From 99a5b167910c19e0de1fa408923298b4c37f7728 Mon Sep 17 00:00:00 2001 From: Alex Dehnert Date: Mon, 31 Jul 2023 21:54:27 +0000 Subject: [PATCH] Migrate zulip to chankillo and fix DNS issues - Update `zulip` DNS to point at chankillo and support the DNS-01 challenge for wildcard certs - MxToolbox identifies some issues, and they mostly seem fairly harmless, but also fairly harmless to fix, and making MxToolbox alerting more useful is good: - Use ns1, not ns, as the primary nameserver in the zone - Remove Linode nameserver that shares a subnet with another one - Remove ns3 (olinda), which isn't running right now and is on the same subnet as ns1 (chankillo) --- named.conf.chankillo | 1 + pri/combined-dehnerts.zone | 13 +++++++------ 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/named.conf.chankillo b/named.conf.chankillo
index 0786a25..26de59e 100644
--- a/named.conf.chankillo
+++ b/named.conf.chankillo
@@ -13,6 +13,7 @@ zone "dynamic.dehnerts.com" IN {
 grant chankillo.dynamic.dehnerts.com name _acme-challenge.smtp.dynamic.dehnerts.com TXT;
 grant chankillo.dynamic.dehnerts.com name _acme-challenge.imap.dynamic.dehnerts.com TXT;
 grant chankillo.dynamic.dehnerts.com name _acme-challenge.pop.dynamic.dehnerts.com TXT;
+ grant chankillo.dynamic.dehnerts.com name _acme-challenge.zulip.dynamic.dehnerts.com TXT;
 };
 allow-transfer { "transfer-allowed"; };
 allow-query { any; };
diff --git a/pri/combined-dehnerts.zone b/pri/combined-dehnerts.zone
index 109a01d..e89c191 100644
--- a/pri/combined-dehnerts.zone
+++ b/pri/combined-dehnerts.zone
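Review bot: The added `grant ... _acme-challenge.zulip.dynamic.dehnerts.com TXT;` line in named.conf.chankillo carries no comment, and unlike the smtp/imap/pop entries it backs a wildcard: going by the commit message and the `_acme-challenge.zulip` CNAME added in pri/combined-dehnerts.zone, a TXT update at this one name satisfies DNS-01 for both `zulip.dehnerts.com` and `*.zulip.dehnerts.com`. The grant is scoped to a single name and the TXT type, which is the right shape, so the remaining exposure is the chankillo update key itself, which now controls four challenge names. I would add a comment above the line such as `// DNS-01 for zulip and *.zulip (wildcard); target of the _acme-challenge.zulip CNAME in pri/combined-dehnerts.zone`. The enclosing block (presumably `update-policy`) opens above the hunk, so any header comment it already has is not visible here.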
@@ -1,19 +1,19 @@ $TTL 300 -@ IN SOA ns root ( - 2023072706 ; Serial +@ IN SOA ns1 root ( + 2023073101 ; Serial 4h ; slave refresh 15m ; slave retry time in case of a problem 4w ; slave expiration time 300 ; maximum caching time in case of failed lookups (5 minutes) ) IN NS ns1.dehnerts.com. - IN NS ns3.dehnerts.com. IN NS ns1.sipb.org. IN NS ns1.linode.com. IN NS ns2.linode.com. IN NS ns3.linode.com. IN NS ns4.linode.com. - IN NS ns5.linode.com. + ; Same subnet as ns2, which mxtoolbox.com thinks is bad + ;IN NS ns5.linode.com. IN A 18.18.208.22 IN MX 10 smtp ; IN MX 20 adehnert3.xvm.mit.edu. @@ -116,8 +116,9 @@ adehnert-test-d IN CNAME adehnert-test-d.mit.edu. _acme-challenge.adehnert-test-d IN CNAME _acme-challenge.adehnert-test-d.dynamic ; Zulip -zulip IN CNAME olinda -*.zulip IN CNAME olinda +zulip IN CNAME chankillo +_acme-challenge.zulip IN CNAME _acme-challenge.zulip.dynamic +*.zulip IN CNAME chankillo em3230.zulip IN CNAME u22946278.wl029.sendgrid.net. s1._domainkey.zulip IN CNAME s1.domainkey.u22946278.wl029.sendgrid.net. s2._domainkey.zulip IN CNAME s2.domainkey.u22946278.wl029.sendgrid.net. -- 2.34.1
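Review bot: Dropping `ns3.dehnerts.com.` and commenting out `ns5.linode.com.` in the NS set of the first pri/combined-dehnerts.zone hunk changes only the zone's own view; the delegation and glue at the parent are not part of this patch. If the registrar still lists ns3, resolvers keep being referred to a host the commit message says is not running, and a delegation left pointing at an address the operator no longer controls becomes a takeover risk if that address is ever reassigned. It is also worth confirming that the transfer ACL and any notify list for this zone (defined outside the patch; named.conf.chankillo shows a `transfer-allowed` ACL for the dynamic zone) no longer include the removed servers. ns5 gets an explanatory comment but ns3 is deleted silently; a matching line such as `; ns3 (olinda) removed 2023-07-31: offline, same subnet as ns1` would keep the reasoning in the zone file.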