X-Git-Url: https://git.distorted.org.uk/~mdw/zones/blobdiff_plain/8336c8ffc302e36077d0f7b4488baed0d6cf4a31..7c0d176164ee07b13e5c861a95a44c3c7ae6dfe9:/distorted.lisp diff --git a/distorted.lisp b/distorted.lisp index 0289a8b..4b17c24 100644 --- a/distorted.lisp +++ b/distorted.lisp @@ -79,17 +79,9 @@ (chiark.ns :ip chiark.greenend.org.uk)) ;; Mail servers. - ((@ mail blackhole) - :mx mail - :srv ((:smtp mail))) - ((lists) - :ttl 300 - :mx lists - :srv ((:smtp lists))) - ((bugs cryptomail) - :ttl 300 - :mx mail - :srv ((:smtp old-mail))) + ((@ mail blackhole) :mx mail :srv ((:smtp mail))) + ((bugs) :ttl 300 :mx lists :srv ((:smtp bugs))) + ((lists) :ttl 300 :mx lists :srv ((:smtp lists))) (stratocaster.20140403._domainkey :dkim ("stratocaster-20140403" @@ -99,10 +91,12 @@ (dns0 :anycast ((any dns0.any) (jump precision.jump) (colo precision.colo) + (aaisp radius.aaisp) (dmz radius.dmz) (unsafe radius.unsafe))) (dns1 :anycast ((any dns1.any) (jump telecaster.jump) + (aaisp vampire.aaisp) (dmz vampire.dmz) (unsafe vampire.unsafe) (colo telecaster.colo))) @@ -110,16 +104,19 @@ (ntp0 :anycast ((any ntp0.any) (jump fender.jump) + (aaisp ibanez.aaisp) (dmz ibanez.dmz) (unsafe ibanez.unsafe) (colo fender.colo))) (ntp1 :anycast ((any ntp1.any) + (aaisp vampire.aaisp) (dmz vampire.dmz) (unsafe vampire.unsafe))) (ntp :cname ntp0) (www-cache :anycast ((any www-cache.any) (jump telecaster.jump) + (aaisp roadstar.aaisp) (dmz roadstar.dmz) (unsafe roadstar.unsafe) (colo telecaster.colo))) @@ -128,13 +125,16 @@ (_kerberos :txt "DISTORTED.ORG.UK") (krb0 :anycast ((any krb0.any) (jump precision.jump) + (aaisp radius.aaisp) (dmz radius.dmz) (unsafe radius.unsafe) (colo precision.colo))) (krb1 :anycast ((any krb1.any) + (aaisp vampire.aaisp) (dmz vampire.dmz) (unsafe vampire.unsafe))) (krb-master (unsafe :svc radius.unsafe) + (aaisp :svc radius.aaisp) (dmz :svc radius.dmz)) :srv (((:kerberos :protocol :udp) krb0 
@@ -149,36 +149,36 @@ (:ftp ftp)) ;; Colocated services. - ((irc vox keys) (colo :svc jazz.colo :sshfp "jazz") - (jump :svc jazz.jump :sshfp "jazz")) - (lists (colo :svc telecaster.colo :sshfp "telecaster") - (jump :svc telecaster.jump :sshfp "telecaster")) + ((irc vox keys wiki) (colo :svc jazz.colo :sshfp "jazz") + (jump :svc jazz.jump :sshfp "jazz")) + ((irc vox keys wiki) :tlsa (:https (:service-certificate-constraint + :public-key :sha-256 #p"https-jazz"))) + ((bugs lists db ftp) (colo :svc telecaster.colo :sshfp "telecaster") + (jump :svc telecaster.jump :sshfp "telecaster")) + ((bugs lists ftp) :tlsa (:https (:service-certificate-constraint + :public-key :sha-256 + #p"https-telecaster"))) + (dyndns :svc telecaster.jump :sshfp "telecaster") ((git www mail) (colo :svc stratocaster.colo :sshfp "stratocaster") (jump :svc stratocaster.jump :sshfp "stratocaster")) - ((www @) :tlsa (:https (:service-certificate-constraint - :certificate :sha-256 #p"http-server-www#1"))) - (git :tlsa (:https (:trust-anchor-assertion - :certificate :sha-256 #p"distorted-ca"))) - (www-cache :tlsa (3127 (:trust-anchor-assertion - :certificate :sha-256 #p"distorted-ca"))) - (lists :tlsa ((:smtp :https) (:trust-anchor-assertion - :certificate :sha-256 #p"distorted-ca"))) - (mail :tlsa ((:smtp :submission :imap) - (:trust-anchor-assertion - :certificate :sha-256 #p"distorted-ca"))) + ((www git mail @) :tlsa (:https (:service-certificate-constraint + :public-key :sha-256 + #p"https-stratocaster"))) + (www-cache :tlsa (3127 #1=(:trust-anchor-assertion + :certificate :sha-256 #p"distorted-ca"))) + ((bugs lists) :tlsa (:smtp #1#)) + (mail :tlsa ((:smtp :submission :imap :imaps) #1#)) :svc #+view/inside stratocaster.colo #-view/inside stratocaster.jump (cabal :svc stratocaster.colo :sshfp "stratocaster") - ((db ftp) (colo :svc telecaster.colo :sshfp "telecaster") - (jump :svc telecaster.jump :sshfp "telecaster")) - (dyndns :svc telecaster.jump :sshfp "telecaster") ;; Local services. 
((rawk pifi) (unsafe :svc artist.unsafe) + (aaisp :svc artist.aaisp) (dmz :svc artist.dmz)) - (mirror (dmz :svc roadstar.dmz :sshfp "roadstar") + (mirror (aasip :svc roadstar.aaisp :sshfp "roadstar") + (dmz :svc roadstar.dmz :sshfp "roadstar") (unsafe :svc roadstar.unsafe :sshfp "roadstar")) - ((wiki bugs old-mail i2p) :svc vampire :sshfp "vampire") ;; Internal services. #+view/inside ((news lpr) :svc vampire.unsafe :sshfp "vampire") @@ -187,6 +187,7 @@ (anon (colo :svc jazz.colo) (unsafe :svc vampire.unsafe) (jump :addr anon.jump) + (aaisp :addr anon.aaisp) (dmz :addr anon.dmz)) ;; Fancy connectivity. @@ -219,6 +220,11 @@ (vpn :addr jazz.vpn :sshfp "jazz") (iodine :addr jazz.iodine :sshfp "jazz")) + ;; Virtual hosts. + (national :abbrev n (linode :abbrev nl) (upn :abbrev ny)) + (national (linode :addr national.linode) + (upn :addr national.upn)) + ;; Media server (on loan to Good Technology HSTG). (jaguar :abbrev jag) (jaguar (jump :addr jaguar.jump :sshfp "jaguar")) @@ -227,9 +233,12 @@ (richmond (jump :svc richmond.jump)) ;; Entry is via little router box. + (aaisp :net aaisp) (dmz :net dmz) - (guvnor (dmz :addr guvnor.dmz)) - (nat (dmz :addr nat.dmz)) + (guvnor (dmz :addr guvnor.dmz) + (aaisp :addr guvnor.aaisp)) + (nat (dmz :addr nat.dmz) + (aaisp :addr nat.aaisp)) ;; Wireless gateway. (wireless :net wireless) 
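Review bot: The new `mirror` entry under ";; Local services." spells the network as `aasip`, while every other added clause in this commit uses `aaisp`, so it should read `(mirror (aaisp :svc roadstar.aaisp :sshfp "roadstar")`. How the zone macro treats an unknown network name is not visible here, but the likely outcomes are a missing record for that view or a load error. Separately, the HTTPS TLSA records in this hunk now pin the server public key (`:service-certificate-constraint :public-key :sha-256`) instead of asserting the `distorted-ca` trust anchor. A comment above them would help, for example `;; TLSA pins the server key: publish the new key's record and wait out the TTL before rotating.` The enclosing zone form starts and ends outside this hunk.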
@@ -249,33 +258,45 @@ (safe :net safe) (untrusted :net untrusted) (vampire :abbrev v - (unsafe :abbrev vu) (dmz :abbrev vd) (vpn :abbrev vv) - (safe :abbrev vs) (untrusted :abbrev vx)) + (unsafe :abbrev vu) (aaisp :abbrev va) (dmz :abbrev vd) + (vpn :abbrev vv) (safe :abbrev vs) (untrusted :abbrev vx)) (vampire (unsafe :addr vampire.unsafe :sshfp "vampire") + (aaisp :addr vampire.aaisp :sshfp "vampire") (dmz :addr vampire.dmz :sshfp "vampire") (vpn :addr vampire.vpn :sshfp "vampire") (safe :addr vampire.safe :sshfp "vampire") (untrusted :addr vampire.untrusted :sshfp "vampire")) - (ibanez :abbrev i (unsafe :abbrev iu) (dmz :abbrev id)) + (ibanez :abbrev i (unsafe :abbrev iu) (aaisp :abbrev ia) (dmz :abbrev id)) (ibanez (unsafe :addr ibanez.unsafe :sshfp "ibanez") + (aaisp :addr ibanez.aaisp :sshfp "ibanez") (dmz :addr ibanez.dmz :sshfp "ibanez")) (radius :abbrev r - (unsafe :abbrev ru) (dmz :abbrev rd) (vpn :abbrev rv) - (safe :abbrev rs) (untrusted :abbrev rx)) + (unsafe :abbrev ru) (aaisp :abbrev ra) (dmz :abbrev rd) + (vpn :abbrev rv) (safe :abbrev rs) (untrusted :abbrev rx)) (radius (unsafe :addr radius.unsafe :sshfp "radius") + (aaisp :addr radius.aaisp :sshfp "radius") (dmz :addr radius.dmz :sshfp "radius") (vpn :addr radius.vpn :sshfp "radius") (safe :addr radius.safe :sshfp "radius") (untrusted :addr radius.untrusted :sshfp "radius")) - (roadstar :abbrev rg (unsafe :abbrev rgu) (dmz :abbrev rgd)) + (roadstar :abbrev rg (unsafe :abbrev rgu) + (aaisp :abbrev rga) (dmz :abbrev rgd)) (roadstar (unsafe :addr roadstar.unsafe :sshfp "roadstar") + (aaisp :addr roadstar.aaisp :sshfp "roadstar") (dmz :addr roadstar.dmz :sshfp "roadstar")) - (jem :abbrev j (unsafe :abbrev ju) (dmz :abbrev jd)) + (jem :abbrev j (unsafe :abbrev ju) (aaisp :abbrev ja) (dmz :abbrev jd)) (jem (unsafe :addr jem.unsafe :sshfp "jem") + (aaisp :addr jem.aaisp :sshfp "jem") (dmz :addr jem.dmz :sshfp "jem")) + (universe :abbrev u (unsafe :abbrev uu) (aaisp :abbrev ua) (dmz :abbrev ud)) + 
(universe (unsafe :addr universe.unsafe :sshfp "universe") + (aaisp :addr universe.aaisp :sshfp "universe") + (dmz :addr universe.dmz :sshfp "universe")) (artist :abbrev a - (unsafe :abbrev au) (dmz :abbrev ad) (untrusted :abbrev ax)) + (unsafe :abbrev au) (aaisp :abbrev aa) (dmz :abbrev ad) + (untrusted :abbrev ax)) (artist (unsafe :addr artist.unsafe :sshfp "artist") + (aaisp :addr artist.aaisp :sshfp "artist") (dmz :addr artist.dmz :sshfp "artist") (untrusted :addr artist.untrusted :sshfp "artist")) (groove :abbrev gr) @@ -394,6 +415,20 @@ vampire.distorted.org.uk.) :reverse ((((:ipv4 dmz))))) +(defzone 128-143.238.187.81.in-addr.arpa + :ns (radius.distorted.org.uk. + precision.distorted.org.uk. + telecaster.distorted.org.uk. + vampire.distorted.org.uk.) + :reverse ((((:ipv4 aaisp))))) + +(defzone 195.113.2.81.in-addr.arpa + :ns (radius.distorted.org.uk. + precision.distorted.org.uk. + telecaster.distorted.org.uk. + vampire.distorted.org.uk.) + :reverse ((((:ipv4 aaisp-gw))))) + (defrevzone (jump :family :ipv6) :ns (radius.distorted.org.uk. precision.distorted.org.uk. @@ -422,6 +457,13 @@ vampire.distorted.org.uk.) :reverse distorted.org.uk-he) +(defrevzone (aaisp :family :ipv6) + :ns (radius.distorted.org.uk. + precision.distorted.org.uk. + telecaster.distorted.org.uk. + vampire.distorted.org.uk.) + :reverse ((((:ipv6 aaisp))))) + (defrevzone distorted.org.uk-jump :ns (radius.distorted.org.uk. precision.distorted.org.uk.
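Review bot: The two new `defzone` forms in the `@@ -394,6 +415,20 @@` hunk have no comment explaining their unusual names. `128-143.238.187.81.in-addr.arpa` looks like a classless (RFC 2317-style) reverse delegation for a /28, and `195.113.2.81.in-addr.arpa` looks like a zone for the single `aaisp-gw` address. Both resolve only if the parent zones carry matching CNAME or NS records, which are not visible in this file. I would add a line above each, such as `;; Classless reverse delegation for the aaisp range; the parent zone must CNAME 128..143 into this zone.` and `;; Single-address reverse zone for the aaisp gateway.`, adjusted to whatever the upstream arrangement actually is.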