[zones] / distorted.lisp

;;; Zone file for distorted.org.uk

(load "hosts.lisp" :verbose nil)

;;;--------------------------------------------------------------------------
;;; Anycast services.

(defvar *anycast-routable-families* (list :ipv6))

(defzoneparse :anycast (name data rec :prefix prefix :zname zname)
  (destructuring-bind (any-provider default-provider &rest other-providers)
      data

    ;; First, the default address.  If the anycast network is preferred then
    ;; this is easy; otherwise we have something complicated to do because
    ;; IPv6 anycast addresses are globally routable, while IPv4 ones aren't.
    (if (zone-preferred-subnet-p (car any-provider))
	(zone-set-address #'rec (cdr any-provider) :make-ptr-p t)
	(do-host (addr (cdr any-provider))
	  (let ((family (ipaddr-family addr)))
	    (if (member family *anycast-routable-families*)
		(zone-set-address #'rec addr
				  :family family :make-ptr-p t)
		(zone-set-address #'rec (cdr default-provider)
				  :family family :make-ptr-p nil)))))

    ;; Now for all of the others.
    (dolist (provider (list* any-provider default-provider other-providers))
      (zone-set-address #'rec (cdr provider)
			:make-ptr-p (eq provider any-provider)
			:name (domain-name-concat prefix
						  (zone-parse-host
						   (car provider)
						   zname))))))

;;;--------------------------------------------------------------------------
;;; Hostname abbreviations.

(defvar *abbrev-subdomain*
  (make-domain-name :labels '("abbrev") :absolutep nil))
(defparameter *abbrev-used* (make-hash-table :test #'equal))

(defzoneparse :abbrev (name data rec :zname zname)
  (let* ((domain (zone-parse-host data
				  (domain-name-concat *abbrev-subdomain*
						      zname)))
	 (key (princ-to-string domain))
	 (existing (gethash key *abbrev-used*)))
    (when existing
      (error "Abbrev collision for ~A between ~A and ~A."
	     domain existing name))
    (setf (gethash key *abbrev-used*) name)
    (rec :name domain
	 :type :cname
	 :data name)))

;;;--------------------------------------------------------------------------
;;; Other definitions.

(setf *default-zone-admin* "hostmaster@distorted.org.uk")

(setf *default-zone-source* 'radius.distorted.org.uk.)

;;;--------------------------------------------------------------------------
;;; Main zone definition.

(defzone distorted.org.uk

  ;; Nameservers.
  :ns ((radius.ns :ip radius)
       (precision.ns :ip precision)
       (telecaster.ns :ip telecaster)
       (national.ns :ip national)
       #-view/inside (mythic-beasts-1.ns :ip mythic-ns1)
       #-view/inside (mythic-beasts-2.ns :ip mythic-ns2)
       #-view/inside (mythic-beasts-3.ns :ip mythic-ns3)
       #-view/inside (chiark.ns :ip chiark.greenend.org.uk))

  ;; Certification.
  :caa ((:issue "letsencrypt.org")
	(:issue "distorted.org.uk"))

  ;; Mail servers.
  ((@ mail blackhole) :mx mail :srv ((:smtp mail)))
  ((bugs) :ttl 300 :mx lists :srv ((:smtp bugs)))
  ((lists) :ttl 300 :mx lists :srv ((:smtp lists)))
  ((_domainkey _domainkey.mail) :dname stratocaster.dkim)
  ((_domainkey.bugs _domainkey.lists) :dname telecaster.dkim)

  ;; Anycast services.
  (dns0 :anycast ((any dns0.any) (dmz radius.dmz)
		  (unsafe radius.unsafe)))
  (dns1 :anycast ((any dns1.any) (dmz precision.dmz)
		  (unsafe precision.unsafe)))
  (dns :cname dns0)

  (ntp0 :anycast ((any ntp0.any) (dmz ibanez.dmz)
		  (unsafe ibanez.unsafe)))
  (ntp1 :anycast ((any ntp1.any) (dmz fender.dmz)
		  (unsafe fender.unsafe)))
  (ntp :cname ntp0)

  (www-cache :anycast ((any www-cache.any) (dmz telecaster.dmz)
		       (unsafe telecaster.unsafe)))
  (wpad :cname www-cache)

  (_kerberos :txt "DISTORTED.ORG.UK")
  (krb0 :anycast ((any krb0.any) (dmz radius.dmz)
		  (unsafe radius.unsafe)))
  (krb1 :anycast ((any krb1.any) (dmz precision.dmz)
		  (unsafe precision.unsafe)))
  (krb-master (unsafe :svc radius.unsafe)
	      (dmz :svc radius.dmz))
  :srv (((:kerberos :protocol :udp)
	 krb0
	 (krb1 :prio 100))
	((:kerberos-master :protocol :udp :port 88) krb-master)
	(:kerberos-adm krb-master)
	((:kpasswd :protocol :udp) krb-master))
  (krb :cname krb0)

  ;; Other services.
  :srv ((:http www)
	(:ftp ftp))

  ;; Formerly colocated services.
  ((irc vox keys wiki) (unsafe :svc jazz.unsafe :sshfp "jazz")
		       (dmz :svc jazz.dmz :sshfp "jazz"))
  ((irc vox keys wiki) :tlsa (:https (:service-certificate-constraint
				      :public-key :sha-256 #p"https-jazz")))
  ((bugs lists db ftp) (unsafe :svc telecaster.unsafe :sshfp "telecaster")
		       (dmz :svc telecaster.dmz :sshfp "telecaster"))
  ((bugs lists ftp) :tlsa (:https #3=(:service-certificate-constraint
				      :public-key :sha-256
				      #p"https-telecaster")))
  (dyndns :svc telecaster.dmz :sshfp "telecaster")
  ((git www mail) (unsafe :svc stratocaster.unsafe :sshfp "stratocaster")
		  (dmz :svc stratocaster.dmz :sshfp "stratocaster"))
  ((www git mail @) :tlsa (:https #2=(:service-certificate-constraint
				      :public-key :sha-256
				      #p"https-stratocaster")))
  (www-cache :tlsa (3127 #1=(:trust-anchor-assertion
			     :certificate :sha-256 #p"distorted-ca")))
  (mail :tlsa ((:submission :imap :imaps) #1#))
  (mail :tlsa (:smtp
	       #+view/inside #1#
	       #-view/inside (:domain-issued-certificate
			      :public-key :sha-256
			      #p"smtps-stratocaster")))
  ((bugs lists) :tlsa (:smtp
		       #+view/inside #1#
		       #-view/inside (:domain-issued-certificate
				      :public-key :sha-256
				      #p"smtps-telecaster")))
  :svc #+view/inside stratocaster.unsafe
       #-view/inside stratocaster.dmz
  (cabal :svc stratocaster.dmz :sshfp "stratocaster")

