt45AWzanczDGxekh5hdy/VCwkxw1Kq6TA9G1fPJTF2sVvqo8JHNoI5swIDAQAB"
theos._domainkey.theos  TXT     "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDp4YIk0oJEW1PbPBwCEr8o/e7koQ57jHLmBml1nRKwcBSH/TIkuqz85YYT72s88LaXVlaz2JDygT43edcD/kBxPPDXAqfME8PRGxXi5X2nmyhbCBT+Q5w0kiPkbGOta8pes1Ger1tUIcvRWhuiqX5QHB0pY/cJ+rBBPb7VGqjHLwIDAQABoQ57jHLmBml1nRKwcBSH/TIku"

;; SRV for email discovery <https://tools.ietf.org/html/rfc6186>
;;   (not sure if anything useful uses them?)
_submission._tcp        SRV     0       0       587     theos.kyriasis.com.
_imap._tcp              SRV     0       0       143     theos.kyriasis.com.
_imaps._tcp             SRV     0       0       993     theos.kyriasis.com.


;;; Kerberos <http://web.mit.edu/Kerberos/krb5-latest/doc/admin/realm_config.html>
_kerberos               TXT     "KYRIASIS.COM"
_kerberos._udp          SRV     0       0       88      theos.kyriasis.com.
_kerberos._tcp          SRV     0       0       88      theos.kyriasis.com.
_kerberos-master._udp   SRV     0       0       88      theos.kyriasis.com.
_kerberos-adm._tcp      SRV     0       0       749     theos.kyriasis.com.
_kpasswd._udp           SRV     0       0       464     theos.kyriasis.com.


;;; LDAP
_ldap._tcp              SRV     0       0       389     theos.kyriasis.com.
_ldaps._tcp             SRV     0       0       636     theos.kyriasis.com.

;;; Gale
gale                    CNAME   theos.kyriasis.com.

;;; SSH hostkeys <http://tools.ietf.org/html/rfc4255>
;  <http://www.iana.org/assignments/dns-sshfp-rr-parameters/dns-sshfp-rr-parameters.xhtml>
;  "SSHFP" <algorithm> <fingerprint type> <fingerpint>
;  algorithm:
;    [1] RSA
;    [2] DSA
;    [3] ECDSA
;    [4] ED25519
;  fingerprint type:
;    [1] SHA-1
;    [2] SHA-256

;; theos
; RSA
theos                   SSHFP   1 1     35fb44db05be6c6b6867663021c1375c78ebdf33
theos                   SSHFP   1 2     74befd1f190727fd27ab0f20338a352264d7da1cafe14dd7315a25d6
; Ed25519
theos                   SSHFP   4 1     50a1c85a3c98ca1bbc44a6b602b6be662a51b433
theos                   SSHFP   4 2     bc7d361c8576cc7e6ddfc12b9d826074d2201a521233b94896c1cb6c06a87e41


;;; Users

; CERT and _pka records are used by GnuPG for looking up recipient's public key.
; - See <http://www.gushi.org/make-dns-cert/HOWTO.html> for a guide.
; - See RFC 4398 § 2.2 for CERT IPGP.

; OPENPGPKEY records are similar, but have the complete key.
; - See <http://tools.ietf.org/html/draft-wouters-dane-openpgp-02>

johannes                TXT      "Johannes Löthberg <johannes@kyriasis.com>, +46739525259"
                        CERT     IPGP   0  0    ( FFE0756vZflba7FgjlD7myc6nQu1aHR0cHM6Ly90aGVvcy
                                                  5reXJpYXNpcy5jb20vfmt5cmlhcy9wZ3Ata2V5LnR4dA== )
johannes._pka           TXT      "v=pka1;fpr=5134EF9EAF65F95B6BB1608E50FB9B273A9D0BB5;uri=https://theos.kyriasis.com/~kyrias/pgp-key.txt"


;;; Delegated subdomains

;; Arch-TkK
arch                    NS      ns1.he.net.
                        NS      ns2.he.net.
                        NS      ns3.he.net.
                        NS      ns4.he.net.
                        NS      ns5.he.net.


$INCLUDE "/home/kyrias/dns/lucifer.kyriasis.com.zone"