git.openstreetmap.org Git - dns.git/blob - src/openstreetmap.js
Add atproto verification for operations.openstreetmap.org
1 D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER),
    // Zone definition: every record below is one argument of this single D() call.
    // DOMAIN, REGISTRAR, PROVIDER, IPV4, IPV6, QUALIFY and osm_web_service are
    // referenced here but defined outside this listing.
2
3   // Publish CAA records indicating that only letsencrypt and globalsign (Fastly) should issue certificates
    // issue and issuewild list the same two CAs, so either may also issue wildcard certificates.
    // iodef gives CAs a contact address for reporting requests that violate this policy.
    // CAA names the permitted CA only; it does not tie issuance to a specific account at
    // that CA unless an accounturi parameter (RFC 8657) is added to the issue value.
4
5   CAA_BUILDER({
6     label: "@",
7     ttl: "1h",
8     iodef: "mailto:hostmaster@openstreetmap.org",
9     issue: [
10       "letsencrypt.org",
11       "globalsign.com",   // Used by Fastly for CDN certificates
12     ],
13     issuewild: [
14       "letsencrypt.org",
15       "globalsign.com",   // Used by Fastly for CDN certificates
16     ],
17   }),
18
19   // Mail service
     // The zone apex and five subdomains all use a.mx as their only MX, at preference 10.
     // a.mx, mail and mta-sts resolve to the same host, fafnir (addresses come from the IPV4/IPV6 tables).
     // mta-sts is the host name RFC 8461 senders contact over HTTPS to fetch the MTA-STS policy file.
20
21   MX("@", 10, QUALIFY("a.mx")),
22   MX("messages", 10, QUALIFY("a.mx")),
23   MX("noreply", 10, QUALIFY("a.mx")),
24   MX("otrs", 10, QUALIFY("a.mx")),
25   MX("community", 10, QUALIFY("a.mx")),
26   MX("supporting", 10, QUALIFY("a.mx")),
27
28   A("a.mx", IPV4["fafnir"]),
29   AAAA("a.mx", IPV6["fafnir"]),
30   A("mail", IPV4["fafnir"]),
31   AAAA("mail", IPV6["fafnir"]),
32   A("mta-sts", IPV4["fafnir"]),
33   AAAA("mta-sts", IPV6["fafnir"]),
34
35   // Publish SPF records indicating that only shenron sends mail
     // NOTE(review): the mechanisms below name fafnir and the site external ranges, not shenron;
     // confirm that this heading still matches the intended senders.
     // Each fafnir address also falls inside one of the dublin ranges listed further down, so
     // every host in those /27 and /64 ranges passes SPF for this domain, not only the mail server.
     // "-all" asks receivers to fail mail from any source that is not listed.
36
37   SPF_BUILDER({
38     label: "@",
39     parts: [
40       "v=spf1",
41       "ip4:184.104.226.98",         // fafnir ipv4 (he.net)
42       "ip6:2001:470:1:b3b::2",      // fafnir ipv6 (he.net)
43       "ip4:87.252.214.98",          // fafnir ipv4 (equinix)
44       "ip6:2001:4d78:fe03:1c::2",   // fafnir ipv6 (equinix)
45       "ip4:193.60.236.0/24",        // ucl external
46       "ip4:82.199.86.96/27",        // amsterdam external (equinix)
47       "ip6:2001:4d78:500:5e3::/64", // amsterdam external (equinix)
48       "ip4:87.252.214.96/27",       // dublin external (equinix)
49       "ip6:2001:4d78:fe03:1c::/64", // dublin external (equinix)
50       "ip4:184.104.179.128/27",     // amsterdam external (he.net)
51       "ip6:2001:470:1:fa1::/64",    // amsterdam external (he.net)
52       "ip4:184.104.226.96/27",      // dublin external (he.net)
53       "ip6:2001:470:1:b3b::/64",    // dublin external (he.net)
54       "mx",                         // safety net if we change mx
55       "-all"
56     ]
57   }),
58
     // The five subdomain records below are identical: each pulls in the openstreetmap.org
     // record through include and fails everything else, so a change to that record applies
     // to all of them.