  ;; Local services.
  (rawk (unsafe :svc artist.unsafe) (dmz :svc artist.dmz))
  (rawk :tlsa (:https (:service-certificate-constraint
		       :public-key :sha-256
		       #p"https-artist")))
  (mirror (dmz :svc roadstar.dmz :sshfp "roadstar")
	  (unsafe :svc roadstar.unsafe :sshfp "roadstar"))

  ;; Internal services.
  ((news lpr) :svc roadstar.unsafe :sshfp "roadstar")

  ;; Anonymity services.
  (anon (dmz :svc anon.dmz)
	(unsafe :svc jazz.unsafe))

  ;; Fancy connectivity.
  (iodine (dmz :svc jazz.dmz))
  (hippotat (dmz :svc jazz.dmz))

  ;; Formerly colocated hosts.
  (fender :abbrev f (unsafe :abbrev fu) (dmz :abbrev fd))
  (fender (unsafe :addr fender.unsafe :sshfp "fender")
	  (dmz :addr fender.dmz :sshfp "fender"))
  (precision :abbrev p (unsafe :abbrev pu) (dmz :abbrev pd) (vpn :abbrev pv))
  (precision (unsafe :addr precision.unsafe :sshfp "precision")
	     (dmz :addr precision.dmz :sshfp "precision")
	     (vpn :addr precision.vpn :sshfp "precision"))
  (telecaster :alias tele :abbrev t
	      (unsafe :alias tele.unsafe :abbrev tu)
	      (dmz :alias tele.dmz :abbrev td))
  (telecaster (unsafe :addr telecaster.unsafe :sshfp "telecaster")
	      (dmz :addr telecaster.dmz :sshfp "telecaster"))
  (stratocaster :alias strat :abbrev s
		(unsafe :alias strat.unsafe :abbrev su)
		(dmz :alias strat.dmz :abbrev sd))
  (stratocaster (unsafe :addr stratocaster.unsafe :sshfp "stratocaster")
		(dmz :addr stratocaster.dmz :sshfp "stratocaster"))
  (jazz :abbrev z (unsafe :abbrev zu) (dmz :abbrev zd) (vpn :abbrev :zv))
  (jazz (unsafe :addr jazz.unsafe :sshfp "jazz")
	(dmz :addr jazz.dmz :sshfp "jazz")
	(vpn :addr jazz.vpn :sshfp "jazz")
	(iodine :addr jazz.iodine :sshfp "jazz")
	(hippo :addr jazz.hippo :sshfp "jazz"))

  ;; Virtual hosts.
  (national :abbrev n (linode :abbrev nl) (upn :abbrev ny))
  (national (linode :addr national.linode)
	    (upn :addr national.upn))
  (mdwdev (upn :addr mdwdev.upn))

  ;; Nicko's servers.
  (richmond (dmz :svc richmond.dmz))
  (marshall (dmz :svc marshall.dmz))

  ;; Entry is via little router box.
  (dmz :net dmz)
  (guvnor (dmz :addr guvnor.dmz))
  (nat (dmz :addr nat.dmz))

  ;; Wireless access points.
  (wireless :net wireless)
  (evolution (safe :addr evolution.safe))
  (evolution :alias evo)
  (kitkat :alias ap0)
  (kitkat (safe :addr kitkat.safe))
  (lunch :alias ap1)
  (lunch (safe :addr lunch.safe))

  ;; Printer.
  (burntaxe :alias lp0)
  (burntaxe (safe :addr burntaxe.safe))

  ;; Switches.
  (grigsby :alias tp0)
  (grigsby (safe :addr grigsby.safe))
  (carling :alias tp1)
  (carling (safe :addr carling.safe))
  (tritan :alias tp2)
  (tritan (safe :addr tritan.safe))

  ;; Wired ethernet.
  (unsafe :net unsafe)
  (safe :net safe)
  (untrusted :net untrusted)
  (vampire :abbrev v
	   (unsafe :abbrev vu) (dmz :abbrev vd) (vpn :abbrev vv)
	   (safe :abbrev vs) (untrusted :abbrev vx))
  (vampire (unsafe :addr vampire.unsafe :sshfp "vampire")
	   (dmz :addr vampire.dmz :sshfp "vampire")
	   (vpn :addr vampire.vpn :sshfp "vampire")
	   (safe :addr vampire.safe :sshfp "vampire")
	   (untrusted :addr vampire.untrusted :sshfp "vampire"))
  (ibanez :abbrev i (unsafe :abbrev iu) (dmz :abbrev id))
  (ibanez (unsafe :addr ibanez.unsafe :sshfp "ibanez")
	  (dmz :addr ibanez.dmz :sshfp "ibanez"))
  (radius :abbrev r
	  (unsafe :abbrev ru) (dmz :abbrev rd) (vpn :abbrev rv)
	  (safe :abbrev rs) (untrusted :abbrev rx))
  (radius (unsafe :addr radius.unsafe :sshfp "radius")
	  (dmz :addr radius.dmz :sshfp "radius")
	  (vpn :addr radius.vpn :sshfp "radius")
	  (safe :addr radius.safe :sshfp "radius")
	  (untrusted :addr radius.untrusted :sshfp "radius"))
  (roadstar :abbrev rg (unsafe :abbrev rgu) (dmz :abbrev rgd))
  (roadstar (unsafe :addr roadstar.unsafe :sshfp "roadstar")
	    (dmz :addr roadstar.dmz :sshfp "roadstar"))
  (jem :abbrev j (unsafe :abbrev ju) (dmz :abbrev jd))
  (jem (unsafe :addr jem.unsafe :sshfp "jem")
       (dmz :addr jem.dmz :sshfp "jem"))
  (universe :abbrev u (unsafe :abbrev uu) (dmz :abbrev ud))
  (universe (unsafe :addr universe.unsafe :sshfp "universe")
	    (dmz :addr universe.dmz :sshfp "universe"))
  (artist :abbrev a
	  (unsafe :abbrev au) (dmz :abbrev ad) (untrusted :abbrev ax))
  (artist (unsafe :addr artist.unsafe :sshfp "artist")
	  (dmz :addr artist.dmz :sshfp "artist")
	  (untrusted :addr artist.untrusted :sshfp "artist"))
  (groove :abbrev gr
	  (vpn :abbrev grv) (unsafe :abbrev gru))
  (groove (vpn :addr groove.vpn :sshfp "groove")
	  (unsafe :addr groove.unsafe :sshfp "groove"))

  ;; DHCP hosts.
  (gibson :cname gibson.dhcp :abbrev g)
  (lespaul :cname lespaul.dhcp)
  (firebird :cname firebird.dhcp)
  (marauder :cname marauder.dhcp)
  (invader :cname invader.dhcp)
  (gretsch :cname gretsch.dhcp)

