(defzone odin.gg
- ;; Nameservers
- :ns ((radius-ns :ip radius)
- (precision-ns :ip precision)
- ns6.gandi.net.)
+ ;; Nameservers. Sadly, the registry permits at most six. Don't deploy
+ ;; `mythic-ns1' (Linode Texas, duplicates `national') or `mythic-ns2'
+ ;; (Mythic Beasts in Cambridge, too close to home0; `mythic-ns3' is in the
+ ;; Netherlands, which is a better choice.
+ :ns #+odin-glue
+ ((radius.ns :ip radius)
+ (precision.ns :ip precision)
+ (telecaster.ns :ip telecaster)
+ (national.ns :ip national)
+ (eggle.ns :ip eggle)
+ ;;(mythic-beasts-1.ns :ip mythic-ns1)
+ ;;(mythic-beasts-2.ns :ip mythic-ns2)
+ (mythic-beasts-3.ns :ip mythic-ns3))
+ #-odin-glue
+ (radius.distorted.org.uk.
+ precision.distorted.org.uk.
+ telecaster.distorted.org.uk.
+ national.distorted.org.uk.
+ eggle.distorted.org.uk.
+ ns3.mythic-beasts.com.)
;; Web service.
- ((@ www) :svc stratocaster)
+ ((@ www) :svc stratocaster
+ :tlsa (:https (:service-certificate-constraint
+ :public-key :sha-256 #p"https-stratocaster")))
+
+ ;; Certification.
+ :caa ((:issue "letsencrypt.org")
+ (:issue "distorted.org.uk"))
;; Mail servers
- (@ :ttl 300
- :mx ((mail :ip vampire))
- :srv ((:smtp mail))))
+ :mx ((mail :ip stratocaster))
+ :srv ((:smtp mail))
+ :spf ((:version "spf1")
+ (:pass :ip stratocaster.dmz)
+ (:soft :all))
+ (_dmarc :dmarc (:v "DMARC1"
+ :p "quarantine" :sp "quarantine"
+ :adkim "s" :aspf "s"))
+ (_domainkey :dname stratocaster.dkim.distorted.org.uk.))
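Review bot: The `_dmarc` record enforces `quarantine` with strict alignment (`:adkim "s" :aspf "s"`) but carries no `rua` tag, so nothing reports back when legitimate mail starts failing alignment or when the domain is being spoofed. Consider adding a reporting address such as `:rua "mailto:<dmarc-reports-address>"`, assuming the `:dmarc` form passes tags through the way it appears to for `:p` and `:adkim`. The `:tlsa` entry on `(@ www)` pins a single SHA-256 public-key hash from `https-stratocaster` while `:caa` authorises `letsencrypt.org`, so a renewal that generates a fresh key would fail DANE checks in validating clients unless the new key's record is published first. A comment such as `;; TLSA pins the server key: publish the new key's hash before rolling it.` would record that. Separately, the nameserver comment opens a parenthesis at "(Mythic Beasts in Cambridge" that is never closed.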