59   SPF_BUILDER({
60     label: "messages",
61     parts: [
62       "v=spf1",
63       "include:openstreetmap.org",  // main openstreetmap.org spf record
64       "-all"
65     ]
66   }),
67
68   SPF_BUILDER({
69     label: "noreply",
70     parts: [
71       "v=spf1",
72       "include:openstreetmap.org",  // main openstreetmap.org spf record
73       "-all"
74     ]
75   }),
76
77   SPF_BUILDER({
78     label: "otrs",
79     parts: [
80       "v=spf1",
81       "include:openstreetmap.org",  // main openstreetmap.org spf record
82       "-all"
83     ]
84   }),
85
86   SPF_BUILDER({
87     label: "community",
88     parts: [
89       "v=spf1",
90       "include:openstreetmap.org",  // main openstreetmap.org spf record
91       "-all"
92     ]
93   }),
94
95   SPF_BUILDER({
96     label: "supporting",
97     parts: [
98       "v=spf1",
99       "include:openstreetmap.org",  // main openstreetmap.org spf record
100       "-all"
101     ]
102   }),
103
104   // Publish DKIM public key
      // Selector 20200301, key type RSA; the p= value begins with the SubjectPublicKeyInfo
      // header of a 2048-bit key. AUTOSPLIT is the DNSControl modifier for splitting a long
      // TXT value into several strings.
      // NOTE(review): the selector looks like a date (2020-03-01) - if it is the creation date,
      // check whether the key is due for rotation under a new selector.
105
106   TXT("20200301._domainkey", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzvoNZVOGfw1V4A171hxHMhzVTAnIUQVJ8iX3wbqCld8A5iIaXeTGYvBmewymax/cYJS4QqzbpUzkgrrTA9avuZhd+QGJDgjADgx4VyMOaOS6FwAxS0uXtLrt+lsixRDx/feKyZHaxjzJAQy46ok77xXL4UXIaaovw6G6eZpIScMzZQ2zkKNJxTICzzSOduIilHhMWte4XP+/2PdRmD7Ge9jb0U4bZjswX0AqKSGzDKYw+yxVna9l53adeCnklqg2ofoXu+ResiH+kt05aCUOMo8en3em6yBnRCMalgi1E3Tt7I5BWcYFRkT/8agUGW4gGC6XMV9IskOsYL0emG0kGwIDAQAB", AUTOSPLIT),
107
108   // Publish DMARC report-only policy
      // policy "none" asks receivers to send reports but take no action on mail that fails DMARC.
      // SPF checks only the envelope sender, so without an enforcing DMARC policy a forged From:
      // header is not rejected on the strength of the SPF and DKIM records in this zone.
      // No subdomain policy is set, so subdomains inherit "none" (RFC 7489).
      // Moving to quarantine or reject, once the aggregate reports show legitimate mail aligning,
      // is what turns these records into spoofing protection.
      // failureOptions (fo=1) only affects failure reports, which need a ruf address; none is
      // configured here, so only aggregate (rua) reports are requested.
109
110   DMARC_BUILDER({
111     policy: "none",
112     rua: [
113       "mailto:openstreetmap-d@dmarc.report-uri.com"
114     ],
115     failureOptions: 1
116   }),
117
118   // Announce MTA-STS policy and TLSRPT policy for error reports
      // The id value has to change whenever the policy file served from the mta-sts host changes;
      // senders otherwise keep using their cached copy (RFC 8461).
      // The policy mode (testing or enforce) is set in that file, not in DNS, so it cannot be read from this record.
119
120   TXT("_mta-sts", "v=STSv1; id=202001291805Z"),
121   TXT("_smtp._tls", "v=TLSRPTv1; rua=mailto:openstreetmap-d@tlsrpt.report-uri.com"),
122
123   // Fastly cert domain ownership confirmation
      // The verification strings in this group are public proofs of control, not secrets.
      // A token that is no longer needed should be removed, because it keeps the matching
      // third-party account able to prove control of this domain.
      // NOTE(review): two GlobalSign tokens are published - confirm both are still in use.
124
125   TXT("@", "_globalsign-domain-verification=ps00GlW1BzY9c2_cwH_pFqRkvzZyaCVZ-3RLssRG6S"),
126   TXT("@", "_globalsign-domain-verification=W0buKB5ZmL-VwwHw2oQyQImk3I1q3hSemf2qmB1hjP"),
127
128   // Facebook Business domain verification
129
130   TXT("@", "facebook-domain-verification=j5hix5i8r0kortfugqf2p9wx9x9by0"),
131
132   // Bluesky domain verification
      // Each _atproto TXT record names the DID that the matching handle resolves to (one for
      // the zone apex, one for the operations subdomain), so write access to these records
      // decides which account holds the handle.