  ;; Virtual network.
  (vpn :net vpn)
  (crybaby :abbrev cb)
  (crybaby (vpn :addr crybaby.vpn :sshfp "crybaby")
	   (hippo :addr crybaby.hippo :sshfp "crybaby"))
  (spirit (vpn :addr spirit.vpn :sshfp "spirit")
	  (hippo :addr spirit.hippo :sshfp "spirit"))
  (terror (vpn :addr terror.vpn :sshfp "terror"))
  (orange :abbrev o)
  (orange (vpn :addr orange.vpn :sshfp "orange"))
  (haze :abbrev h)
  (haze (vpn :addr haze.vpn :sshfp "haze"))
  (iodine :net iodine)
  (hippo :net hippo)

  ;; ITS.
  (its :net its)
  (gw (its :addr gw.its))
  (mz (its :addr mz.its))

  ;; Strange things.
  (blackhole (dmz :addr blackhole.dmz))

  ;; Delegations.
  (dhcp :ns ((radius.ns.dhcp :ip radius)
	     (precision.ns.dhcp :ip precision)
	     (telecaster.ns.dhcp :ip telecaster)
	     (national.ns.dhcp :ip national))
	:ds ((55966 :rsasha256 :sha1
	     "95b05c1f4e84f950f29630004bac447f8a87ca33")
	     (55966 :rsasha256 :sha256
	      #.(concatenate 'string "31696bf54b577362b2eb75793adeb9ec"
				     "2e8440ec671371b35d8d978cd9ca3007"))))
  (dyn :ns ((radius.ns.dyn :ip radius)
	    (precision.ns.dyn :ip precision)
	    (telecaster.ns.dyn :ip telecaster)
	    (national.ns.dyn :ip national))
       :ds ((11335 :rsasha256 :sha1
	    "7ed2b843b0bfb38ceca68617dfacbeafab1d1ea9")
	    (11335 :rsasha256 :sha256
	     #.(concatenate 'string "6eb15eb587c48f5b84ca128a656a4cce"
				    "0a41cf040d3d0f15a44dffd6476b2b55"))))
  (dnserr :ns ((radius.ns.dnserr :ip radius.dmz)
	       (precision.ns.dnserr :ip precision.dmz)
	       (telecaster.ns.dnserr :ip telecaster.dmz)
	       (national.ns.dnserr :ip national.linode))
	  :ds ((40945 :rsasha256 :sha1
		"f35b5d0b877b940e63ad1b3afc21d6ba83cd1b3b")
	       (40945 :rsasha256 :sha256
		#.(concatenate 'string "fb171d206d4d64c5a7a6c290ce6e20df"
				       "44f1db7f41e2260f1fe8d7c55d524c11"))))
  (stratocaster.dkim
   :ns ((radius.ns.stratocaster.dkim :ip radius.dmz)
	(precision.ns.stratocaster.dkim :ip precision.dmz)
	(telecaster.ns.stratocaster.dkim :ip telecaster.dmz)
	(national.ns.stratocaster.dkim :ip national.linode)
	#+later (mythic-beasts-1.ns.stratocaster.dkim :ip mythic-ns1)
	#+later (mythic-beasts-2.ns.stratocaster.dkim :ip mythic-ns2)
	#+later (mythic-beasts-3.ns.stratocaster.dkim :ip mythic-ns3))
   :ds ((24577 :rsasha256 :sha1
	 "d06847c01e19098509a8d07a9aafaceff532c9c7")
	(24577 :rsasha256 :sha256
	 #.(concatenate 'string "a40cdb1c633041cfbc1b80a400cff527"
				"2cad051915fc0cd40296a2d4590b9d2b"))))
  (telecaster.dkim
   :ns ((radius.ns.telecaster.dkim :ip radius.dmz)
	(precision.ns.telecaster.dkim :ip precision.dmz)
	(telecaster.ns.telecaster.dkim :ip telecaster.dmz)
	(national.ns.telecaster.dkim :ip national.linode)
	#+later (mythic-beasts-1.ns.telecaster.dkim :ip mythic-ns1)
	#+later (mythic-beasts-2.ns.telecaster.dkim :ip mythic-ns2)
	#+later (mythic-beasts-3.ns.telecaster.dkim :ip mythic-ns3))
   :ds ((38896 :rsasha256 :sha1
	 "2c2daea658784e22c46bf9e86da67def1e34cf40")
	(38896 :rsasha256 :sha256
	 #.(concatenate 'string "66997571c7d47f912caa65f2154ecd37"
				"5b9d391e3ed44d79ac35eef59264e521"))))
  (io :ns ((ns.io :ip jazz.dmz)))
  (play :ns (radius.ns precision.ns telecaster.ns national.ns)))

;;;--------------------------------------------------------------------------
;;; Other subsidiary zones.

#+view/outside
(defzone dhcp.distorted.org.uk
  :ns ((radius.ns :ip radius.dmz)
       (precision.ns :ip precision.dmz)
       (telecaster.ns :ip telecaster.dmz)
       (national.ns :ip national.linode))
  (gibson :addr gibson.unsafe)
  (crybaby :addr crybaby.unsafe)
  (lespaul :addr lespaul.unsafe)
  (gretsch :addr gretsch.unsafe)
  (spirit :addr spirit.unsafe)
  (haze :addr haze.unsafe)
  (invader :addr invader.safe)
  (marauder :addr marauder.safe))

#+view/outside
(defzone (dyn.distorted.org.uk :source telecaster.distorted.org.uk.)
  :ns ((radius.ns :ip radius)
       (precision.ns :ip precision)
       (telecaster.ns :ip telecaster)
       (national.ns :ip national)))

#+view/outside
(defzone nicko.org
  (richmond :addr richmond.dmz))

#+view/outside
(defzone stratocaster.dkim.distorted.org.uk
  :ns ((radius.ns :ip radius.dmz)
       (precision.ns :ip precision.dmz)
       (telecaster.ns :ip telecaster.dmz)
       (national.ns :ip national.linode)
       #+later (mythic-beasts-1.ns :ip mythic-ns1)
       #+later (mythic-beasts-2.ns :ip mythic-ns2)
       #+later (mythic-beasts-3.ns :ip mythic-ns3)))
#+view/outside
(defzone telecaster.dkim.distorted.org.uk
  :ns ((radius.ns :ip radius.dmz)
       (precision.ns :ip precision.dmz)
       (telecaster.ns :ip telecaster.dmz)
       (national.ns :ip national.linode)
       #+later (mythic-beasts-1.ns :ip mythic-ns1)
       #+later (mythic-beasts-2.ns :ip mythic-ns2)
       #+later (mythic-beasts-3.ns :ip mythic-ns3)))

(defrevzone trusted
  :ns (radius.distorted.org.uk.
       precision.distorted.org.uk.
       telecaster.distorted.org.uk.
       national.distorted.org.uk.)
  :reverse unsafe
  :reverse vpn
  :reverse its
  :reverse any
  (dhcp :ns (radius.distorted.org.uk.
	     precision.distorted.org.uk.
	     telecaster.distorted.org.uk.
	     national.distorted.org.uk.))
  :multi (((dhcp safe) :family :ipv4 :suffix "199.29.172.dhcp") :cname *))

#+view/outside
(defzone dhcp.199.29.172.in-addr.arpa
  :ns (radius.distorted.org.uk.
       precision.distorted.org.uk.
       telecaster.distorted.org.uk.
       national.distorted.org.uk.))

