X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/zones/blobdiff_plain/aa4209550daaa475ad22fee854140c4178575cd0..HEAD:/distorted.lisp diff --git a/distorted.lisp b/distorted.lisp index 604e93d..2f24778 100644 --- a/distorted.lisp +++ b/distorted.lisp @@ -71,6 +71,7 @@ (defzone distorted.org.uk (precision.ns :ip precision) (telecaster.ns :ip telecaster) (national.ns :ip national) + (eggle.ns :ip eggle) #-view/inside (mythic-beasts-1.ns :ip mythic-ns1) #-view/inside (mythic-beasts-2.ns :ip mythic-ns2) #-view/inside (mythic-beasts-3.ns :ip mythic-ns3) @@ -82,10 +83,19 @@ (defzone distorted.org.uk ;; Mail servers. ((@ mail blackhole) :mx mail :srv ((:smtp mail))) - ((bugs) :ttl 300 :mx lists :srv ((:smtp bugs))) - ((lists) :ttl 300 :mx lists :srv ((:smtp lists))) + (bugs :mx lists :srv ((:smtp bugs))) + (lists :mx lists :srv ((:smtp lists))) + (_dmarc :dmarc (:v "DMARC1" + :p "quarantine" :sp "quarantine" + :adkim "s" :aspf "s")) ((_domainkey _domainkey.mail) :dname stratocaster.dkim) + ((stratocaster @ mail) :spf ((:version "spf1") + (:pass :ip stratocaster.dmz) + (:soft :all))) ((_domainkey.bugs _domainkey.lists) :dname telecaster.dkim) + ((telecaster bugs lists) :spf ((:version "spf1") + (:pass :ip telecaster.dmz) + (:soft :all))) ;; Anycast services. (dns0 :anycast ((any dns0.any) (dmz radius.dmz) @@ -193,7 +203,9 @@ (defzone distorted.org.uk (dmz :alias strat.dmz :abbrev sd)) (stratocaster (unsafe :addr stratocaster.unsafe :sshfp "stratocaster") (dmz :addr stratocaster.dmz :sshfp "stratocaster")) - (jazz :abbrev z (unsafe :abbrev zu) (dmz :abbrev zd) (vpn :abbrev :zv)) + (jazz :abbrev z + (unsafe :abbrev zu) (dmz :abbrev zd) + (vpn :abbrev :zv) (iodine :abbrev z53) (hippo :abbrev zh)) (jazz (unsafe :addr jazz.unsafe :sshfp "jazz") (dmz :addr jazz.dmz :sshfp "jazz") (vpn :addr jazz.vpn :sshfp "jazz") 
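Review bot: The new `_dmarc` record in the mail-server hunk enforces `:p "quarantine"` and `:sp "quarantine"` with strict `:adkim "s"` and `:aspf "s"`, but it carries no aggregate-report address. Receivers will therefore quarantine misaligned mail without any feedback reaching the operator, and mail relayed through `bugs` and `lists` (presumably list traffic) is where strict alignment most often fails. Consider publishing a DMARC `rua=` tag together with the enforcing policy; the keyword this zone language uses for it is not visible here. A one-line comment above the two `:spf` forms, such as `;; softfail is deliberate: DMARC does the enforcing`, would also record why they end in `(:soft :all)`.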
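Review bot: On the rewritten `jazz` abbreviation form, `(vpn :abbrev :zv)` passes a keyword where every other entry passes a bare symbol (`zu`, `zd`, `z53`, `zh`). Since the line is being reflowed anyway, `(vpn :abbrev zv)` would make it consistent, unless the macro is known to treat the two identically. The hunk also adds `iodine` and `hippo` abbreviations while the `jazz` address form visible as context lists only `unsafe`, `dmz` and `vpn`. That form runs past the end of the hunk, so confirm the matching `:addr` entries exist.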
@@ -202,8 +214,11 @@ (defzone distorted.org.uk ;; Virtual hosts. (national :abbrev n (linode :abbrev nl) (upn :abbrev ny)) - (national (linode :addr national.linode) - (upn :addr national.upn)) + (national (linode :addr national.linode :sshfp "national") + (upn :addr national.upn :sshfp "national")) + (eggle :abbrev e (jump :abbrev ej) (upn :abbrev ey)) + (eggle (jump :addr eggle.jump :sshfp "eggle") + (upn :addr eggle.upn :sshfp "eggle")) (mdwdev (upn :addr mdwdev.upn)) ;; Nicko's servers. @@ -212,7 +227,7 @@ (defzone distorted.org.uk ;; Entry is via little router box. (dmz :net dmz) - (guvnor (dmz :addr guvnor.dmz)) + (guvnor (dmz :addr guvnor.dmz :sshfp "radius")) (nat (dmz :addr nat.dmz)) ;; Wireless access points. @@ -224,9 +239,11 @@ (defzone distorted.org.uk (lunch :alias ap1) (lunch (safe :addr lunch.safe)) - ;; Printer. + ;; Printer and scanner. (burntaxe :alias lp0) (burntaxe (safe :addr burntaxe.safe)) + (unicorn :alias scan0) + (unicorn (safe :addr unicorn.safe)) ;; Switches. (grigsby :alias tp0) @@ -273,8 +290,7 @@ (defzone distorted.org.uk (artist (unsafe :addr artist.unsafe :sshfp "artist") (dmz :addr artist.dmz :sshfp "artist") (untrusted :addr artist.untrusted :sshfp "artist")) - (groove :abbrev gr - (vpn :abbrev grv) (unsafe :abbrev gru)) + (groove :abbrev gr (vpn :abbrev grv) (unsafe :abbrev gru)) (groove (vpn :addr groove.vpn :sshfp "groove") (unsafe :addr groove.unsafe :sshfp "groove")) @@ -288,9 +304,10 @@ (defzone distorted.org.uk ;; Virtual network. (vpn :net vpn) - (crybaby :abbrev cb) + (crybaby :abbrev cb (vpn :abbrev cbv) (hippo :abbrev cbh)) (crybaby (vpn :addr crybaby.vpn :sshfp "crybaby") (hippo :addr crybaby.hippo :sshfp "crybaby")) + (spirit :abbrev sp (vpn :abbrev spv) (hippo :abbrev sph)) (spirit (vpn :addr spirit.vpn :sshfp "spirit") (hippo :addr spirit.hippo :sshfp "spirit")) (terror (vpn :addr terror.vpn :sshfp "terror")) 
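Review bot: `guvnor` is the only host in this commit whose `:sshfp` argument does not match its own name: the router hunk has `(guvnor (dmz :addr guvnor.dmz :sshfp "radius"))`, against `"national"` and `"eggle"` in the hunk before it. If guvnor is another address of radius, this is correct but deserves a comment such as `;; guvnor is an address of radius, so it publishes radius's host key`. If it is a separate machine, the published fingerprint will not match its real host key and clients that check SSHFP (OpenSSH `VerifyHostKeyDNS`) will report a mismatch. If the two machines deliberately share one host key, the comment should say so, because compromise of either then lets it impersonate the other.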
@@ -313,7 +330,8 @@ (defzone distorted.org.uk (dhcp :ns ((radius.ns.dhcp :ip radius) (precision.ns.dhcp :ip precision) (telecaster.ns.dhcp :ip telecaster) - (national.ns.dhcp :ip national)) + (national.ns.dhcp :ip national) + (eggle.ns.dhcp :ip eggle)) :ds ((55966 :rsasha256 :sha1 "95b05c1f4e84f950f29630004bac447f8a87ca33") (55966 :rsasha256 :sha256 @@ -322,7 +340,8 @@ (defzone distorted.org.uk (dyn :ns ((radius.ns.dyn :ip radius) (precision.ns.dyn :ip precision) (telecaster.ns.dyn :ip telecaster) - (national.ns.dyn :ip national)) + (national.ns.dyn :ip national) + (eggle.ns.dyn :ip eggle)) :ds ((11335 :rsasha256 :sha1 "7ed2b843b0bfb38ceca68617dfacbeafab1d1ea9") (11335 :rsasha256 :sha256 @@ -331,7 +350,8 @@ (defzone distorted.org.uk (dnserr :ns ((radius.ns.dnserr :ip radius.dmz) (precision.ns.dnserr :ip precision.dmz) (telecaster.ns.dnserr :ip telecaster.dmz) - (national.ns.dnserr :ip national.linode)) + (national.ns.dnserr :ip national.linode) + (eggle.ns.dnserr :ip eggle.jump)) :ds ((40945 :rsasha256 :sha1 "f35b5d0b877b940e63ad1b3afc21d6ba83cd1b3b") (40945 :rsasha256 :sha256 @@ -342,9 +362,10 @@ (defzone distorted.org.uk (precision.ns.stratocaster.dkim :ip precision.dmz) (telecaster.ns.stratocaster.dkim :ip telecaster.dmz) (national.ns.stratocaster.dkim :ip national.linode) - #+later (mythic-beasts-1.ns.stratocaster.dkim :ip mythic-ns1) - #+later (mythic-beasts-2.ns.stratocaster.dkim :ip mythic-ns2) - #+later (mythic-beasts-3.ns.stratocaster.dkim :ip mythic-ns3)) + (eggle.ns.stratocaster.dkim :ip eggle.jump) + (mythic-beasts-1.ns.stratocaster.dkim :ip mythic-ns1) + (mythic-beasts-2.ns.stratocaster.dkim :ip mythic-ns2) + (mythic-beasts-3.ns.stratocaster.dkim :ip mythic-ns3)) :ds ((24577 :rsasha256 :sha1 "d06847c01e19098509a8d07a9aafaceff532c9c7") (24577 :rsasha256 :sha256 
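Review bot: Dropping `#+later` in the `stratocaster.dkim` delegation makes the three `mythic-beasts-N.ns.stratocaster.dkim` entries unconditional, whereas the apex name-server list at the top of the file guards the same external secondaries with `#-view/inside`. If those secondaries carry only the outside view, the inside view now delegates the DKIM zone to servers that presumably cannot answer for it. Either add the same `#-view/inside` guard or add a comment explaining why none is needed here. The `telecaster.dkim` delegation in the following hunk has the same pattern; both forms begin outside their hunks.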
@@ -355,26 +376,28 @@ (defzone distorted.org.uk (precision.ns.telecaster.dkim :ip precision.dmz) (telecaster.ns.telecaster.dkim :ip telecaster.dmz) (national.ns.telecaster.dkim :ip national.linode) - #+later (mythic-beasts-1.ns.telecaster.dkim :ip mythic-ns1) - #+later (mythic-beasts-2.ns.telecaster.dkim :ip mythic-ns2) - #+later (mythic-beasts-3.ns.telecaster.dkim :ip mythic-ns3)) + (eggle.ns.telecaster.dkim :ip eggle.jump) + (mythic-beasts-1.ns.telecaster.dkim :ip mythic-ns1) + (mythic-beasts-2.ns.telecaster.dkim :ip mythic-ns2) + (mythic-beasts-3.ns.telecaster.dkim :ip mythic-ns3)) :ds ((38896 :rsasha256 :sha1 "2c2daea658784e22c46bf9e86da67def1e34cf40") (38896 :rsasha256 :sha256 #.(concatenate 'string "66997571c7d47f912caa65f2154ecd37" "5b9d391e3ed44d79ac35eef59264e521")))) (io :ns ((ns.io :ip jazz.dmz))) - (play :ns (radius.ns precision.ns telecaster.ns national.ns))) + (play :ns (radius.ns precision.ns telecaster.ns national.ns eggle.jump))) ;;;-------------------------------------------------------------------------- ;;; Other subsidiary zones. #+view/outside (defzone dhcp.distorted.org.uk - :ns ((radius.ns :ip radius.dmz) - (precision.ns :ip precision.dmz) - (telecaster.ns :ip telecaster.dmz) - (national.ns :ip national.linode)) + :ns ((radius.ns :ip radius) + (precision.ns :ip precision) + (telecaster.ns :ip telecaster) + (national.ns :ip national) + (eggle.ns :ip eggle)) (gibson :addr gibson.unsafe) (crybaby :addr crybaby.unsafe) (lespaul :addr lespaul.unsafe) 
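Review bot: In the `play` delegation the new server is written `eggle.jump`, while the other four entries on that line, and every other name-server list this commit touches, use the `.ns` name. This looks like a slip for `eggle.ns`, i.e. `(play :ns (radius.ns precision.ns telecaster.ns national.ns eggle.ns))`. As written, the delegation names the host's `jump` address record as a name server. That may still resolve, but it would presumably disagree with the NS set the child zone publishes and would bypass whatever address selection the `.ns` names apply.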
@@ -389,37 +412,42 @@ (defzone (dyn.distorted.org.uk :source telecaster.distorted.org.uk.) :ns ((radius.ns :ip radius) (precision.ns :ip precision) (telecaster.ns :ip telecaster) - (national.ns :ip national))) + (national.ns :ip national) + (eggle.ns :ip eggle))) -#+view/outside (defzone nicko.org - (richmond :addr richmond.dmz)) + (richmond :addr richmond.dmz) + (marshall :addr marshall.dmz)) #+view/outside (defzone stratocaster.dkim.distorted.org.uk - :ns ((radius.ns :ip radius.dmz) - (precision.ns :ip precision.dmz) - (telecaster.ns :ip telecaster.dmz) - (national.ns :ip national.linode) - #+later (mythic-beasts-1.ns :ip mythic-ns1) - #+later (mythic-beasts-2.ns :ip mythic-ns2) - #+later (mythic-beasts-3.ns :ip mythic-ns3))) + :ns ((radius.ns :ip radius) + (precision.ns :ip precision) + (telecaster.ns :ip telecaster) + (national.ns :ip national) + (eggle.ns :ip eggle) + (mythic-beasts-1.ns :ip mythic-ns1) + (mythic-beasts-2.ns :ip mythic-ns2) + (mythic-beasts-3.ns :ip mythic-ns3))) #+view/outside (defzone telecaster.dkim.distorted.org.uk - :ns ((radius.ns :ip radius.dmz) - (precision.ns :ip precision.dmz) - (telecaster.ns :ip telecaster.dmz) - (national.ns :ip national.linode) - #+later (mythic-beasts-1.ns :ip mythic-ns1) - #+later (mythic-beasts-2.ns :ip mythic-ns2) - #+later (mythic-beasts-3.ns :ip mythic-ns3))) + :ns ((radius.ns :ip radius) + (precision.ns :ip precision) + (telecaster.ns :ip telecaster) + (national.ns :ip national) + (eggle.ns :ip eggle) + (mythic-beasts-1.ns :ip mythic-ns1) + (mythic-beasts-2.ns :ip mythic-ns2) + (mythic-beasts-3.ns :ip mythic-ns3))) (defrevzone trusted :ns (radius.distorted.org.uk. precision.distorted.org.uk. telecaster.distorted.org.uk. - national.distorted.org.uk.) + national.distorted.org.uk. + eggle.distorted.org.uk.) :reverse unsafe + :reverse safe :reverse vpn :reverse its :reverse any 
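Review bot: The `#+view/outside` definitions of the two DKIM zones switch their glue from interface-specific names (`:ip radius.dmz`, `:ip national.linode`) to bare host names (`:ip radius`, `:ip national`). How a bare name expands is not visible in this hunk. If it yields every address of the host, the outside view could start publishing internal addresses as glue, so it is worth checking the generated zone files and recording the expansion rule in a comment. Separately, removing `#+view/outside` from `(defzone nicko.org` makes that zone appear in the inside view as well; a comment such as `;; served in both views` would show that this is intended.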
@@ -427,26 +455,30 @@ (defrevzone trusted precision.distorted.org.uk. telecaster.distorted.org.uk. national.distorted.org.uk.)) - :multi (((dhcp safe) :family :ipv4 :suffix "199.29.172.dhcp") :cname *)) + :multi (((unsafe-dhcp01 unsafe-dhcp1x safe-dhcp011 safe-dhcp1xx) + :family :ipv4 :suffix "199.29.172.dhcp") :cname *)) #+view/outside (defzone dhcp.199.29.172.in-addr.arpa :ns (radius.distorted.org.uk. precision.distorted.org.uk. telecaster.distorted.org.uk. - national.distorted.org.uk.)) + national.distorted.org.uk. + eggle.distorted.org.uk.)) (defrevzone untrusted :ns (radius.distorted.org.uk. precision.distorted.org.uk. telecaster.distorted.org.uk. - national.distorted.org.uk.)) + national.distorted.org.uk. + eggle.distorted.org.uk.)) (defzone 128-143.238.187.81.in-addr.arpa :ns (radius.distorted.org.uk. precision.distorted.org.uk. telecaster.distorted.org.uk. national.distorted.org.uk. + eggle.distorted.org.uk. secondary-dns.co.uk.) :reverse ((((:ipv4 dmz))))) @@ -455,6 +487,7 @@ (defzone 64-79.12.169.217.in-addr.arpa precision.distorted.org.uk. telecaster.distorted.org.uk. national.distorted.org.uk. + eggle.distorted.org.uk. secondary-dns.co.uk.) :reverse ((((:ipv4 dmz1))))) @@ -463,6 +496,7 @@ (defzone 195.113.2.81.in-addr.arpa precision.distorted.org.uk. telecaster.distorted.org.uk. national.distorted.org.uk. + eggle.distorted.org.uk. secondary-dns.co.uk.) :reverse ((((:ipv4 gw))))) 
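Review bot: The name-server list that closes just before `:multi` in `defrevzone trusted` still ends at `national.distorted.org.uk.`, while every other list in this commit gains `eggle.distorted.org.uk.`, including the `dhcp.199.29.172.in-addr.arpa` zone a few lines below. That list begins outside the hunk, so what it delegates cannot be seen from here. If it is the parent-side NS set for the DHCP reverse zone, parent and child will now disagree. The same five names are repeated in more than a dozen forms, so defining the list once and reusing it, if the zone macros allow that, would prevent this kind of drift.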
@@ -471,18 +505,36 @@ (defrevzone (distorted.org.uk-aaisp :family :ipv6) precision.distorted.org.uk. telecaster.distorted.org.uk. national.distorted.org.uk. + eggle.distorted.org.uk. secondary-dns.co.uk.) (0.7.3.6.8.6.4.6.1.0.0.0 :ns (radius.distorted.org.uk. precision.distorted.org.uk. telecaster.distorted.org.uk. - national.distorted.org.uk.)) + national.distorted.org.uk. + eggle.distorted.org.uk.)) :reverse ((((:ipv6 distorted.org.uk-aaisp))))) -(defrevzone (dhcp :family :ipv6) +(defrevzone jump-ipv6 + :ns (radius.distorted.org.uk. + precision.distorted.org.uk. + telecaster.distorted.org.uk. + national.distorted.org.uk. + eggle.distorted.org.uk.) + :reverse ((((:ipv6 jump-ipv6))))) + +(defrevzone (unsafe-dhcp :family :ipv6) :ns (radius.distorted.org.uk. precision.distorted.org.uk. telecaster.distorted.org.uk. - national.distorted.org.uk.)) + national.distorted.org.uk. + eggle.distorted.org.uk.)) + +(defrevzone (safe-dhcp :family :ipv6) + :ns (radius.distorted.org.uk. + precision.distorted.org.uk. + telecaster.distorted.org.uk. + national.distorted.org.uk. + eggle.distorted.org.uk.)) #+view/outside (defzone io.distorted.org.uk