133
134   TXT("_atproto", "did=did:plc:i6llv7iwybeipknl57v4dalb"),
135   TXT("_atproto.operations", "did=did:plc:eikdzxaxo3gjyebugkn6za5w"),
136
137   // Delegate MTA-STS policy for subdomains
      // Each CNAME sends the subdomain's _mta-sts TXT lookup to QUALIFY("_mta-sts"),
      // presumably the zone's own _mta-sts record.
      // NOTE(review): RFC 8461 senders fetch the policy for a subdomain from
      // https://mta-sts.<subdomain>.<domain>/.well-known/mta-sts.txt, and no mta-sts.<subdomain>
      // record appears in this listing - confirm those names resolve and serve the policy.
138
139   CNAME("_mta-sts.messages", QUALIFY("_mta-sts")),
140   CNAME("_mta-sts.noreply", QUALIFY("_mta-sts")),
141   CNAME("_mta-sts.otrs", QUALIFY("_mta-sts")),
142   CNAME("_mta-sts.community", QUALIFY("_mta-sts")),
143   CNAME("_mta-sts.supporting", QUALIFY("_mta-sts")),
144
145   // Google postmaster tools verification
      // Ownership proof by CNAME: the record names and targets are public values, not secrets.
146
147   CNAME("af323lytato5", "gv-o4v3qh5pfayqex.dv.googlehosted.com."),
148   CNAME("irzdddnmh465", "gv-cwr6bvt7xsgact.dv.googlehosted.com."),
149
150   // Main web servers and their aliases
      // All five names map to the same three hosts, spike-06, spike-07 and spike-08.
      // These are the only entries in this listing passed { cfproxy: true }.
      // NOTE(review): osm_web_service is defined outside this listing, so what cfproxy changes
      // in the published records cannot be confirmed from here.
151
152   osm_web_service("@", [ "spike-06",
153                          "spike-07",
154                          "spike-08"
155                        ], { cfproxy: true }),
156
157   osm_web_service("www", [ "spike-06",
158                            "spike-07",
159                            "spike-08"
160                          ], { cfproxy: true }),
161
162   osm_web_service("api", [ "spike-06",
163                            "spike-07",
164                            "spike-08"
165                          ], { cfproxy: true }),
166
167   osm_web_service("maps", [ "spike-06",
168                             "spike-07",
169                             "spike-08"
170                           ], { cfproxy: true }),
171
172   osm_web_service("mapz", [ "spike-06",
173                             "spike-07",
174                              "spike-08"
175                           ], { cfproxy: true }),
176
177   // Nominatim servers
178
179   CNAME("nominatim", "nominatim.geo.openstreetmap.org."),
180   CNAME("qgis.nominatim", "nominatim.geo.openstreetmap.org."),
181   CNAME("qa-tile.nominatim", "longma.openstreetmap.org."),
182
183   // Tile servers
      // tile and a/b/c.tile are CNAMEs to one Fastly host name. Which Fastly service answers for
      // each name is decided in the Fastly configuration, not here, so a CNAME should be removed
      // before its name is dropped from that configuration; otherwise the record is left dangling.
184
185   CNAME("tile", "dualstack.n.sni.global.fastly.net."),
186   CNAME("a.tile", "dualstack.n.sni.global.fastly.net."),
187   CNAME("b.tile", "dualstack.n.sni.global.fastly.net."),
188   CNAME("c.tile", "dualstack.n.sni.global.fastly.net."),
189
190   osm_web_service("render", [ "culebre",
191                               "nidhogg"
192                             ]),
193
194   // Vector tile servers
      // Same Fastly target as the tile names above; the same removal order applies.
195
196   CNAME("vector", "dualstack.n.sni.global.fastly.net."),
197
198   // Planet servers
      // backup and planet both point at norbert; the horntail lines are commented out and publish nothing.