(defrevzone untrusted
  :ns (radius.distorted.org.uk.
       precision.distorted.org.uk.
       telecaster.distorted.org.uk.
       national.distorted.org.uk.))

(defzone 128-143.238.187.81.in-addr.arpa
  :ns (radius.distorted.org.uk.
       precision.distorted.org.uk.
       telecaster.distorted.org.uk.
       national.distorted.org.uk.
       secondary-dns.co.uk.)
  :reverse ((((:ipv4 dmz)))))

(defzone 64-79.12.169.217.in-addr.arpa
  :ns (radius.distorted.org.uk.
       precision.distorted.org.uk.
       telecaster.distorted.org.uk.
       national.distorted.org.uk.
       secondary-dns.co.uk.)
  :reverse ((((:ipv4 dmz1)))))

(defzone 195.113.2.81.in-addr.arpa
  :ns (radius.distorted.org.uk.
       precision.distorted.org.uk.
       telecaster.distorted.org.uk.
       national.distorted.org.uk.
       secondary-dns.co.uk.)
  :reverse ((((:ipv4 gw)))))

(defrevzone (distorted.org.uk-aaisp :family :ipv6)
  :ns (radius.distorted.org.uk.
       precision.distorted.org.uk.
       telecaster.distorted.org.uk.
       national.distorted.org.uk.
       secondary-dns.co.uk.)
  (0.7.3.6.8.6.4.6.1.0.0.0 :ns (radius.distorted.org.uk.
				precision.distorted.org.uk.
				telecaster.distorted.org.uk.
				national.distorted.org.uk.))
  :reverse ((((:ipv6 distorted.org.uk-aaisp)))))

(defrevzone (dhcp :family :ipv6)
  :ns (radius.distorted.org.uk.
       precision.distorted.org.uk.
       telecaster.distorted.org.uk.
       national.distorted.org.uk.))

#+view/outside
(defzone io.distorted.org.uk
  :ns ((ns :ip jazz.dmz))
  (about :txt "Fake zone used for IP-over-DNS tunnelling."))

