keys/, distorted.lisp: Add SSHFP recortds for virtual servers. master
authorMark Wooding <mdw@distorted.org.uk>
Mon, 3 Jun 2024 21:57:39 +0000 (22:57 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Mon, 3 Jun 2024 21:57:39 +0000 (22:57 +0100)
Makefile
binswood.lisp
certs/distorted-ca.cert
distorted.lisp
escorted.lisp
hosts.lisp
keys/eggle.sshfp [new file with mode: 0644]
keys/national.sshfp [new file with mode: 0644]
odin.lisp

index 10e0a31..29def38 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -63,21 +63,18 @@ ZONESETS            += distorted
 
 distorted_VIEWS                 = inside outside
 distorted_outside_NETS  = dmz
 
 distorted_VIEWS                 = inside outside
 distorted_outside_NETS  = dmz
-distorted_inside_NETS   = any unsafe colo vpn upn
+distorted_inside_NETS   = any unsafe vpn upn
 
 distorted_all_ZONES    += distorted.org.uk
 
 distorted_all_ZONES    += 195.113.2.81.in-addr.arpa
 distorted_all_ZONES    += 128-143.238.187.81.in-addr.arpa
 distorted_all_ZONES    += 64-79.12.169.217.in-addr.arpa
 
 distorted_all_ZONES    += distorted.org.uk
 
 distorted_all_ZONES    += 195.113.2.81.in-addr.arpa
 distorted_all_ZONES    += 128-143.238.187.81.in-addr.arpa
 distorted_all_ZONES    += 64-79.12.169.217.in-addr.arpa
-distorted_all_ZONES    += 64-79.198.13.212.in-addr.arpa
-
-distorted_all_ZONES    += 199.29.172.in-addr.arpa
-
-distorted_all_ZONES    += 9.d.1.0.0.0.0.0.8.a.b.0.1.0.0.2.ip6.arpa
 distorted_all_ZONES    += 2.9.c.0.0.b.8.0.1.0.0.2.ip6.arpa
 distorted_all_ZONES    += 9.d.1.0.8.a.b.0.1.0.0.2.ip6.arpa
 
 distorted_all_ZONES    += 2.9.c.0.0.b.8.0.1.0.0.2.ip6.arpa
 distorted_all_ZONES    += 9.d.1.0.8.a.b.0.1.0.0.2.ip6.arpa
 
+distorted_all_ZONES    += 199.29.172.in-addr.arpa
+
 distorted_outside_NSDIFF = -sradius.dmz.distorted.org.uk
 
 ###--------------------------------------------------------------------------
 distorted_outside_NSDIFF = -sradius.dmz.distorted.org.uk
 
 ###--------------------------------------------------------------------------
index 322929d..12342ff 100644 (file)
@@ -17,6 +17,7 @@
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
        (national.ns :ip national)
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
        (national.ns :ip national)
+       (eggle.ns :ip eggle)
        (mythic-beasts-1.ns :ip mythic-ns1)
        (mythic-beasts-2.ns :ip mythic-ns2)
        (mythic-beasts-3.ns :ip mythic-ns3))
        (mythic-beasts-1.ns :ip mythic-ns1)
        (mythic-beasts-2.ns :ip mythic-ns2)
        (mythic-beasts-3.ns :ip mythic-ns3))
 
   ;; Dynamic addresses.
   (dyn :ns ((radius.ns.dyn :ip radius)
 
   ;; Dynamic addresses.
   (dyn :ns ((radius.ns.dyn :ip radius)
-           (vampire.ns.dyn :ip vampire)
            (precision.ns.dyn :ip precision)
            (telecaster.ns.dyn :ip telecaster)
            (precision.ns.dyn :ip precision)
            (telecaster.ns.dyn :ip telecaster)
-           (national.ns.dyn :ip national)))
+           (national.ns.dyn :ip national)
+           (eggle.ns.dyn :ip eggle)))
   (ext :cname ext.dyn))
 
   (ext :cname ext.dyn))
 
-(defzone dyn.binswood.org.uk
+(defzone (dyn.binswood.org.uk :source telecaster.distorted.org.uk.)
   :ns ((radius.ns :ip radius)
   :ns ((radius.ns :ip radius)
-       (vampire.ns :ip vampire)
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
-       (national.ns :ip national)))
+       (national.ns :ip national)
+       (eggle.ns :ip eggle)))
 
 (defrevzone binswood
   :ns ((radius.ns :ip radius)
 
 (defrevzone binswood
   :ns ((radius.ns :ip radius)
index 4aff3dd..3827424 100644 (file)
@@ -1,43 +1,44 @@
 Certificate:
     Data:
         Version: 3 (0x2)
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 16570956933538312940 (0xe5f7dd88cbd8f2ec)
+        Serial Number:
+            91:ae:25:64:67:a2:25:75
     Signature Algorithm: sha256WithRSAEncryption
     Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=GB, ST=Cambridgeshire, L=Cambridge, O=distorted.org.uk, CN=distorted.org.uk Certificate Authority/emailAddress=ca@distorted.org.uk
+        Issuer: C = GB, ST = Cambridgeshire, L = Cambridge, O = distorted.org.uk, CN = distorted.org.uk Certificate Authority, emailAddress = ca@distorted.org.uk
         Validity
         Validity
-            Not Before: Dec  1 14:27:13 2012 GMT
-            Not After : Nov 29 14:27:13 2022 GMT
-        Subject: C=GB, ST=Cambridgeshire, L=Cambridge, O=distorted.org.uk, CN=distorted.org.uk Certificate Authority/emailAddress=ca@distorted.org.uk
+            Not Before: Nov 30 10:52:47 2022 GMT
+            Not After : Nov 27 10:52:47 2032 GMT
+        Subject: C = GB, ST = Cambridgeshire, L = Cambridge, O = distorted.org.uk, CN = distorted.org.uk Certificate Authority, emailAddress = ca@distorted.org.uk
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (3072 bit)
                 Modulus:
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (3072 bit)
                 Modulus:
-                    00:ba:88:24:78:37:a2:42:8b:1a:03:88:28:46:d8:
-                    dc:ad:3a:20:ba:2e:d0:fd:3b:b1:09:64:4a:63:35:
-                    cb:ff:ab:c4:b3:31:19:80:00:ca:67:b8:90:86:3d:
-                    fd:2c:72:c4:31:40:99:00:e8:cf:4e:72:54:9a:6e:
-                    b1:11:ed:0b:c5:de:9d:88:f2:03:93:f1:ee:3a:d9:
-                    56:4e:cb:c7:5c:2e:c3:41:e4:d8:d3:a9:cd:54:b1:
-                    43:e4:4f:24:f4:1c:d6:3d:11:f1:12:b4:a5:89:4a:
-                    d5:8e:99:6c:ef:85:ca:64:23:07:3b:f6:91:fa:86:
-                    e9:db:55:5f:8d:2c:5f:8b:dd:0e:02:49:59:4a:31:
-                    b9:57:6a:97:f9:50:e4:5a:f6:df:20:53:4f:53:bb:
-                    01:08:f6:2c:59:08:db:6b:ee:b9:e2:ef:db:f6:35:
-                    24:12:29:e7:10:49:52:80:8e:9f:d3:16:96:94:ae:
-                    68:bc:40:c9:a7:9a:08:9c:7e:4f:d0:c1:ae:45:b0:
-                    8a:da:a6:60:5d:29:06:8f:a3:af:ed:72:1a:ef:c6:
-                    cf:bf:2b:3f:c0:2f:26:30:85:63:04:4b:61:8c:20:
-                    da:0a:f9:c1:4a:10:66:bf:ab:fe:ef:41:55:d3:c9:
-                    ab:29:a9:03:94:f0:13:08:a2:14:f3:e8:50:c4:01:
-                    31:41:61:06:e9:14:13:3b:52:bb:01:ef:09:40:4f:
-                    27:78:7b:6e:13:61:6c:24:ce:bf:60:c0:06:eb:87:
-                    31:ac:00:b0:f1:0a:5c:3b:72:92:3a:3c:ee:8a:69:
-                    22:25:af:87:21:5e:47:98:62:86:0e:2b:72:87:ad:
-                    7d:a9:79:5f:80:3b:52:1c:f8:9b:09:72:ce:9a:e9:
-                    d2:07:3e:1e:58:d9:1c:5b:3f:e3:cc:4e:ef:9d:54:
-                    45:91:83:6a:99:92:9a:42:b1:54:ff:67:9d:fc:49:
-                    02:9f:b0:cd:7d:3a:d1:8f:5b:d3:69:dd:ba:eb:08:
-                    c6:7e:4a:80:58:d6:0f:10:c5:3f
+                    00:ca:0b:24:52:39:56:de:ea:7f:9a:55:e4:0b:28:
+                    64:de:ff:07:b4:0e:b2:75:b2:ae:04:4c:01:4b:b2:
+                    9a:24:c3:41:cd:fb:a7:d2:9c:24:c9:51:c4:60:7c:
+                    41:31:e4:b9:d9:6e:1c:40:f3:c1:fb:5c:c3:a0:1d:
+                    ee:41:4b:ef:8c:6a:a7:9b:3b:33:f1:25:84:f6:63:
+                    28:eb:66:84:14:b6:68:82:a4:e4:c4:3f:28:ad:f4:
+                    37:8d:1c:21:32:42:f1:2b:c8:d7:45:eb:3b:76:c3:
+                    3a:f3:f7:f8:02:66:87:6f:48:0a:56:57:2b:41:70:
+                    07:04:fd:7a:48:0d:2b:7e:fb:f3:64:e5:cf:45:86:
+                    e1:96:08:52:b6:f9:f9:7d:5b:48:5d:83:e1:75:9a:
+                    7f:20:6d:d1:06:bc:6c:5f:3c:13:98:57:97:b3:17:
+                    81:0a:e4:7f:c8:3e:f0:47:27:14:23:f1:3b:1e:4a:
+                    79:53:5c:a1:15:c6:49:a8:f6:e6:9f:05:23:fb:de:
+                    aa:46:23:4c:b6:72:c9:70:36:82:ef:aa:08:e0:af:
+                    3c:90:f8:da:54:7d:5a:0a:de:67:37:4a:a3:98:32:
+                    a0:b4:78:06:b4:9f:ab:76:a2:8b:3d:dc:dc:92:a9:
+                    09:5b:a4:d5:39:bb:21:d8:32:bf:2e:8c:9f:e8:97:
+                    a1:57:b9:18:60:87:be:cb:3c:ad:d4:a8:ef:b4:9d:
+                    55:26:62:9e:1e:1b:a7:d9:d8:d4:39:18:64:38:f9:
+                    66:62:bd:b5:54:4e:5a:f6:c3:b6:a2:d8:71:a5:bf:
+                    c8:40:0e:ee:f3:de:c0:2e:8b:2b:b7:53:cd:eb:b6:
+                    d2:2c:e6:9c:d8:92:3d:8d:e9:e1:49:63:58:81:4a:
+                    a7:ef:fc:03:03:aa:77:33:dd:78:28:90:39:4a:af:
+                    fc:12:f8:39:a7:36:c7:b7:91:00:99:4c:70:5c:43:
+                    46:ab:61:be:ad:9e:40:5c:ac:27:4b:a1:1b:f3:39:
+                    f7:81:41:35:53:21:bd:1b:f0:57
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
@@ -45,7 +46,7 @@ Certificate:
             X509v3 Key Usage: critical
                 Certificate Sign
             X509v3 Subject Key Identifier: 
             X509v3 Key Usage: critical
                 Certificate Sign
             X509v3 Subject Key Identifier: 
-                73:9C:A1:60:E2:B2:1B:D0:F2:10:33:C1:11:97:73:9A:6E:5B:AB:CA
+                52:E5:9C:B1:F5:DB:78:FD:64:94:3B:01:99:21:27:BD:8F:88:16:6F
             X509v3 Subject Alternative Name: 
                 email:ca@distorted.org.uk
             X509v3 CRL Distribution Points: 
             X509v3 Subject Alternative Name: 
                 email:ca@distorted.org.uk
             X509v3 CRL Distribution Points: 
@@ -54,57 +55,57 @@ Certificate:
                   URI:http://www.distorted.org.uk/ca/crl
 
     Signature Algorithm: sha256WithRSAEncryption
                   URI:http://www.distorted.org.uk/ca/crl
 
     Signature Algorithm: sha256WithRSAEncryption
-         6b:1f:b0:49:bc:07:25:8a:75:47:03:b4:85:47:c8:b6:9b:93:
-         6b:7c:aa:c9:15:74:eb:d2:81:57:10:e2:6c:b6:42:4a:4b:18:
-         11:80:04:1b:1e:67:63:41:70:a1:b3:2a:6c:e6:82:77:9d:a4:
-         83:9e:f0:e4:c7:0e:56:0f:f1:1e:61:ff:a3:27:f1:4b:aa:9a:
-         fd:27:a7:ba:13:f9:9a:b6:b8:e6:6d:78:fc:2b:21:5f:62:b7:
-         73:3a:38:94:30:4e:80:b7:1f:84:dc:1a:68:da:fa:99:19:08:
-         c3:e0:7f:d2:08:8b:25:c1:69:e5:d5:24:5e:33:4c:5c:cc:d2:
-         a7:27:2b:01:da:3c:50:c3:58:64:73:f7:7f:88:12:b5:6e:41:
-         eb:07:8e:c5:79:e7:3d:e1:da:e6:9b:3c:c8:c4:b9:92:71:a1:
-         5d:01:95:4e:92:9e:e5:7f:ed:71:e4:27:3e:97:10:de:5d:1a:
-         a1:37:a3:1f:f0:fe:09:fe:ce:72:e7:f5:a0:5c:54:19:6f:f7:
-         62:a8:c8:66:09:77:6c:d8:73:d9:1d:c0:cd:65:c9:bd:27:9a:
-         8a:10:dc:0b:1e:08:ec:39:99:50:89:2f:bc:ca:a2:13:55:c6:
-         7f:2c:96:f1:2b:46:cf:9c:70:31:9d:7f:11:72:18:67:5d:a7:
-         c9:03:a7:1f:6b:cc:ac:a3:ae:e2:2e:01:bd:7f:a3:8d:ca:aa:
-         20:72:9c:81:84:5b:34:c5:93:1a:bd:e7:52:4f:00:9a:dd:c3:
-         af:0a:a1:e4:64:aa:d9:62:80:ce:b9:c8:57:38:03:54:d0:e1:
-         ae:0c:a9:09:da:44:88:32:58:0d:58:1f:6d:f5:c8:9b:65:fe:
-         02:57:44:ea:e1:ae:42:5f:63:24:b6:f2:99:d8:e0:3d:35:6c:
-         64:da:f7:7f:1c:f7:31:96:a4:38:93:ca:10:bc:e6:bf:d8:92:
-         ae:bc:e2:c1:df:57:45:6b:71:7b:d0:ea:43:8e:c7:87:61:77:
-         16:17:10:01:ef:6b
+         94:d4:bd:34:10:6f:cb:80:2c:ad:44:c8:ae:4a:b7:61:d9:5c:
+         5e:0b:be:2d:bd:01:b4:4f:f5:a4:b1:a5:57:b4:73:29:96:67:
+         2b:a6:98:b1:ea:ff:2a:ad:bf:1a:7a:e8:18:29:3f:42:49:a1:
+         9c:ca:33:70:f3:4e:59:ea:32:c1:3d:57:0a:c0:84:a1:eb:e2:
+         71:f1:8f:92:df:36:11:df:27:71:68:19:c2:71:68:ef:bd:c7:
+         a8:60:12:23:54:69:69:09:e5:69:e6:5c:09:42:07:cb:6c:d7:
+         19:c3:c1:84:b5:1b:f9:fa:ce:4e:d9:bd:67:d5:08:8d:d0:d9:
+         2b:0c:d9:c8:db:e5:5c:be:fe:5d:12:7c:64:3e:d4:5e:0c:05:
+         1d:81:6f:b7:4b:12:ef:a6:20:b0:ac:86:8f:06:0c:dd:c6:44:
+         64:f6:c4:d9:8b:6e:d0:27:ba:72:dc:f6:18:5c:a4:d3:44:67:
+         2f:d8:67:91:0a:cf:e1:20:43:27:dc:f6:2f:df:30:85:db:56:
+         64:53:bb:d7:86:7a:b0:10:ff:b3:3b:29:11:36:ea:47:e9:1d:
+         a4:d1:e0:28:d7:4f:0b:58:35:b0:5c:ec:0d:72:a3:65:ac:cb:
+         73:02:bc:86:ca:ca:b6:c6:00:94:66:90:bf:4d:e5:65:ff:ff:
+         cc:05:5b:57:8e:05:9d:8c:aa:42:db:c7:48:19:70:fb:33:6c:
+         b4:e6:05:37:52:68:8c:54:b3:42:93:8b:58:f0:06:4f:45:f0:
+         4c:6a:6e:7b:cd:da:de:28:5c:80:63:54:4b:28:af:8a:66:94:
+         47:5b:34:d4:a9:7c:b8:9e:f3:af:9a:af:c8:e1:4a:56:d0:ba:
+         06:bd:39:02:93:44:74:05:af:32:76:9b:b3:3b:26:67:91:96:
+         31:1d:60:18:70:ba:24:7a:57:4a:6d:8a:69:e6:ff:cf:ad:ea:
+         c4:15:da:17:98:2d:df:9d:2f:96:bc:31:a9:86:4c:5e:54:7d:
+         09:81:72:d8:1e:21
 -----BEGIN CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIFcjCCA9qgAwIBAgIJAOX33YjL2PLsMA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD
-VQQGEwJHQjEXMBUGA1UECBMOQ2FtYnJpZGdlc2hpcmUxEjAQBgNVBAcTCUNhbWJy
-aWRnZTEZMBcGA1UEChMQZGlzdG9ydGVkLm9yZy51azEvMC0GA1UEAxMmZGlzdG9y
+MIIFcjCCA9qgAwIBAgIJAJGuJWRnoiV1MA0GCSqGSIb3DQEBCwUAMIGqMQswCQYD
+VQQGEwJHQjEXMBUGA1UECAwOQ2FtYnJpZGdlc2hpcmUxEjAQBgNVBAcMCUNhbWJy
+aWRnZTEZMBcGA1UECgwQZGlzdG9ydGVkLm9yZy51azEvMC0GA1UEAwwmZGlzdG9y
 dGVkLm9yZy51ayBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgkqhkiG9w0BCQEW
 dGVkLm9yZy51ayBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxIjAgBgkqhkiG9w0BCQEW
-E2NhQGRpc3RvcnRlZC5vcmcudWswHhcNMTIxMjAxMTQyNzEzWhcNMjIxMTI5MTQy
-NzEzWjCBqjELMAkGA1UEBhMCR0IxFzAVBgNVBAgTDkNhbWJyaWRnZXNoaXJlMRIw
-EAYDVQQHEwlDYW1icmlkZ2UxGTAXBgNVBAoTEGRpc3RvcnRlZC5vcmcudWsxLzAt
-BgNVBAMTJmRpc3RvcnRlZC5vcmcudWsgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSIw
+E2NhQGRpc3RvcnRlZC5vcmcudWswHhcNMjIxMTMwMTA1MjQ3WhcNMzIxMTI3MTA1
+MjQ3WjCBqjELMAkGA1UEBhMCR0IxFzAVBgNVBAgMDkNhbWJyaWRnZXNoaXJlMRIw
+EAYDVQQHDAlDYW1icmlkZ2UxGTAXBgNVBAoMEGRpc3RvcnRlZC5vcmcudWsxLzAt
+BgNVBAMMJmRpc3RvcnRlZC5vcmcudWsgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSIw
 IAYJKoZIhvcNAQkBFhNjYUBkaXN0b3J0ZWQub3JnLnVrMIIBojANBgkqhkiG9w0B
 IAYJKoZIhvcNAQkBFhNjYUBkaXN0b3J0ZWQub3JnLnVrMIIBojANBgkqhkiG9w0B
-AQEFAAOCAY8AMIIBigKCAYEAuogkeDeiQosaA4goRtjcrTogui7Q/TuxCWRKYzXL
-/6vEszEZgADKZ7iQhj39LHLEMUCZAOjPTnJUmm6xEe0Lxd6diPIDk/HuOtlWTsvH
-XC7DQeTY06nNVLFD5E8k9BzWPRHxErSliUrVjpls74XKZCMHO/aR+obp21VfjSxf
-i90OAklZSjG5V2qX+VDkWvbfIFNPU7sBCPYsWQjba+654u/b9jUkEinnEElSgI6f
-0xaWlK5ovEDJp5oInH5P0MGuRbCK2qZgXSkGj6Ov7XIa78bPvys/wC8mMIVjBEth
-jCDaCvnBShBmv6v+70FV08mrKakDlPATCKIU8+hQxAExQWEG6RQTO1K7Ae8JQE8n
-eHtuE2FsJM6/YMAG64cxrACw8QpcO3KSOjzuimkiJa+HIV5HmGKGDityh619qXlf
-gDtSHPibCXLOmunSBz4eWNkcWz/jzE7vnVRFkYNqmZKaQrFU/2ed/EkCn7DNfTrR
-j1vTad266wjGfkqAWNYPEMU/AgMBAAGjgZgwgZUwDwYDVR0TAQH/BAUwAwEB/zAO
-BgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFHOcoWDishvQ8hAzwRGXc5puW6vKMB4G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 A1UdEQQXMBWBE2NhQGRpc3RvcnRlZC5vcmcudWswMwYDVR0fBCwwKjAooCagJIYi
 aHR0cDovL3d3dy5kaXN0b3J0ZWQub3JnLnVrL2NhL2NybDANBgkqhkiG9w0BAQsF
 A1UdEQQXMBWBE2NhQGRpc3RvcnRlZC5vcmcudWswMwYDVR0fBCwwKjAooCagJIYi
 aHR0cDovL3d3dy5kaXN0b3J0ZWQub3JnLnVrL2NhL2NybDANBgkqhkiG9w0BAQsF
-AAOCAYEAax+wSbwHJYp1RwO0hUfItpuTa3yqyRV069KBVxDibLZCSksYEYAEGx5n
-Y0FwobMqbOaCd52kg57w5McOVg/xHmH/oyfxS6qa/SenuhP5mra45m14/CshX2K3
-czo4lDBOgLcfhNwaaNr6mRkIw+B/0giLJcFp5dUkXjNMXMzSpycrAdo8UMNYZHP3
-f4gStW5B6weOxXnnPeHa5ps8yMS5knGhXQGVTpKe5X/tceQnPpcQ3l0aoTejH/D+
-Cf7Ocuf1oFxUGW/3YqjIZgl3bNhz2R3AzWXJvSeaihDcCx4I7DmZUIkvvMqiE1XG
-fyyW8StGz5xwMZ1/EXIYZ12nyQOnH2vMrKOu4i4BvX+jjcqqIHKcgYRbNMWTGr3n
-Uk8Amt3Drwqh5GSq2WKAzrnIVzgDVNDhrgypCdpEiDJYDVgfbfXIm2X+AldE6uGu
-Ql9jJLbymdjgPTVsZNr3fxz3MZakOJPKELzmv9iSrrziwd9XRWtxe9DqQ47Hh2F3
-FhcQAe9r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 -----END CERTIFICATE-----
 -----END CERTIFICATE-----
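Review bot: The CA trust anchor in certs/distorted-ca.cert is replaced outright (new serial, new 3072-bit modulus and Subject Key Identifier, validity Nov 30 2022 to Nov 27 2032), yet the commit title mentions only SSHFP records, so the page does not record how the new key was authenticated. If this page is a cumulative diff rather than a single change, the rollover may be documented elsewhere; otherwise it belongs in its own commit. The message should carry the fingerprint and how it was checked, for example `New CA certificate, SHA-256 fingerprint <FINGERPRINT-PLACEHOLDER>, verified against <SOURCE-PLACEHOLDER>`. The text dump and the PEM body are independent text in this file, so the dump should be regenerated from the PEM and not edited by hand, since a reader who trusts the dump is otherwise trusting unverified text.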
index 8201bc3..f255913 100644 (file)
@@ -71,6 +71,7 @@
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
        (national.ns :ip national)
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
        (national.ns :ip national)
+       (eggle.ns :ip eggle)
        #-view/inside (mythic-beasts-1.ns :ip mythic-ns1)
        #-view/inside (mythic-beasts-2.ns :ip mythic-ns2)
        #-view/inside (mythic-beasts-3.ns :ip mythic-ns3)
        #-view/inside (mythic-beasts-1.ns :ip mythic-ns1)
        #-view/inside (mythic-beasts-2.ns :ip mythic-ns2)
        #-view/inside (mythic-beasts-3.ns :ip mythic-ns3)
 
   ;; Mail servers.
   ((@ mail blackhole) :mx mail :srv ((:smtp mail)))
 
   ;; Mail servers.
   ((@ mail blackhole) :mx mail :srv ((:smtp mail)))
-  ((bugs) :ttl 300 :mx lists :srv ((:smtp bugs)))
-  ((lists) :ttl 300 :mx lists :srv ((:smtp lists)))
-
-  (stratocaster.20140403._domainkey
-   :dkim ("stratocaster-20140403"
-         :v "DKIM1" :k "rsa" :h "sha256" :s "email"))
+  (bugs :mx lists :srv ((:smtp bugs)))
+  (lists :mx lists :srv ((:smtp lists)))
+  (_dmarc :dmarc (:v "DMARC1"
+                 :p "quarantine" :sp "quarantine"
+                 :adkim "s" :aspf "s"))
+  ((_domainkey _domainkey.mail) :dname stratocaster.dkim)
+  ((stratocaster @ mail) :spf ((:version "spf1")
+                              (:pass :ip stratocaster.dmz)
+                              (:soft :all)))
+  ((_domainkey.bugs _domainkey.lists) :dname telecaster.dkim)
+  ((telecaster bugs lists) :spf ((:version "spf1")
+                                (:pass :ip telecaster.dmz)
+                                (:soft :all)))
 
   ;; Anycast services.
   (dns0 :anycast ((any dns0.any) (dmz radius.dmz)
 
   ;; Anycast services.
   (dns0 :anycast ((any dns0.any) (dmz radius.dmz)
 
   ;; Virtual hosts.
   (national :abbrev n (linode :abbrev nl) (upn :abbrev ny))
 
   ;; Virtual hosts.
   (national :abbrev n (linode :abbrev nl) (upn :abbrev ny))
-  (national (linode :addr national.linode)
-           (upn :addr national.upn))
+  (national (linode :addr national.linode :sshfp "national")
+           (upn :addr national.upn :sshfp "national"))
+  (eggle :abbrev e (jump :abbrev ej) (upn :abbrev ey))
+  (eggle (jump :addr eggle.jump :sshfp "eggle")
+        (upn :addr eggle.upn :sshfp "eggle"))
   (mdwdev (upn :addr mdwdev.upn))
 
   ;; Nicko's servers.
   (mdwdev (upn :addr mdwdev.upn))
 
   ;; Nicko's servers.
   (lunch :alias ap1)
   (lunch (safe :addr lunch.safe))
 
   (lunch :alias ap1)
   (lunch (safe :addr lunch.safe))
 
-  ;; Printer.
+  ;; Printer and scanner.
   (burntaxe :alias lp0)
   (burntaxe (safe :addr burntaxe.safe))
   (burntaxe :alias lp0)
   (burntaxe (safe :addr burntaxe.safe))
+  (unicorn :alias scan0)
+  (unicorn (safe :addr unicorn.safe))
 
   ;; Switches.
   (grigsby :alias tp0)
 
   ;; Switches.
   (grigsby :alias tp0)
 
   ;; Delegations.
   (dhcp :ns ((radius.ns.dhcp :ip radius)
 
   ;; Delegations.
   (dhcp :ns ((radius.ns.dhcp :ip radius)
-            (vampire.ns.dhcp :ip vampire)
             (precision.ns.dhcp :ip precision)
             (telecaster.ns.dhcp :ip telecaster)
             (precision.ns.dhcp :ip precision)
             (telecaster.ns.dhcp :ip telecaster)
-            (national.ns.dhcp :ip national))
+            (national.ns.dhcp :ip national)
+            (eggle.ns.dhcp :ip eggle))
        :ds ((55966 :rsasha256 :sha1
             "95b05c1f4e84f950f29630004bac447f8a87ca33")
             (55966 :rsasha256 :sha256
              #.(concatenate 'string "31696bf54b577362b2eb75793adeb9ec"
                                     "2e8440ec671371b35d8d978cd9ca3007"))))
   (dyn :ns ((radius.ns.dyn :ip radius)
        :ds ((55966 :rsasha256 :sha1
             "95b05c1f4e84f950f29630004bac447f8a87ca33")
             (55966 :rsasha256 :sha256
              #.(concatenate 'string "31696bf54b577362b2eb75793adeb9ec"
                                     "2e8440ec671371b35d8d978cd9ca3007"))))
   (dyn :ns ((radius.ns.dyn :ip radius)
-           (vampire.ns.dyn :ip vampire)
            (precision.ns.dyn :ip precision)
            (telecaster.ns.dyn :ip telecaster)
            (precision.ns.dyn :ip precision)
            (telecaster.ns.dyn :ip telecaster)
-           (national.ns.dyn :ip national))
+           (national.ns.dyn :ip national)
+           (eggle.ns.dyn :ip eggle))
        :ds ((11335 :rsasha256 :sha1
            "7ed2b843b0bfb38ceca68617dfacbeafab1d1ea9")
            (11335 :rsasha256 :sha256
        :ds ((11335 :rsasha256 :sha1
            "7ed2b843b0bfb38ceca68617dfacbeafab1d1ea9")
            (11335 :rsasha256 :sha256
   (dnserr :ns ((radius.ns.dnserr :ip radius.dmz)
               (precision.ns.dnserr :ip precision.dmz)
               (telecaster.ns.dnserr :ip telecaster.dmz)
   (dnserr :ns ((radius.ns.dnserr :ip radius.dmz)
               (precision.ns.dnserr :ip precision.dmz)
               (telecaster.ns.dnserr :ip telecaster.dmz)
-              (national.ns.dnserr :ip national.linode))
+              (national.ns.dnserr :ip national.linode)
+              (eggle.ns.dnserr :ip eggle.jump))
          :ds ((40945 :rsasha256 :sha1
                "f35b5d0b877b940e63ad1b3afc21d6ba83cd1b3b")
               (40945 :rsasha256 :sha256
                #.(concatenate 'string "fb171d206d4d64c5a7a6c290ce6e20df"
                                       "44f1db7f41e2260f1fe8d7c55d524c11"))))
          :ds ((40945 :rsasha256 :sha1
                "f35b5d0b877b940e63ad1b3afc21d6ba83cd1b3b")
               (40945 :rsasha256 :sha256
                #.(concatenate 'string "fb171d206d4d64c5a7a6c290ce6e20df"
                                       "44f1db7f41e2260f1fe8d7c55d524c11"))))
-  (io :ns ((ns.io :ip jazz.dmz))))
+  (stratocaster.dkim
+   :ns ((radius.ns.stratocaster.dkim :ip radius.dmz)
+       (precision.ns.stratocaster.dkim :ip precision.dmz)
+       (telecaster.ns.stratocaster.dkim :ip telecaster.dmz)
+       (national.ns.stratocaster.dkim :ip national.linode)
+       (eggle.ns.stratocaster.dkim :ip eggle.jump)
+       (mythic-beasts-1.ns.stratocaster.dkim :ip mythic-ns1)
+       (mythic-beasts-2.ns.stratocaster.dkim :ip mythic-ns2)
+       (mythic-beasts-3.ns.stratocaster.dkim :ip mythic-ns3))
+   :ds ((24577 :rsasha256 :sha1
+        "d06847c01e19098509a8d07a9aafaceff532c9c7")
+       (24577 :rsasha256 :sha256
+        #.(concatenate 'string "a40cdb1c633041cfbc1b80a400cff527"
+                               "2cad051915fc0cd40296a2d4590b9d2b"))))
+  (telecaster.dkim
+   :ns ((radius.ns.telecaster.dkim :ip radius.dmz)
+       (precision.ns.telecaster.dkim :ip precision.dmz)
+       (telecaster.ns.telecaster.dkim :ip telecaster.dmz)
+       (national.ns.telecaster.dkim :ip national.linode)
+       (eggle.ns.telecaster.dkim :ip eggle.jump)
+       (mythic-beasts-1.ns.telecaster.dkim :ip mythic-ns1)
+       (mythic-beasts-2.ns.telecaster.dkim :ip mythic-ns2)
+       (mythic-beasts-3.ns.telecaster.dkim :ip mythic-ns3))
+   :ds ((38896 :rsasha256 :sha1
+        "2c2daea658784e22c46bf9e86da67def1e34cf40")
+       (38896 :rsasha256 :sha256
+        #.(concatenate 'string "66997571c7d47f912caa65f2154ecd37"
+                               "5b9d391e3ed44d79ac35eef59264e521"))))
+  (io :ns ((ns.io :ip jazz.dmz)))
+  (play :ns (radius.ns precision.ns telecaster.ns national.ns eggle.jump)))
 
 ;;;--------------------------------------------------------------------------
 ;;; Other subsidiary zones.
 
 
 ;;;--------------------------------------------------------------------------
 ;;; Other subsidiary zones.
 
+#+view/outside
 (defzone dhcp.distorted.org.uk
 (defzone dhcp.distorted.org.uk
-  :ns ((radius.ns :ip radius.dmz)
-       (precision.ns :ip precision.dmz)
-       (telecaster.ns :ip telecaster.dmz)
-       (national.ns :ip national.linode))
+  :ns ((radius.ns :ip radius)
+       (precision.ns :ip precision)
+       (telecaster.ns :ip telecaster)
+       (national.ns :ip national)
+       (eggle.ns :ip eggle))
   (gibson :addr gibson.unsafe)
   (crybaby :addr crybaby.unsafe)
   (lespaul :addr lespaul.unsafe)
   (gibson :addr gibson.unsafe)
   (crybaby :addr crybaby.unsafe)
   (lespaul :addr lespaul.unsafe)
   (invader :addr invader.safe)
   (marauder :addr marauder.safe))
 
   (invader :addr invader.safe)
   (marauder :addr marauder.safe))
 
-(defzone dyn.distorted.org.uk
+#+view/outside
+(defzone (dyn.distorted.org.uk :source telecaster.distorted.org.uk.)
   :ns ((radius.ns :ip radius)
   :ns ((radius.ns :ip radius)
-       (vampire.ns :ip vampire)
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
-       (national.ns :ip national)))
+       (national.ns :ip national)
+       (eggle.ns :ip eggle)))
 
 (defzone nicko.org
 
 (defzone nicko.org
-  (richmond :addr richmond.dmz))
+  (richmond :addr richmond.dmz)
+  (marshall :addr marshall.dmz))
+
+#+view/outside
+(defzone stratocaster.dkim.distorted.org.uk
+  :ns ((radius.ns :ip radius)
+       (precision.ns :ip precision)
+       (telecaster.ns :ip telecaster)
+       (national.ns :ip national)
+       (eggle.ns :ip eggle)
+       (mythic-beasts-1.ns :ip mythic-ns1)
+       (mythic-beasts-2.ns :ip mythic-ns2)
+       (mythic-beasts-3.ns :ip mythic-ns3)))
+#+view/outside
+(defzone telecaster.dkim.distorted.org.uk
+  :ns ((radius.ns :ip radius)
+       (precision.ns :ip precision)
+       (telecaster.ns :ip telecaster)
+       (national.ns :ip national)
+       (eggle.ns :ip eggle)
+       (mythic-beasts-1.ns :ip mythic-ns1)
+       (mythic-beasts-2.ns :ip mythic-ns2)
+       (mythic-beasts-3.ns :ip mythic-ns3)))
 
 (defrevzone trusted
   :ns (radius.distorted.org.uk.
 
 (defrevzone trusted
   :ns (radius.distorted.org.uk.
-       vampire.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
-       national.distorted.org.uk.)
+       national.distorted.org.uk.
+       eggle.distorted.org.uk.)
   :reverse unsafe
   :reverse unsafe
+  :reverse safe
   :reverse vpn
   :reverse its
   :reverse any
   (dhcp :ns (radius.distorted.org.uk.
   :reverse vpn
   :reverse its
   :reverse any
   (dhcp :ns (radius.distorted.org.uk.
-            vampire.distorted.org.uk.
             precision.distorted.org.uk.
             telecaster.distorted.org.uk.
             national.distorted.org.uk.))
             precision.distorted.org.uk.
             telecaster.distorted.org.uk.
             national.distorted.org.uk.))
-  :multi (((dhcp safe) :family :ipv4 :suffix "199.29.172.dhcp") :cname *))
+  :multi (((unsafe-dhcp01 unsafe-dhcp1x safe-dhcp011 safe-dhcp1xx)
+          :family :ipv4 :suffix "199.29.172.dhcp") :cname *))
 
 
+#+view/outside
 (defzone dhcp.199.29.172.in-addr.arpa
   :ns (radius.distorted.org.uk.
 (defzone dhcp.199.29.172.in-addr.arpa
   :ns (radius.distorted.org.uk.
-       vampire.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
-       national.distorted.org.uk.))
+       national.distorted.org.uk.
+       eggle.distorted.org.uk.))
 
 (defrevzone untrusted
   :ns (radius.distorted.org.uk.
 
 (defrevzone untrusted
   :ns (radius.distorted.org.uk.
-       vampire.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
-       national.distorted.org.uk.))
+       national.distorted.org.uk.
+       eggle.distorted.org.uk.))
 
 (defzone 128-143.238.187.81.in-addr.arpa
   :ns (radius.distorted.org.uk.
 
 (defzone 128-143.238.187.81.in-addr.arpa
   :ns (radius.distorted.org.uk.
-       vampire.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        national.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        national.distorted.org.uk.
+       eggle.distorted.org.uk.
        secondary-dns.co.uk.)
   :reverse ((((:ipv4 dmz)))))
 
 (defzone 64-79.12.169.217.in-addr.arpa
   :ns (radius.distorted.org.uk.
        secondary-dns.co.uk.)
   :reverse ((((:ipv4 dmz)))))
 
 (defzone 64-79.12.169.217.in-addr.arpa
   :ns (radius.distorted.org.uk.
-       vampire.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        national.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        national.distorted.org.uk.
+       eggle.distorted.org.uk.
        secondary-dns.co.uk.)
   :reverse ((((:ipv4 dmz1)))))
 
 (defzone 195.113.2.81.in-addr.arpa
   :ns (radius.distorted.org.uk.
        secondary-dns.co.uk.)
   :reverse ((((:ipv4 dmz1)))))
 
 (defzone 195.113.2.81.in-addr.arpa
   :ns (radius.distorted.org.uk.
-       vampire.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        national.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        national.distorted.org.uk.
+       eggle.distorted.org.uk.
        secondary-dns.co.uk.)
   :reverse ((((:ipv4 gw)))))
 
 (defrevzone (distorted.org.uk-aaisp :family :ipv6)
   :ns (radius.distorted.org.uk.
        secondary-dns.co.uk.)
   :reverse ((((:ipv4 gw)))))
 
 (defrevzone (distorted.org.uk-aaisp :family :ipv6)
   :ns (radius.distorted.org.uk.
-       vampire.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        national.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        national.distorted.org.uk.
+       eggle.distorted.org.uk.
        secondary-dns.co.uk.)
   (0.7.3.6.8.6.4.6.1.0.0.0 :ns (radius.distorted.org.uk.
        secondary-dns.co.uk.)
   (0.7.3.6.8.6.4.6.1.0.0.0 :ns (radius.distorted.org.uk.
-                               vampire.distorted.org.uk.
                                precision.distorted.org.uk.
                                telecaster.distorted.org.uk.
                                precision.distorted.org.uk.
                                telecaster.distorted.org.uk.
-                               national.distorted.org.uk.))
+                               national.distorted.org.uk.
+                               eggle.distorted.org.uk.))
   :reverse ((((:ipv6 distorted.org.uk-aaisp)))))
 
   :reverse ((((:ipv6 distorted.org.uk-aaisp)))))
 
-(defrevzone (dhcp :family :ipv6)
+(defrevzone jump-ipv6
+  :ns (radius.distorted.org.uk.
+       precision.distorted.org.uk.
+       telecaster.distorted.org.uk.
+       national.distorted.org.uk.
+       eggle.distorted.org.uk.)
+  :reverse ((((:ipv6 jump-ipv6)))))
+
+(defrevzone (unsafe-dhcp :family :ipv6)
   :ns (radius.distorted.org.uk.
   :ns (radius.distorted.org.uk.
-       vampire.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
        precision.distorted.org.uk.
        telecaster.distorted.org.uk.
-       national.distorted.org.uk.))
+       national.distorted.org.uk.
+       eggle.distorted.org.uk.))
+
+(defrevzone (safe-dhcp :family :ipv6)
+  :ns (radius.distorted.org.uk.
+       precision.distorted.org.uk.
+       telecaster.distorted.org.uk.
+       national.distorted.org.uk.
+       eggle.distorted.org.uk.))
 
 
+#+view/outside
 (defzone io.distorted.org.uk
   :ns ((ns :ip jazz.dmz))
   (about :txt "Fake zone used for IP-over-DNS tunnelling."))
 (defzone io.distorted.org.uk
   :ns ((ns :ip jazz.dmz))
   (about :txt "Fake zone used for IP-over-DNS tunnelling."))
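Review bot: The NS sets touched in this file no longer agree with each other. Inside `defrevzone trusted` the `dhcp` delegation loses `vampire.distorted.org.uk.` but does not gain `eggle.distorted.org.uk.`, while the `dhcp.199.29.172.in-addr.arpa` zone now lists eggle, so if that is the zone being delegated, parent and child would publish different NS sets. The new `play` delegation also ends in `eggle.jump` where every sibling entry is a `*.ns` name; unless that is deliberate it should read `eggle.ns`. Separately, the new `stratocaster.dkim` and `telecaster.dkim` delegations publish a `:sha1` DS digest next to the `:sha256` one, and RFC 8624 says SHA-1 DS digests must not be generated for delegations, so the new entries could carry only the `:sha256` form. The enclosing `defzone` forms start outside the hunks shown, so whether any of this is handled elsewhere cannot be confirmed from this page.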
index e2f542d..99641bf 100644 (file)
@@ -13,6 +13,7 @@
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
        (national.ns :ip national)
        (precision.ns :ip precision)
        (telecaster.ns :ip telecaster)
        (national.ns :ip national)
+       (eggle.ns :ip eggle)
        (mythic-beasts-1.ns :ip mythic-ns1)
        (mythic-beasts-2.ns :ip mythic-ns2)
        (mythic-beasts-3.ns :ip mythic-ns3))
        (mythic-beasts-1.ns :ip mythic-ns1)
        (mythic-beasts-2.ns :ip mythic-ns2)
        (mythic-beasts-3.ns :ip mythic-ns3))
   ;; Mail servers
   :mx ((mail :ip stratocaster))
   :srv ((:smtp mail))
   ;; Mail servers
   :mx ((mail :ip stratocaster))
   :srv ((:smtp mail))
-
-  (stratocaster.20140403._domainkey
-   :dkim ("stratocaster-20140403"
-         :v "DKIM1" :k "rsa" :h "sha256" :s "email")))
+  :spf ((:version "spf1")
+       (:pass :ip stratocaster.dmz)
+       (:soft :all))
+  (_dmarc :dmarc (:v "DMARC1"
+                 :p "quarantine" :sp "quarantine"
+                 :adkim "s" :aspf "s"))
+  (_domainkey :dname stratocaster.dkim.distorted.org.uk.))
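Review bot: The new `_dmarc` record sets `:p "quarantine"` with strict alignment (`:adkim "s" :aspf "s"`) but carries no `rua` tag, so receivers have nowhere to send aggregate reports and legitimate mail that fails alignment (forwarders, mailing lists) would be quarantined without the domain owner seeing it. If the `:dmarc` form accepts further tags, something like `:rua "mailto:<dmarc-reports-address>"` (placeholder address) would close that gap. The same hunk replaces the explicit `stratocaster.20140403._domainkey` key with a `:dname` at `_domainkey`, so every selector now resolves under stratocaster.dkim.distorted.org.uk; that target is not defined in this file, and it is worth confirming that the old selector still resolves there before deploying. The odin.lisp section carries the identical block and the same points apply; the enclosing zone form starts outside both hunks.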
index 66c3f46..ceb3ae7 100644 (file)
     (hippo "144/28")
     (upn "160/27"))
   (trusted "199.0/24"
     (hippo "144/28")
     (upn "160/27"))
   (trusted "199.0/24"
-    (wired "0/25"
-      (unsafe "0/27")
-      (dhcp "32/27"))
+    (unsafe "0/25"
+      (unsafe-static00 "0/27")
+      (unsafe-dhcp01 "32/27")
+      (unsafe-dhcp1x "64/26"))
     (vpn "128/27")
     (its "160/30")
     (vpn "128/27")
     (its "160/30")
-    (safe "192/27")
+    (safe "192/27"
+      (safe-static00x "192/29")
+      (safe-static010 "200/30")
+      (safe-dhcp011 "204/30")
+      (safe-dhcp1xx "208/28"))
     (any "224/27")))
 
 ;; Externally routable DMZ from Andrews and Arnold.
     (any "224/27")))
 
 ;; Externally routable DMZ from Andrews and Arnold.
 (defnet dmz1 "217.169.12.64/28")
 (defnet distorted.org.uk-aaisp "2001:8b0:c92/48"
   (unsafe "1/64"
 (defnet dmz1 "217.169.12.64/28")
 (defnet distorted.org.uk-aaisp "2001:8b0:c92/48"
   (unsafe "1/64"
-    (dhcp "6468:6370/96"))
+    (unsafe-dhcp "6468:6370/96"))
   (any "0/64")
   (dmz "fff/64")
   (any "0/64")
   (dmz "fff/64")
-  (safe "4001/64")
+  (safe "4001/64"
+    (safe-dhcp "6468:6370/96"))
   (vpn "6000/64")
   (untrusted "8001/64")
   (upn "a000/64"))
 
   (vpn "6000/64")
   (untrusted "8001/64")
   (upn "a000/64"))
 
+(defnet jump-ipv6 "2001:ba8:1d9/48")
+
 ;;;--------------------------------------------------------------------------
 ;;; Host allocations
 
 ;;;--------------------------------------------------------------------------
 ;;; Host allocations
 
 (defhost richmond.dmz ((:ipv4 dmz1 12) (:ipv6 dmz "::1:1")))
 (defhost blackhole.dmz ((:ipv4 dmz1 14) (:ipv6 dmz "::ffff")))
 
 (defhost richmond.dmz ((:ipv4 dmz1 12) (:ipv6 dmz "::1:1")))
 (defhost blackhole.dmz ((:ipv4 dmz1 14) (:ipv6 dmz "::ffff")))
 
+;; Jump virtual hosts.
+(defhost eggle.jump ((:ipv4 "185.73.44.143")
+                    (:ipv6 jump-ipv6 "8002::1")))
+
 ;; Linode virtual hosts.
 (defhost national.linode ((:ipv4 "45.33.118.239")
                          (:ipv6 "2600:3c00::f03c:91ff:fe3b:d7c1")))
 ;; Linode virtual hosts.
 (defhost national.linode ((:ipv4 "45.33.118.239")
                          (:ipv6 "2600:3c00::f03c:91ff:fe3b:d7c1")))
 (defhost lespaul.unsafe ((:ipv6 unsafe "a00:27ff:fef5:aaef")))
 (defhost haze.unsafe ((:ipv6 unsafe "5056:a8ff:fe01:5654")))
 (defhost gretsch.unsafe ((:ipv6 unsafe "3a2c:4aff:fe6d:e768")))
 (defhost lespaul.unsafe ((:ipv6 unsafe "a00:27ff:fef5:aaef")))
 (defhost haze.unsafe ((:ipv6 unsafe "5056:a8ff:fe01:5654")))
 (defhost gretsch.unsafe ((:ipv6 unsafe "3a2c:4aff:fe6d:e768")))
+(defhost spirit.unsafe ((:ipv6 unsafe "568d:5aff:fed9:18b8")))
 (defhost invader.safe ((:ipv6 safe "a00:27ff:fe94:a5d7")))
 (defhost marauder.safe ((:ipv6 safe "a00:27ff:fe6a:7846")))
 (defhost invader.safe ((:ipv6 safe "a00:27ff:fe94:a5d7")))
 (defhost marauder.safe ((:ipv6 safe "a00:27ff:fe6a:7846")))
-(defhost spirit.unsafe ((:ipv6 unsafe "568d:5aff:fed9:18b8")))
+(defhost unicorn.safe ((:ipv6 safe "20e:c6ff:fe90:a926")))
 
 ;; Safe network.
 (defhost radius.safe (safe 1))
 
 ;; Safe network.
 (defhost radius.safe (safe 1))
 (defhost kitkat.safe (safe 7))
 (defhost lunch.safe (safe 8))
 (defhost burntaxe.safe (safe 9))
 (defhost kitkat.safe (safe 7))
 (defhost lunch.safe (safe 8))
 (defhost burntaxe.safe (safe 9))
+(defhost unicorn.safe ((:ipv4 safe 10)))
 
 ;; Wireless network.
 (defhost radius.untrusted (untrusted 1))
 
 ;; Wireless network.
 (defhost radius.untrusted (untrusted 1))
 ;; Untrusted private network.
 (defhost national.upn ((:ipv4 upn 1) (:ipv6 upn "::1:1")))
 (defhost mdwdev.upn ((:ipv4 upn 2) (:ipv6 upn "::2:1")))
 ;; Untrusted private network.
 (defhost national.upn ((:ipv4 upn 1) (:ipv6 upn "::1:1")))
 (defhost mdwdev.upn ((:ipv4 upn 2) (:ipv6 upn "::2:1")))
+(defhost eggle.upn ((:ipv4 upn 3) (:ipv6 upn "::3:1")))
 
 ;; Iodine network.
 (defhost jazz.iodine (iodine 1))
 
 ;; Iodine network.
 (defhost jazz.iodine (iodine 1))
    (defhost precision precision.unsafe)
    (defhost telecaster telecaster.unsafe)
    (defhost stratocaster stratocaster.unsafe)
    (defhost precision precision.unsafe)
    (defhost telecaster telecaster.unsafe)
    (defhost stratocaster stratocaster.unsafe)
-   (defhost national national.upn))
+   (defhost national national.upn)
+   (defhost eggle eggle.upn))
   (t
    (defhost radius radius.dmz)
    (defhost vampire vampire.dmz)
    (defhost precision precision.dmz)
    (defhost telecaster telecaster.dmz)
    (defhost stratocaster stratocaster.dmz)
   (t
    (defhost radius radius.dmz)
    (defhost vampire vampire.dmz)
    (defhost precision precision.dmz)
    (defhost telecaster telecaster.dmz)
    (defhost stratocaster stratocaster.dmz)
-   (defhost national national.linode)))
+   (defhost national national.linode)
+   (defhost eggle eggle.jump)))
 
 (defhost marshall marshall.dmz)
 (defhost mdwdev mdwdev.upn)
 
 (defhost marshall marshall.dmz)
 (defhost mdwdev mdwdev.upn)
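Review bot: `unicorn.safe` is now defined by two separate `defhost` forms, `((:ipv6 safe "20e:c6ff:fe90:a926"))` in the IPv6 list and `((:ipv4 safe 10))` under "Safe network", while the other new dual-stack host, `eggle.upn`, gets a single form. Whether a second `defhost` for the same name merges with or replaces the first is not visible here, so a one-line comment at each site pointing to the other, e.g. `;; unicorn.safe: IPv4 address is assigned under "Safe network" below`, would keep the two from drifting apart. The hunk headers for this section are missing from the page, so the surrounding forms cannot be checked.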
diff --git a/keys/eggle.sshfp b/keys/eggle.sshfp
new file mode 100644 (file)
index 0000000..49d1df7
--- /dev/null
@@ -0,0 +1,6 @@
+eggle.distorted.org.uk IN SSHFP 1 1 5ef4af37b665742bc38106d47ec15bc2e458a877
+eggle.distorted.org.uk IN SSHFP 1 2 b1a0b8d04063fb534a8f4e288180022764177f36b1a0fd7fe2c73609e200f8ef
+eggle.distorted.org.uk IN SSHFP 3 1 838184b51c58bb63744214b2adbda987a6a109ba
+eggle.distorted.org.uk IN SSHFP 3 2 2f7aba6476fdda44c08a4837563daa27eb423f922669d31cc85044ddc4e6cece
+eggle.distorted.org.uk IN SSHFP 4 1 881ea2d8f9f7586343bbeaaeb39e0ea8403fcf6f
+eggle.distorted.org.uk IN SSHFP 4 2 cddaa38cfe619b37ea72eb6f67a9efb216756f096a57e1cb9655da9df74a3589
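Review bot: Each key algorithm here is published twice, once with fingerprint type 1 (SHA-1) and once with type 2 (SHA-256). The SHA-1 lines (`SSHFP 1 1`, `SSHFP 3 1`, `SSHFP 4 1`) cover nothing that the SHA-256 lines do not, and dropping them leaves only the stronger digest for verifiers to match; keys/national.sshfp has the same pairs. These records only help a client that receives them in DNSSEC-validated answers, and whether this zone is signed is not visible in this commit.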
diff --git a/keys/national.sshfp b/keys/national.sshfp
new file mode 100644 (file)
index 0000000..a1160e8
--- /dev/null
@@ -0,0 +1,6 @@
+eggle.distorted.org.uk IN SSHFP 1 1 28722d97ca14f828209913c209c98c180faf2621
+eggle.distorted.org.uk IN SSHFP 1 2 5545af15ff0fc48125f07bc918940b029fb45f3fc191f78862b7540d2fb5efc3
+eggle.distorted.org.uk IN SSHFP 3 1 8c5e4ca17f08ce022453e275824f249792cdd0fe
+eggle.distorted.org.uk IN SSHFP 3 2 009383f5f15123d6bec391251b0e27e62825657826eac34552c2829c923566ac
+eggle.distorted.org.uk IN SSHFP 4 1 466f6c190513497c590b91eea1050bd0cc478ac4
+eggle.distorted.org.uk IN SSHFP 4 2 c3d35c3eb5515a02d34ce57d22df7cd77cc7077f89b52f2339dd2cd3fdd94407
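Review bot: All six records in keys/national.sshfp use the owner name `eggle.distorted.org.uk`, although the file is named for national and its fingerprints differ from those in keys/eggle.sshfp. If the zone build takes the owner name from the record text (not visible here), eggle's SSHFP set would vouch for a second host's keys while national would publish none, so a client with DNS host-key verification enabled would accept either key set for eggle. The owner on each line should presumably read `national.distorted.org.uk IN SSHFP ...`. Regenerating the file for the right hostname and comparing it with the host's actual keys before publishing would confirm this.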
index f17fc24..fc921ca 100644 (file)
--- a/odin.lisp
+++ b/odin.lisp
@@ -12,7 +12,8 @@
   :ns ((radius-ns :ip radius)
        (precision-ns :ip precision)
        (telecaster-ns :ip telecaster)
   :ns ((radius-ns :ip radius)
        (precision-ns :ip precision)
        (telecaster-ns :ip telecaster)
-       (national-ns :ip national))
+       (national-ns :ip national)
+       (eggle-ns :ip eggle))
 
   ;; Web service.
   ((@ www) :svc stratocaster
 
   ;; Web service.
   ((@ www) :svc stratocaster
   ;; Mail servers
   :mx ((mail :ip stratocaster))
   :srv ((:smtp mail))
   ;; Mail servers
   :mx ((mail :ip stratocaster))
   :srv ((:smtp mail))
-
-  (stratocaster.20140403._domainkey
-   :dkim ("stratocaster-20140403"
-         :v "DKIM1" :k "rsa" :h "sha256" :s "email")))
+  :spf ((:version "spf1")
+       (:pass :ip stratocaster.dmz)
+       (:soft :all))
+  (_dmarc :dmarc (:v "DMARC1"
+                 :p "quarantine" :sp "quarantine"
+                 :adkim "s" :aspf "s"))
+  (_domainkey :dname stratocaster.dkim.distorted.org.uk.))