;;; Zone file for odin.gg

(load "hosts.lisp" :verbose nil)

(setf *default-zone-admin* "hostmaster@odin.gg")

(setf *default-zone-source* 'radius.distorted.org.uk.)

(defzone odin.gg

  ;; Nameservers.  Sadly, the registry permits at most six.  Don't deploy
  ;; `mythic-ns1' (Linode Texas, duplicates `national') or `mythic-ns2'
  ;; (Mythic Beasts in Cambridge, too close to home0; `mythic-ns3' is in the
  ;; Netherlands, which is a better choice.
  :ns #+odin-glue
      ((radius.ns :ip radius)
       (precision.ns :ip precision)
       (telecaster.ns :ip telecaster)
       (national.ns :ip national)
       (eggle.ns :ip eggle)
       ;;(mythic-beasts-1.ns :ip mythic-ns1)
       ;;(mythic-beasts-2.ns :ip mythic-ns2)
       (mythic-beasts-3.ns :ip mythic-ns3))
      #-odin-glue
      (radius.distorted.org.uk.
       precision.distorted.org.uk.
       telecaster.distorted.org.uk.
       national.distorted.org.uk.
       eggle.distorted.org.uk.
       ns3.mythic-beasts.com.)

  ;; Web service.
  ((@ www) :svc stratocaster
	   :tlsa (:https (:service-certificate-constraint
			  :public-key :sha-256 #p"https-stratocaster")))

  ;; Certification.
  :caa ((:issue "letsencrypt.org")
	(:issue "distorted.org.uk"))

  ;; Mail servers
  :mx ((mail :ip stratocaster))
  :srv ((:smtp mail))
  :spf ((:version "spf1")
	(:pass :ip stratocaster.dmz)
	(:soft :all))
  (_dmarc :dmarc (:v "DMARC1"
		  :p "quarantine" :sp "quarantine"
		  :adkim "s" :aspf "s"))
  (_domainkey :dname stratocaster.dkim.distorted.org.uk.))