;;;----- That's all, folks --------------------------------------------------
Commit	Line	Data
e80b4c2d MW	1	;;; Zone file for distorted.org.uk
e80b4c2d MW	2
b4d4c18b	3	(load "hosts.lisp" :verbose nil)
e80b4c2d	4
b1d5c6c2	5	;;;--------------------------------------------------------------------------
aef7892b MW	6	;;; Anycast services.
	7
	8	(defvar anycast-routable-families (list :ipv6))
	9
	10	(defzoneparse :anycast (name data rec :prefix prefix :zname zname)
	11	(destructuring-bind (any-provider default-provider &rest other-providers)
	12	data
	13
	14	;; First, the default address. If the anycast network is preferred then
	15	;; this is easy; otherwise we have something complicated to do because
	16	;; IPv6 anycast addresses are globally routable, while IPv4 ones aren't.
	17	(if (zone-preferred-subnet-p (car any-provider))
	18	(zone-set-address #'rec (cdr any-provider) :make-ptr-p t)
6baf2de2	19	(do-host (addr (cdr any-provider))
aef7892b MW	20	(let ((family (ipaddr-family addr)))
	21	(if (member family anycast-routable-families)
	22	(zone-set-address #'rec addr
	23	:family family :make-ptr-p t)
	24	(zone-set-address #'rec (cdr default-provider)
	25	:family family :make-ptr-p nil)))))
	26
	27	;; Now for all of the others.
	28	(dolist (provider (list* any-provider default-provider other-providers))
	29	(zone-set-address #'rec (cdr provider)
	30	:make-ptr-p (eq provider any-provider)
c9f96590 MW	31	:name (domain-name-concat prefix
	32	(zone-parse-host
	33	(car provider)
	34	zname))))))
aef7892b MW	35
aef7892b MW	36	;;;--------------------------------------------------------------------------
07fe1e43 MW	37	;;; Hostname abbreviations.
	38
	39	(defvar abbrev-subdomain
	40	(make-domain-name :labels '("abbrev") :absolutep nil))
	41	(defparameter abbrev-used (make-hash-table :test #'equal))
	42
	43	(defzoneparse :abbrev (name data rec :zname zname)
	44	(let* ((domain (zone-parse-host data
	45	(domain-name-concat abbrev-subdomain
	46	zname)))
	47	(key (princ-to-string domain))
	48	(existing (gethash key abbrev-used)))
	49	(when existing
	50	(error "Abbrev collision for ~A between ~A and ~A."
	51	domain existing name))
	52	(setf (gethash key abbrev-used) name)
	53	(rec :name domain
	54	:type :cname
	55	:data name)))
	56
	57	;;;--------------------------------------------------------------------------
b1d5c6c2	58	;;; Other definitions.
e80b4c2d MW	59
e80b4c2d MW	60	(setf default-zone-admin "hostmaster@distorted.org.uk")
2bc217e8	61
ff6c53ad	62	(setf default-zone-source 'radius.distorted.org.uk.)
e80b4c2d	63
b1d5c6c2 MW	64	;;;--------------------------------------------------------------------------
	65	;;; Main zone definition.
	66
e80b4c2d	67	(defzone distorted.org.uk
ec4898f9	68
6ef39f28	69	;; Nameservers.
981c9c20 MW	70	:ns ((radius.ns :ip radius)
	71	(precision.ns :ip precision)
	72	(telecaster.ns :ip telecaster)
1a8dfbe2	73	(national.ns :ip national)
981c9c20 MW	74	#-view/inside (mythic-beasts-1.ns :ip mythic-ns1)
981c9c20 MW	75	#-view/inside (mythic-beasts-2.ns :ip mythic-ns2)
fdcd43da	76	#-view/inside (mythic-beasts-3.ns :ip mythic-ns3)
981c9c20	77	#-view/inside (chiark.ns :ip chiark.greenend.org.uk))
ec4898f9	78
2e7d3852 MW	79	;; Certification.
	80	:caa ((:issue "letsencrypt.org")
	81	(:issue "distorted.org.uk"))
	82
6ef39f28	83	;; Mail servers.
68db42b5	84	((@ mail blackhole) :mx mail :srv ((:smtp mail)))
beb363e0	85	((bugs) :ttl 300 :mx lists :srv ((:smtp bugs)))
68db42b5	86	((lists) :ttl 300 :mx lists :srv ((:smtp lists)))
aa420955 MW	87	((_domainkey _domainkey.mail) :dname stratocaster.dkim)
aa420955 MW	88	((_domainkey.bugs _domainkey.lists) :dname telecaster.dkim)
69bbb181	89
06f1bb3f	90	;; Anycast services.
be5a78bf	91	(dns0 :anycast ((any dns0.any) (dmz radius.dmz)
aef7892b	92	(unsafe radius.unsafe)))
be5a78bf MW	93	(dns1 :anycast ((any dns1.any) (dmz precision.dmz)
be5a78bf MW	94	(unsafe precision.unsafe)))
cfecfa5c MW	95	(dns :cname dns0)
cfecfa5c MW	96
be5a78bf MW	97	(ntp0 :anycast ((any ntp0.any) (dmz ibanez.dmz)
	98	(unsafe ibanez.unsafe)))
	99	(ntp1 :anycast ((any ntp1.any) (dmz fender.dmz)
	100	(unsafe fender.unsafe)))
cfecfa5c MW	101	(ntp :cname ntp0)
cfecfa5c MW	102
be5a78bf MW	103	(www-cache :anycast ((any www-cache.any) (dmz telecaster.dmz)
be5a78bf MW	104	(unsafe telecaster.unsafe)))
345c0f69 MW	105	(wpad :cname www-cache)
345c0f69 MW	106
cfecfa5c	107	(_kerberos :txt "DISTORTED.ORG.UK")
be5a78bf MW	108	(krb0 :anycast ((any krb0.any) (dmz radius.dmz)
	109	(unsafe radius.unsafe)))
	110	(krb1 :anycast ((any krb1.any) (dmz precision.dmz)
	111	(unsafe precision.unsafe)))
cfecfa5c MW	112	(krb-master (unsafe :svc radius.unsafe)
	113	(dmz :svc radius.dmz))
	114	:srv (((:kerberos :protocol :udp)
	115	krb0
	116	(krb1 :prio 100))
	117	((:kerberos-master :protocol :udp :port 88) krb-master)
	118	(:kerberos-adm krb-master)
	119	((:kpasswd :protocol :udp) krb-master))
	120	(krb :cname krb0)
	121
6ef39f28	122	;; Other services.
96c2a692 MW	123	:srv ((:http www)
96c2a692 MW	124	(:ftp ftp))
ec4898f9	125
be5a78bf MW	126	;; Formerly colocated services.
	127	((irc vox keys wiki) (unsafe :svc jazz.unsafe :sshfp "jazz")
	128	(dmz :svc jazz.dmz :sshfp "jazz"))
270fa799	129	((irc vox keys wiki) :tlsa (:https (:service-certificate-constraint
15cca8c6	130	:public-key :sha-256 #p"https-jazz")))
