X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/zones/blobdiff_plain/b9b55bea28191c862075fe4a5aedecddcfd30f3e..HEAD:/distorted.lisp?ds=sidebyside
diff --git a/distorted.lisp b/distorted.lisp
index 2161036..2f24778 100644
--- a/distorted.lisp
+++ b/distorted.lisp
@@ -71,6 +71,7 @@ (defzone distorted.org.uk
 (precision.ns :ip precision)
 (telecaster.ns :ip telecaster)
 (national.ns :ip national)
+ (eggle.ns :ip eggle)
 #-view/inside (mythic-beasts-1.ns :ip mythic-ns1)
 #-view/inside (mythic-beasts-2.ns :ip mythic-ns2)
 #-view/inside (mythic-beasts-3.ns :ip mythic-ns3)
@@ -82,12 +83,19 @@ (defzone distorted.org.uk
 
 ;; Mail servers.
 ((@ mail blackhole) :mx mail :srv ((:smtp mail)))
- ((bugs) :ttl 300 :mx lists :srv ((:smtp bugs)))
- ((lists) :ttl 300 :mx lists :srv ((:smtp lists)))
-
- (stratocaster.20140403._domainkey
- :dkim ("stratocaster-20140403"
- :v "DKIM1" :k "rsa" :h "sha256" :s "email"))
+ (bugs :mx lists :srv ((:smtp bugs)))
+ (lists :mx lists :srv ((:smtp lists)))
+ (_dmarc :dmarc (:v "DMARC1"
+ :p "quarantine" :sp "quarantine"
+ :adkim "s" :aspf "s"))
+ ((_domainkey _domainkey.mail) :dname stratocaster.dkim)
+ ((stratocaster @ mail) :spf ((:version "spf1")
+ (:pass :ip stratocaster.dmz)
+ (:soft :all)))
+ ((_domainkey.bugs _domainkey.lists) :dname telecaster.dkim)
+ ((telecaster bugs lists) :spf ((:version "spf1")
+ (:pass :ip telecaster.dmz)
+ (:soft :all)))
 
 ;; Anycast services.
 (dns0 :anycast ((any dns0.any) (dmz radius.dmz)
@@ -195,7 +203,9 @@ (defzone distorted.org.uk
 (dmz :alias strat.dmz :abbrev sd))
 (stratocaster (unsafe :addr stratocaster.unsafe :sshfp "stratocaster")
 (dmz :addr stratocaster.dmz :sshfp "stratocaster"))
- (jazz :abbrev z (unsafe :abbrev zu) (dmz :abbrev zd) (vpn :abbrev :zv))
+ (jazz :abbrev z
+ (unsafe :abbrev zu) (dmz :abbrev zd)
+ (vpn :abbrev :zv) (iodine :abbrev z53) (hippo :abbrev zh))
 (jazz (unsafe :addr jazz.unsafe :sshfp "jazz")
 (dmz :addr jazz.dmz :sshfp "jazz")
 (vpn :addr jazz.vpn :sshfp "jazz")
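Review bot: The new `_dmarc` record asks receivers to quarantine (`:p "quarantine" :sp "quarantine"`, strict `:adkim`/`:aspf`) but carries no reporting address, so alignment failures will be acted on by receivers without anyone here ever seeing them; if the `:dmarc` form accepts it, add an aggregate-report tag alongside the policy, e.g. `:rua "mailto:<REPORT-MAILBOX>"` (mailbox to be chosen). Both new `:spf` records end in `(:soft :all)`; under DMARC a softfail does not count as a pass, so mail from any source other than `stratocaster.dmz`/`telecaster.dmz` now survives the quarantine policy only through DKIM alignment, and the hard-fail form of that last term would make the intent explicit if those are indeed the only legitimate senders. The enclosing `defzone distorted.org.uk` form starts before and ends after this hunk.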
@@ -204,8 +214,11 @@ (defzone distorted.org.uk
 
 ;; Virtual hosts.
 (national :abbrev n (linode :abbrev nl) (upn :abbrev ny))
- (national (linode :addr national.linode)
- (upn :addr national.upn))
+ (national (linode :addr national.linode :sshfp "national")
+ (upn :addr national.upn :sshfp "national"))
+ (eggle :abbrev e (jump :abbrev ej) (upn :abbrev ey))
+ (eggle (jump :addr eggle.jump :sshfp "eggle")
+ (upn :addr eggle.upn :sshfp "eggle"))
 (mdwdev (upn :addr mdwdev.upn))
 
 ;; Nicko's servers.
@@ -214,7 +227,7 @@ (defzone distorted.org.uk
 
 ;; Entry is via little router box.
 (dmz :net dmz)
- (guvnor (dmz :addr guvnor.dmz))
+ (guvnor (dmz :addr guvnor.dmz :sshfp "radius"))
 (nat (dmz :addr nat.dmz))
 
 ;; Wireless access points.
@@ -226,9 +239,11 @@ (defzone distorted.org.uk
 (lunch :alias ap1)
 (lunch (safe :addr lunch.safe))
 
- ;; Printer.
+ ;; Printer and scanner.
 (burntaxe :alias lp0)
 (burntaxe (safe :addr burntaxe.safe))
+ (unicorn :alias scan0)
+ (unicorn (safe :addr unicorn.safe))
 
 ;; Switches.
 (grigsby :alias tp0)
@@ -275,8 +290,7 @@ (defzone distorted.org.uk
 (artist (unsafe :addr artist.unsafe :sshfp "artist")
 (dmz :addr artist.dmz :sshfp "artist")
 (untrusted :addr artist.untrusted :sshfp "artist"))
- (groove :abbrev gr
- (vpn :abbrev grv) (unsafe :abbrev gru))
+ (groove :abbrev gr (vpn :abbrev grv) (unsafe :abbrev gru))
 (groove (vpn :addr groove.vpn :sshfp "groove")
 (unsafe :addr groove.unsafe :sshfp "groove"))
 
@@ -290,9 +304,10 @@ (defzone distorted.org.uk
 
 ;; Virtual network.
 (vpn :net vpn)
- (crybaby :abbrev cb)
+ (crybaby :abbrev cb (vpn :abbrev cbv) (hippo :abbrev cbh))
 (crybaby (vpn :addr crybaby.vpn :sshfp "crybaby")
 (hippo :addr crybaby.hippo :sshfp "crybaby"))
+ (spirit :abbrev sp (vpn :abbrev spv) (hippo :abbrev sph))
 (spirit (vpn :addr spirit.vpn :sshfp "spirit")
 (hippo :addr spirit.hippo :sshfp "spirit"))
 (terror (vpn :addr terror.vpn :sshfp "terror"))
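Review bot: `(guvnor (dmz :addr guvnor.dmz :sshfp "radius"))` publishes radius's SSH host-key fingerprints under the name guvnor, whereas every other `:sshfp` added in this diff names the host itself (`"national"`, `"eggle"`, `"jazz"`). If guvnor is just another address of the radius box, as the surrounding comment `;; Entry is via little router box.` suggests, the record is correct but the exception deserves a word, because a client using VerifyHostKeyDNS will trust whichever key set is published here; if guvnor is a separate machine, the record vouches for the wrong key. Suggest `;; guvnor is an address on radius, so it publishes radius's host keys.` on the line above, or the host's own key set if that assumption is wrong. The enclosing `defzone distorted.org.uk` form starts before and ends after this hunk.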
@@ -315,7 +330,8 @@ (defzone distorted.org.uk
 (dhcp :ns ((radius.ns.dhcp :ip radius)
 (precision.ns.dhcp :ip precision)
 (telecaster.ns.dhcp :ip telecaster)
- (national.ns.dhcp :ip national))
+ (national.ns.dhcp :ip national)
+ (eggle.ns.dhcp :ip eggle))
 :ds ((55966 :rsasha256 :sha1
 "95b05c1f4e84f950f29630004bac447f8a87ca33")
 (55966 :rsasha256 :sha256
@@ -324,7 +340,8 @@ (defzone distorted.org.uk
 (dyn :ns ((radius.ns.dyn :ip radius)
 (precision.ns.dyn :ip precision)
 (telecaster.ns.dyn :ip telecaster)
- (national.ns.dyn :ip national))
+ (national.ns.dyn :ip national)
+ (eggle.ns.dyn :ip eggle))
 :ds ((11335 :rsasha256 :sha1
 "7ed2b843b0bfb38ceca68617dfacbeafab1d1ea9")
 (11335 :rsasha256 :sha256
@@ -333,22 +350,54 @@ (defzone distorted.org.uk
 (dnserr :ns ((radius.ns.dnserr :ip radius.dmz)
 (precision.ns.dnserr :ip precision.dmz)
 (telecaster.ns.dnserr :ip telecaster.dmz)
- (national.ns.dnserr :ip national.linode))
+ (national.ns.dnserr :ip national.linode)
+ (eggle.ns.dnserr :ip eggle.jump))
 :ds ((40945 :rsasha256 :sha1
 "f35b5d0b877b940e63ad1b3afc21d6ba83cd1b3b")
 (40945 :rsasha256 :sha256
 #.(concatenate 'string "fb171d206d4d64c5a7a6c290ce6e20df"
 "44f1db7f41e2260f1fe8d7c55d524c11"))))
- (io :ns ((ns.io :ip jazz.dmz))))
+ (stratocaster.dkim
+ :ns ((radius.ns.stratocaster.dkim :ip radius.dmz)
+ (precision.ns.stratocaster.dkim :ip precision.dmz)
+ (telecaster.ns.stratocaster.dkim :ip telecaster.dmz)
+ (national.ns.stratocaster.dkim :ip national.linode)
+ (eggle.ns.stratocaster.dkim :ip eggle.jump)
+ (mythic-beasts-1.ns.stratocaster.dkim :ip mythic-ns1)
+ (mythic-beasts-2.ns.stratocaster.dkim :ip mythic-ns2)
+ (mythic-beasts-3.ns.stratocaster.dkim :ip mythic-ns3))
+ :ds ((24577 :rsasha256 :sha1
+ "d06847c01e19098509a8d07a9aafaceff532c9c7")
+ (24577 :rsasha256 :sha256
+ #.(concatenate 'string "a40cdb1c633041cfbc1b80a400cff527"
+ "2cad051915fc0cd40296a2d4590b9d2b"))))
+ (telecaster.dkim
+ :ns ((radius.ns.telecaster.dkim :ip radius.dmz)
+ (precision.ns.telecaster.dkim :ip precision.dmz)
+ (telecaster.ns.telecaster.dkim :ip telecaster.dmz)
+ (national.ns.telecaster.dkim :ip national.linode)
+ (eggle.ns.telecaster.dkim :ip eggle.jump)
+ (mythic-beasts-1.ns.telecaster.dkim :ip mythic-ns1)
+ (mythic-beasts-2.ns.telecaster.dkim :ip mythic-ns2)
+ (mythic-beasts-3.ns.telecaster.dkim :ip mythic-ns3))
+ :ds ((38896 :rsasha256 :sha1
+ "2c2daea658784e22c46bf9e86da67def1e34cf40")
+ (38896 :rsasha256 :sha256
+ #.(concatenate 'string "66997571c7d47f912caa65f2154ecd37"
+ "5b9d391e3ed44d79ac35eef59264e521"))))
+ (io :ns ((ns.io :ip jazz.dmz)))
+ (play :ns (radius.ns precision.ns telecaster.ns national.ns eggle.jump)))
 
 ;;;--------------------------------------------------------------------------
 ;;; Other subsidiary zones.
 
+#+view/outside
 (defzone dhcp.distorted.org.uk
- :ns ((radius.ns :ip radius.dmz)
- (precision.ns :ip precision.dmz)
- (telecaster.ns :ip telecaster.dmz)
- (national.ns :ip national.linode))
+ :ns ((radius.ns :ip radius)
+ (precision.ns :ip precision)
+ (telecaster.ns :ip telecaster)
+ (national.ns :ip national)
+ (eggle.ns :ip eggle))
 (gibson :addr gibson.unsafe)
 (crybaby :addr crybaby.unsafe)
 (lespaul :addr lespaul.unsafe)
@@ -358,21 +407,47 @@ (defzone dhcp.distorted.org.uk
 (invader :addr invader.safe)
 (marauder :addr marauder.safe))
 
-(defzone dyn.distorted.org.uk
+#+view/outside
+(defzone (dyn.distorted.org.uk :source telecaster.distorted.org.uk.)
 :ns ((radius.ns :ip radius)
 (precision.ns :ip precision)
 (telecaster.ns :ip telecaster)
- (national.ns :ip national)))
+ (national.ns :ip national)
+ (eggle.ns :ip eggle)))
 
 (defzone nicko.org
- (richmond :addr richmond.dmz))
+ (richmond :addr richmond.dmz)
+ (marshall :addr marshall.dmz))
+
+#+view/outside
+(defzone stratocaster.dkim.distorted.org.uk
+ :ns ((radius.ns :ip radius)
+ (precision.ns :ip precision)
+ (telecaster.ns :ip telecaster)
+ (national.ns :ip national)
+ (eggle.ns :ip eggle)
+ (mythic-beasts-1.ns :ip mythic-ns1)
+ (mythic-beasts-2.ns :ip mythic-ns2)
+ (mythic-beasts-3.ns :ip mythic-ns3)))
+#+view/outside
+(defzone telecaster.dkim.distorted.org.uk
+ :ns ((radius.ns :ip radius)
+ (precision.ns :ip precision)
+ (telecaster.ns :ip telecaster)
+ (national.ns :ip national)
+ (eggle.ns :ip eggle)
+ (mythic-beasts-1.ns :ip mythic-ns1)
+ (mythic-beasts-2.ns :ip mythic-ns2)
+ (mythic-beasts-3.ns :ip mythic-ns3)))
 
 (defrevzone trusted
 :ns (radius.distorted.org.uk.
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
- national.distorted.org.uk.)
+ national.distorted.org.uk.
+ eggle.distorted.org.uk.)
 :reverse unsafe
+ :reverse safe
 :reverse vpn
 :reverse its
 :reverse any
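Review bot: The new `play` delegation lists `eggle.jump` as a name server, while the four other entries on that line and every other delegation in this hunk use `<host>.ns` names (`eggle.ns.dnserr`, `eggle.ns.stratocaster.dkim`); elsewhere in the diff `eggle.jump` is only ever an address symbol (`:addr eggle.jump`, `:ip eggle.jump`), so this looks as though it should read `eggle.ns`, unless a bare address symbol is deliberately accepted there. The new `stratocaster.dkim` and `telecaster.dkim` delegations each publish a SHA-1 DS beside the SHA-256 one, copying the existing `dhcp`/`dyn`/`dnserr` sets; RFC 8624 rules SHA-1 out for new DS records and validators are expected to prefer the SHA-256 digest when both are present (RFC 4509), so the `:sha1` entries could be dropped from the two new zones rather than propagated. The enclosing `defzone distorted.org.uk` form starts before this hunk.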
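Review bot: `#+view/outside` now restricts `dyn.distorted.org.uk` to the outside build (the same guard is added to `dhcp.distorted.org.uk` in the previous hunk, to `dhcp.199.29.172.in-addr.arpa` in the next, and to `io.distorted.org.uk` in the last), yet the parent delegations inside `defzone distorted.org.uk` and the `:cname *` records pointing into `199.29.172.dhcp` stay unconditional, so the inside view must obtain these zones from something this file does not show — presumably a dynamically updated copy, given the new `:source telecaster.distorted.org.uk.` on `dyn`. That arrangement is not recorded anywhere visible here; a one-line comment above the first guarded form, e.g. `;; Served dynamically in the inside view; only the outside copy is generated here.` (adjusted to the real setup), would stop a future reader from assuming the inside view simply lost these zones.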
@@ -380,25 +455,30 @@ (defrevzone trusted
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
 national.distorted.org.uk.))
- :multi (((dhcp safe) :family :ipv4 :suffix "199.29.172.dhcp") :cname *))
+ :multi (((unsafe-dhcp01 unsafe-dhcp1x safe-dhcp011 safe-dhcp1xx)
+ :family :ipv4 :suffix "199.29.172.dhcp") :cname *))
 
+#+view/outside
 (defzone dhcp.199.29.172.in-addr.arpa
 :ns (radius.distorted.org.uk.
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
- national.distorted.org.uk.))
+ national.distorted.org.uk.
+ eggle.distorted.org.uk.))
 
 (defrevzone untrusted
 :ns (radius.distorted.org.uk.
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
- national.distorted.org.uk.))
+ national.distorted.org.uk.
+ eggle.distorted.org.uk.))
 
 (defzone 128-143.238.187.81.in-addr.arpa
 :ns (radius.distorted.org.uk.
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
 national.distorted.org.uk.
+ eggle.distorted.org.uk.
 secondary-dns.co.uk.)
 :reverse ((((:ipv4 dmz)))))
 
@@ -407,6 +487,7 @@ (defzone 64-79.12.169.217.in-addr.arpa
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
 national.distorted.org.uk.
+ eggle.distorted.org.uk.
 secondary-dns.co.uk.)
 :reverse ((((:ipv4 dmz1)))))
 
@@ -415,6 +496,7 @@ (defzone 195.113.2.81.in-addr.arpa
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
 national.distorted.org.uk.
+ eggle.distorted.org.uk.
 secondary-dns.co.uk.)
 :reverse ((((:ipv4 gw)))))
 
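Review bot: The rewritten `:multi` entry names four ranges (`unsafe-dhcp01 unsafe-dhcp1x safe-dhcp011 safe-dhcp1xx`) whose suffixes presumably encode which slices of the DHCP pool they cover, but nothing on this page says so, and the form it replaces (`dhcp safe`) was self-explanatory. A one-line comment above the `:multi` line stating what each range name stands for, e.g. `;; unsafe-dhcp01/1x and safe-dhcp011/1xx: <addresses each range covers>`, would save the next reader a trip to the network definitions. The `defrevzone trusted` form starts before this hunk.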
@@ -423,19 +505,38 @@ (defrevzone (distorted.org.uk-aaisp :family :ipv6)
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
 national.distorted.org.uk.
+ eggle.distorted.org.uk.
 secondary-dns.co.uk.)
 (0.7.3.6.8.6.4.6.1.0.0.0 :ns (radius.distorted.org.uk.
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
- national.distorted.org.uk.))
+ national.distorted.org.uk.
+ eggle.distorted.org.uk.))
 :reverse ((((:ipv6 distorted.org.uk-aaisp)))))
 
-(defrevzone (dhcp :family :ipv6)
+(defrevzone jump-ipv6
+ :ns (radius.distorted.org.uk.
+ precision.distorted.org.uk.
+ telecaster.distorted.org.uk.
+ national.distorted.org.uk.
+ eggle.distorted.org.uk.)
+ :reverse ((((:ipv6 jump-ipv6)))))
+
+(defrevzone (unsafe-dhcp :family :ipv6)
 :ns (radius.distorted.org.uk.
 precision.distorted.org.uk.
 telecaster.distorted.org.uk.
- national.distorted.org.uk.))
+ national.distorted.org.uk.
+ eggle.distorted.org.uk.))
+
+(defrevzone (safe-dhcp :family :ipv6)
+ :ns (radius.distorted.org.uk.
+ precision.distorted.org.uk.
+ telecaster.distorted.org.uk.
+ national.distorted.org.uk.
+ eggle.distorted.org.uk.))
 
+#+view/outside
 (defzone io.distorted.org.uk
 :ns ((ns :ip jazz.dmz))
 (about :txt "Fake zone used for IP-over-DNS tunnelling."))