be5a78bf MW	131	((bugs lists db ftp) (unsafe :svc telecaster.unsafe :sshfp "telecaster")
be5a78bf MW	132	(dmz :svc telecaster.dmz :sshfp "telecaster"))
40832d80 MW	133	((bugs lists ftp) :tlsa (:https #3=(:service-certificate-constraint
	134	:public-key :sha-256
	135	#p"https-telecaster")))
be5a78bf MW	136	(dyndns :svc telecaster.dmz :sshfp "telecaster")
	137	((git www mail) (unsafe :svc stratocaster.unsafe :sshfp "stratocaster")
	138	(dmz :svc stratocaster.dmz :sshfp "stratocaster"))
40832d80 MW	139	((www git mail @) :tlsa (:https #2=(:service-certificate-constraint
	140	:public-key :sha-256
	141	#p"https-stratocaster")))
5a8c792f MW	142	(www-cache :tlsa (3127 #1=(:trust-anchor-assertion
5a8c792f MW	143	:certificate :sha-256 #p"distorted-ca")))
e30dcd9f	144	(mail :tlsa ((:submission :imap :imaps) #1#))
b868d3f4 MW	145	(mail :tlsa (:smtp
	146	#+view/inside #1#
	147	#-view/inside (:domain-issued-certificate
	148	:public-key :sha-256
	149	#p"smtps-stratocaster")))
	150	((bugs lists) :tlsa (:smtp
	151	#+view/inside #1#
	152	#-view/inside (:domain-issued-certificate
	153	:public-key :sha-256
	154	#p"smtps-telecaster")))
be5a78bf MW	155	:svc #+view/inside stratocaster.unsafe
	156	#-view/inside stratocaster.dmz
	157	(cabal :svc stratocaster.dmz :sshfp "stratocaster")
4c25329e	158
6ef39f28	159	;; Local services.
77fbb917	160	(rawk (unsafe :svc artist.unsafe) (dmz :svc artist.dmz))
c0e64dd8 MW	161	(rawk :tlsa (:https (:service-certificate-constraint
	162	:public-key :sha-256
	163	#p"https-artist")))
f5c3343e	164	(mirror (dmz :svc roadstar.dmz :sshfp "roadstar")
8d261a89	165	(unsafe :svc roadstar.unsafe :sshfp "roadstar"))
ec4898f9	166
6ef39f28	167	;; Internal services.
ccc6ea89	168	((news lpr) :svc roadstar.unsafe :sshfp "roadstar")
ec4898f9	169
04db9729	170	;; Anonymity services.
be5a78bf MW	171	(anon (dmz :svc anon.dmz)
be5a78bf MW	172	(unsafe :svc jazz.unsafe))
04db9729	173
85a3496c	174	;; Fancy connectivity.
be5a78bf MW	175	(iodine (dmz :svc jazz.dmz))
	176	(hippotat (dmz :svc jazz.dmz))
	177
	178	;; Formerly colocated hosts.
	179	(fender :abbrev f (unsafe :abbrev fu) (dmz :abbrev fd))
	180	(fender (unsafe :addr fender.unsafe :sshfp "fender")
	181	(dmz :addr fender.dmz :sshfp "fender"))
	182	(precision :abbrev p (unsafe :abbrev pu) (dmz :abbrev pd) (vpn :abbrev pv))
	183	(precision (unsafe :addr precision.unsafe :sshfp "precision")
	184	(dmz :addr precision.dmz :sshfp "precision")
	185	(vpn :addr precision.vpn :sshfp "precision"))
07fe1e43	186	(telecaster :alias tele :abbrev t
be5a78bf MW	187	(unsafe :alias tele.unsafe :abbrev tu)
	188	(dmz :alias tele.dmz :abbrev td))
	189	(telecaster (unsafe :addr telecaster.unsafe :sshfp "telecaster")
	190	(dmz :addr telecaster.dmz :sshfp "telecaster"))
07fe1e43	191	(stratocaster :alias strat :abbrev s
be5a78bf MW	192	(unsafe :alias strat.unsafe :abbrev su)
	193	(dmz :alias strat.dmz :abbrev sd))
	194	(stratocaster (unsafe :addr stratocaster.unsafe :sshfp "stratocaster")
	195	(dmz :addr stratocaster.dmz :sshfp "stratocaster"))
	196	(jazz :abbrev z (unsafe :abbrev zu) (dmz :abbrev zd) (vpn :abbrev :zv))
	197	(jazz (unsafe :addr jazz.unsafe :sshfp "jazz")
	198	(dmz :addr jazz.dmz :sshfp "jazz")
aa779726	199	(vpn :addr jazz.vpn :sshfp "jazz")
df1d9fe1 MW	200	(iodine :addr jazz.iodine :sshfp "jazz")
df1d9fe1 MW	201	(hippo :addr jazz.hippo :sshfp "jazz"))
38c2de7c	202
b577b999	203	;; Virtual hosts.
be5a78bf	204	(national :abbrev n (linode :abbrev nl) (upn :abbrev ny))
b577b999	205	(national (linode :addr national.linode)
be5a78bf MW	206	(upn :addr national.upn))
be5a78bf MW	207	(mdwdev (upn :addr mdwdev.upn))
b577b999	208
e8ba93bc	209	;; Nicko's servers.
be5a78bf MW	210	(richmond (dmz :svc richmond.dmz))
be5a78bf MW	211	(marshall (dmz :svc marshall.dmz))
a20ec58c	212
76e1e45a MW	213	;; Entry is via little router box.
76e1e45a MW	214	(dmz :net dmz)
f5c3343e MW	215	(guvnor (dmz :addr guvnor.dmz))
f5c3343e MW	216	(nat (dmz :addr nat.dmz))
76e1e45a	217
327c80f3	218	;; Wireless access points.
76e1e45a MW	219	(wireless :net wireless)
	220	(evolution (safe :addr evolution.safe))
	221	(evolution :alias evo)
25679b6d	222	(kitkat :alias ap0)
327c80f3	223	(kitkat (safe :addr kitkat.safe))
25679b6d	224	(lunch :alias ap1)
327c80f3	225	(lunch (safe :addr lunch.safe))
f233386b MW	226
f233386b MW	227	;; Printer.
af319f47	228	(burntaxe :alias lp0)
32926f3b	229	(burntaxe (safe :addr burntaxe.safe))
76e1e45a	230
f8f3b283	231	;; Switches.
c32d96fa MW	232	(grigsby :alias tp0)
	233	(grigsby (safe :addr grigsby.safe))
	234	(carling :alias tp1)
	235	(carling (safe :addr carling.safe))
	236	(tritan :alias tp2)
	237	(tritan (safe :addr tritan.safe))
f8f3b283	238
6ef39f28	239	;; Wired ethernet.
04d65182 MW	240	(unsafe :net unsafe)
	241	(safe :net safe)
	242	(untrusted :net untrusted)
07fe1e43	243	(vampire :abbrev v
be5a78bf	244	(unsafe :abbrev vu) (dmz :abbrev vd) (vpn :abbrev vv)
f5c3343e	245	(safe :abbrev vs) (untrusted :abbrev vx))
c3997955 MW	246	(vampire (unsafe :addr vampire.unsafe :sshfp "vampire")
c3997955 MW	247	(dmz :addr vampire.dmz :sshfp "vampire")
aa779726	248	(vpn :addr vampire.vpn :sshfp "vampire")
c3997955 MW	249	(safe :addr vampire.safe :sshfp "vampire")
c3997955 MW	250	(untrusted :addr vampire.untrusted :sshfp "vampire"))
f5c3343e	251	(ibanez :abbrev i (unsafe :abbrev iu) (dmz :abbrev id))
c3997955 MW	252	(ibanez (unsafe :addr ibanez.unsafe :sshfp "ibanez")
c3997955 MW	253	(dmz :addr ibanez.dmz :sshfp "ibanez"))
07fe1e43	254	(radius :abbrev r
be5a78bf	255	(unsafe :abbrev ru) (dmz :abbrev rd) (vpn :abbrev rv)
f5c3343e	256	(safe :abbrev rs) (untrusted :abbrev rx))
c3997955 MW	257	(radius (unsafe :addr radius.unsafe :sshfp "radius")
c3997955 MW	258	(dmz :addr radius.dmz :sshfp "radius")
aa779726	259	(vpn :addr radius.vpn :sshfp "radius")
c3997955 MW	260	(safe :addr radius.safe :sshfp "radius")
c3997955 MW	261	(untrusted :addr radius.untrusted :sshfp "radius"))
f5c3343e	262	(roadstar :abbrev rg (unsafe :abbrev rgu) (dmz :abbrev rgd))
c3997955 MW	263	(roadstar (unsafe :addr roadstar.unsafe :sshfp "roadstar")
c3997955 MW	264	(dmz :addr roadstar.dmz :sshfp "roadstar"))
f5c3343e	265	(jem :abbrev j (unsafe :abbrev ju) (dmz :abbrev jd))
c3997955 MW	266	(jem (unsafe :addr jem.unsafe :sshfp "jem")
c3997955 MW	267	(dmz :addr jem.dmz :sshfp "jem"))
f5c3343e	268	(universe :abbrev u (unsafe :abbrev uu) (dmz :abbrev ud))
664e6cf9 MW	269	(universe (unsafe :addr universe.unsafe :sshfp "universe")
664e6cf9 MW	270	(dmz :addr universe.dmz :sshfp "universe"))
07fe1e43	271	(artist :abbrev a
f5c3343e	272	(unsafe :abbrev au) (dmz :abbrev ad) (untrusted :abbrev ax))
c3997955 MW	273	(artist (unsafe :addr artist.unsafe :sshfp "artist")
	274	(dmz :addr artist.dmz :sshfp "artist")
	275	(untrusted :addr artist.untrusted :sshfp "artist"))
25d23a91	276	(groove :abbrev gr
be5a78bf	277	(vpn :abbrev grv) (unsafe :abbrev gru))
bda4d30e	278	(groove (vpn :addr groove.vpn :sshfp "groove")
bda4d30e	279	(unsafe :addr groove.unsafe :sshfp "groove"))
ec4898f9	280
ff6c53ad	281	;; DHCP hosts.
07fe1e43	282	(gibson :cname gibson.dhcp :abbrev g)
4b5e05ad MW	283	(lespaul :cname lespaul.dhcp)
4b5e05ad MW	284	(firebird :cname firebird.dhcp)
aa4d55b1 MW	285	(marauder :cname marauder.dhcp)
aa4d55b1 MW	286	(invader :cname invader.dhcp)
098020ad	287	(gretsch :cname gretsch.dhcp)
ec4898f9	288
6ef39f28	289	;; Virtual network.
be5a78bf	290	(vpn :net vpn)
07fe1e43	291	(crybaby :abbrev cb)
df1d9fe1 MW	292	(crybaby (vpn :addr crybaby.vpn :sshfp "crybaby")
df1d9fe1 MW	293	(hippo :addr crybaby.hippo :sshfp "crybaby"))
e8d49c40 MW	294	(spirit (vpn :addr spirit.vpn :sshfp "spirit")
e8d49c40 MW	295	(hippo :addr spirit.hippo :sshfp "spirit"))
c3997955	296	(terror (vpn :addr terror.vpn :sshfp "terror"))
07fe1e43	297	(orange :abbrev o)
be5a78bf	298	(orange (vpn :addr orange.vpn :sshfp "orange"))
07fe1e43	299	(haze :abbrev h)
be5a78bf	300	(haze (vpn :addr haze.vpn :sshfp "haze"))
fc0ce2ed	301	(iodine :net iodine)
df1d9fe1	302	(hippo :net hippo)
ec4898f9	303
6ef39f28	304	;; ITS.
b1d5c6c2	305	(its :net its)
c3997955 MW	306	(gw (its :addr gw.its))
c3997955 MW	307	(mz (its :addr mz.its))
ec4898f9	308
c2118713	309	;; Strange things.
be5a78bf	310	(blackhole (dmz :addr blackhole.dmz))
c2118713	311
6ef39f28	312	;; Delegations.
f0209b9c MW	313	(dhcp :ns ((radius.ns.dhcp :ip radius)
f0209b9c MW	314	(precision.ns.dhcp :ip precision)
1a8dfbe2 MW	315	(telecaster.ns.dhcp :ip telecaster)
1a8dfbe2 MW	316	(national.ns.dhcp :ip national))
3f954bac MW	317	:ds ((55966 :rsasha256 :sha1
	318	"95b05c1f4e84f950f29630004bac447f8a87ca33")
	319	(55966 :rsasha256 :sha256
	320	#.(concatenate 'string "31696bf54b577362b2eb75793adeb9ec"
	321	"2e8440ec671371b35d8d978cd9ca3007"))))
49c5f8ff MW	322	(dyn :ns ((radius.ns.dyn :ip radius)
49c5f8ff MW	323	(precision.ns.dyn :ip precision)
1a8dfbe2 MW	324	(telecaster.ns.dyn :ip telecaster)
1a8dfbe2 MW	325	(national.ns.dyn :ip national))
3f954bac MW	326	:ds ((11335 :rsasha256 :sha1
	327	"7ed2b843b0bfb38ceca68617dfacbeafab1d1ea9")
	328	(11335 :rsasha256 :sha256
	329	#.(concatenate 'string "6eb15eb587c48f5b84ca128a656a4cce"
	330	"0a41cf040d3d0f15a44dffd6476b2b55"))))
0262908f	331	(dnserr :ns ((radius.ns.dnserr :ip radius.dmz)
be5a78bf MW	332	(precision.ns.dnserr :ip precision.dmz)
be5a78bf MW	333	(telecaster.ns.dnserr :ip telecaster.dmz)
2831cef5	334	(national.ns.dnserr :ip national.linode))
3f954bac MW	335	:ds ((40945 :rsasha256 :sha1
	336	"f35b5d0b877b940e63ad1b3afc21d6ba83cd1b3b")
	337	(40945 :rsasha256 :sha256
	338	#.(concatenate 'string "fb171d206d4d64c5a7a6c290ce6e20df"
	339	"44f1db7f41e2260f1fe8d7c55d524c11"))))
aa420955 MW	340	(stratocaster.dkim
	341	:ns ((radius.ns.stratocaster.dkim :ip radius.dmz)
	342	(precision.ns.stratocaster.dkim :ip precision.dmz)
	343	(telecaster.ns.stratocaster.dkim :ip telecaster.dmz)
	344	(national.ns.stratocaster.dkim :ip national.linode)
	345	#+later (mythic-beasts-1.ns.stratocaster.dkim :ip mythic-ns1)
	346	#+later (mythic-beasts-2.ns.stratocaster.dkim :ip mythic-ns2)
	347	#+later (mythic-beasts-3.ns.stratocaster.dkim :ip mythic-ns3))
	348	:ds ((24577 :rsasha256 :sha1
	349	"d06847c01e19098509a8d07a9aafaceff532c9c7")
	350	(24577 :rsasha256 :sha256
	351	#.(concatenate 'string "a40cdb1c633041cfbc1b80a400cff527"
	352	"2cad051915fc0cd40296a2d4590b9d2b"))))
	353	(telecaster.dkim
	354	:ns ((radius.ns.telecaster.dkim :ip radius.dmz)
	355	(precision.ns.telecaster.dkim :ip precision.dmz)
	356	(telecaster.ns.telecaster.dkim :ip telecaster.dmz)
	357	(national.ns.telecaster.dkim :ip national.linode)
	358	#+later (mythic-beasts-1.ns.telecaster.dkim :ip mythic-ns1)
	359	#+later (mythic-beasts-2.ns.telecaster.dkim :ip mythic-ns2)
	360	#+later (mythic-beasts-3.ns.telecaster.dkim :ip mythic-ns3))
	361	:ds ((38896 :rsasha256 :sha1
	362	"2c2daea658784e22c46bf9e86da67def1e34cf40")
	363	(38896 :rsasha256 :sha256
	364	#.(concatenate 'string "66997571c7d47f912caa65f2154ecd37"
	365	"5b9d391e3ed44d79ac35eef59264e521"))))
5b39cda9 MW	366	(io :ns ((ns.io :ip jazz.dmz)))
5b39cda9 MW	367	(play :ns (radius.ns precision.ns telecaster.ns national.ns)))
b1d5c6c2 MW	368
	369	;;;--------------------------------------------------------------------------
	370	;;; Other subsidiary zones.
e80b4c2d	371
d21175f4	372	#+view/outside
55f161b6	373	(defzone dhcp.distorted.org.uk
a1ab9d7e	374	:ns ((radius.ns :ip radius.dmz)
be5a78bf MW	375	(precision.ns :ip precision.dmz)
be5a78bf MW	376	(telecaster.ns :ip telecaster.dmz)
1a8dfbe2	377	(national.ns :ip national.linode))
55f161b6	378	(gibson :addr gibson.unsafe)
812706bd	379	(crybaby :addr crybaby.unsafe)
2d7b9fe6	380	(lespaul :addr lespaul.unsafe)
3e38779f	381	(gretsch :addr gretsch.unsafe)
e8d49c40	382	(spirit :addr spirit.unsafe)
3e38779f	383	(haze :addr haze.unsafe)
55f161b6	384	(invader :addr invader.safe)
3e38779f	385	(marauder :addr marauder.safe))
55f161b6	386
d21175f4	387	#+view/outside
8b063560	388	(defzone (dyn.distorted.org.uk :source telecaster.distorted.org.uk.)
424ccd8a	389	:ns ((radius.ns :ip radius)
424ccd8a MW	390	(precision.ns :ip precision)
	391	(telecaster.ns :ip telecaster)
	392	(national.ns :ip national)))
	393
d21175f4	394	#+view/outside
c1f47051	395	(defzone nicko.org
be5a78bf	396	(richmond :addr richmond.dmz))
c1f47051	397
aa420955 MW	398	#+view/outside
	399	(defzone stratocaster.dkim.distorted.org.uk
	400	:ns ((radius.ns :ip radius.dmz)
	401	(precision.ns :ip precision.dmz)
	402	(telecaster.ns :ip telecaster.dmz)
	403	(national.ns :ip national.linode)
	404	#+later (mythic-beasts-1.ns :ip mythic-ns1)
	405	#+later (mythic-beasts-2.ns :ip mythic-ns2)
	406	#+later (mythic-beasts-3.ns :ip mythic-ns3)))
	407	#+view/outside
	408	(defzone telecaster.dkim.distorted.org.uk
	409	:ns ((radius.ns :ip radius.dmz)
	410	(precision.ns :ip precision.dmz)
	411	(telecaster.ns :ip telecaster.dmz)
	412	(national.ns :ip national.linode)
	413	#+later (mythic-beasts-1.ns :ip mythic-ns1)
	414	#+later (mythic-beasts-2.ns :ip mythic-ns2)
	415	#+later (mythic-beasts-3.ns :ip mythic-ns3)))
	416
e80b4c2d	417	(defrevzone trusted
8aa87005 MW	418	:ns (radius.distorted.org.uk.
8aa87005 MW	419	precision.distorted.org.uk.
1a8dfbe2 MW	420	telecaster.distorted.org.uk.
1a8dfbe2 MW	421	national.distorted.org.uk.)
b59ce50d MW	422	:reverse unsafe
b59ce50d MW	423	:reverse vpn
b59ce50d	424	:reverse its
345c0f69	425	:reverse any
8aa87005 MW	426	(dhcp :ns (radius.distorted.org.uk.
8aa87005 MW	427	precision.distorted.org.uk.
1a8dfbe2 MW	428	telecaster.distorted.org.uk.
1a8dfbe2 MW	429	national.distorted.org.uk.))
3503589d	430	:multi (((dhcp safe) :family :ipv4 :suffix "199.29.172.dhcp") :cname *))
b3f75214	431
d21175f4	432	#+view/outside
f5c3343e	433	(defzone dhcp.199.29.172.in-addr.arpa
8aa87005 MW	434	:ns (radius.distorted.org.uk.
8aa87005 MW	435	precision.distorted.org.uk.
1a8dfbe2 MW	436	telecaster.distorted.org.uk.
1a8dfbe2 MW	437	national.distorted.org.uk.))
b29264c5	438
f5c3343e	439	(defrevzone untrusted
b29264c5 MW	440	:ns (radius.distorted.org.uk.
b29264c5 MW	441	precision.distorted.org.uk.
1a8dfbe2 MW	442	telecaster.distorted.org.uk.
1a8dfbe2 MW	443	national.distorted.org.uk.))
b29264c5	444
7c0d1761 MW	445	(defzone 128-143.238.187.81.in-addr.arpa
	446	:ns (radius.distorted.org.uk.
	447	precision.distorted.org.uk.
1a8dfbe2 MW	448	telecaster.distorted.org.uk.
	449	national.distorted.org.uk.
	450	secondary-dns.co.uk.)
f5c3343e	451	:reverse ((((:ipv4 dmz)))))
7c0d1761	452
bda4d30e MW	453	(defzone 64-79.12.169.217.in-addr.arpa
bda4d30e MW	454	:ns (radius.distorted.org.uk.
bda4d30e MW	455	precision.distorted.org.uk.
	456	telecaster.distorted.org.uk.
	457	national.distorted.org.uk.
	458	secondary-dns.co.uk.)
	459	:reverse ((((:ipv4 dmz1)))))
	460
7c0d1761 MW	461	(defzone 195.113.2.81.in-addr.arpa
	462	:ns (radius.distorted.org.uk.
	463	precision.distorted.org.uk.
1a8dfbe2 MW	464	telecaster.distorted.org.uk.
	465	national.distorted.org.uk.
	466	secondary-dns.co.uk.)
f5c3343e	467	:reverse ((((:ipv4 gw)))))
7c0d1761	468
f5c3343e	469	(defrevzone (distorted.org.uk-aaisp :family :ipv6)
7c0d1761 MW	470	:ns (radius.distorted.org.uk.
7c0d1761 MW	471	precision.distorted.org.uk.
1a8dfbe2 MW	472	telecaster.distorted.org.uk.
	473	national.distorted.org.uk.
	474	secondary-dns.co.uk.)
b0eb5b79	475	(0.7.3.6.8.6.4.6.1.0.0.0 :ns (radius.distorted.org.uk.
b0eb5b79 MW	476	precision.distorted.org.uk.
	477	telecaster.distorted.org.uk.
	478	national.distorted.org.uk.))
f5c3343e	479	:reverse ((((:ipv6 distorted.org.uk-aaisp)))))
7c0d1761	480
b0eb5b79 MW	481	(defrevzone (dhcp :family :ipv6)
b0eb5b79 MW	482	:ns (radius.distorted.org.uk.
b0eb5b79 MW	483	precision.distorted.org.uk.
	484	telecaster.distorted.org.uk.
	485	national.distorted.org.uk.))
	486
d21175f4	487	#+view/outside
995d75b4	488	(defzone io.distorted.org.uk
be5a78bf	489	:ns ((ns :ip jazz.dmz))
995d75b4 MW	490	(about :txt "Fake zone used for IP-over-DNS tunnelling."))
995d75b4 MW	491
b1d5c6c2	492	;;;----- That's all, folks --------------------------------------------------