199
200   A("backup", IPV4["norbert"]),
201   AAAA("backup", IPV6["norbert"]),
202   // A("backup", IPV4["horntail"]),
203   // AAAA("backup", IPV6["horntail"]),
204
205   osm_web_service("planet", "norbert"),
206   // osm_web_service("planet", "horntail"),
207
208   // Development server with wildcard alias for user sites
      // "*.dev" matches any name under dev, so every such name is directed to faffy without an
      // individual record; which user sites actually exist is decided on that host, not in DNS.
209
210   osm_web_service("dev", "faffy"),
211   osm_web_service("*.dev", "faffy"),
212
213   osm_web_service("ooc", "faffy"),
214   osm_web_service("a.ooc", "faffy"),
215   osm_web_service("b.ooc", "faffy"),
216   osm_web_service("c.ooc", "faffy"),
217
218   osm_web_service("npe", "faffy"),
219
220   // Foundation server
221
222   osm_web_service("blog", "ridley"),
223   osm_web_service("foundation", "ridley"),
224
225   // Matomo server
226
227   osm_web_service("matomo", "smaug"),
228   osm_web_service("piwik", "smaug"),
229
230   // Imagery servers
      // Every imagery name, including the a./b./c. aliases, points at lockheed.
231
232   osm_web_service("agri", "lockheed"),
233   osm_web_service("a.agri", "lockheed"),
234   osm_web_service("b.agri", "lockheed"),
235   osm_web_service("c.agri", "lockheed"),
236
237   osm_web_service("act-imagery", "lockheed"),
238   osm_web_service("a.act-imagery", "lockheed"),
239   osm_web_service("b.act-imagery", "lockheed"),
240   osm_web_service("c.act-imagery", "lockheed"),
241
242   osm_web_service("au-vic-melbourne-imagery", "lockheed"),
243   osm_web_service("a.au-vic-melbourne-imagery", "lockheed"),
244   osm_web_service("b.au-vic-melbourne-imagery", "lockheed"),
245   osm_web_service("c.au-vic-melbourne-imagery", "lockheed"),
246
247   osm_web_service("os", "lockheed"),
248   osm_web_service("a.os", "lockheed"),
249   osm_web_service("b.os", "lockheed"),
250   osm_web_service("c.os", "lockheed"),
251
252   osm_web_service("tiler", "lockheed"),
253
254   osm_web_service("us-imagery", "lockheed"),
255   osm_web_service("a.us-imagery", "lockheed"),
256   osm_web_service("b.us-imagery", "lockheed"),
257   osm_web_service("c.us-imagery", "lockheed"),
258
259   osm_web_service("bg-imagery", "lockheed"),
260   osm_web_service("a.bg-imagery", "lockheed"),
261   osm_web_service("b.bg-imagery", "lockheed"),
262   osm_web_service("c.bg-imagery", "lockheed"),
263
264   osm_web_service("br-imagery", "lockheed"),
265   osm_web_service("a.br-imagery", "lockheed"),
266   osm_web_service("b.br-imagery", "lockheed"),
267   osm_web_service("c.br-imagery", "lockheed"),
268
269   // Prometheus server and munin redirect
270
271   osm_web_service("prometheus", "stormfly-03"),
272   osm_web_service("munin", "stormfly-03"),
273
274   // Management server
275
276   osm_web_service("acme", "idris"),
277   osm_web_service("apt", "idris"),
278   osm_web_service("chef", "idris"),
279   osm_web_service("dns", "idris"),
280   osm_web_service("git", "idris"),
281   osm_web_service("hardware", "idris"),
282
283   // Bytemark machine, and the services which operate from it
284
285   osm_web_service("lists", "shenron"),
286
287   // Naga services
288
289   osm_web_service("svn", "naga"),
290   osm_web_service("trac", "naga"),
291   osm_web_service("irc", "naga"),
292   osm_web_service("blogs", "naga"),
293   osm_web_service("welcome", "naga"),
294   osm_web_service("operations", "naga"),
295   osm_web_service("hot", "naga"),
296   osm_web_service("dmca", "naga"),
297   osm_web_service("otrs", "naga", { h1: true, h2: false }), // OTRS is not available using HTTP/2
298   osm_web_service("birthday20", "naga"),
299   osm_web_service("help", "naga"),
300
301   // Wiki servers
302
303   osm_web_service("wiki", "konqi"),
304   osm_web_service("test.wiki", "muirdris"),
305
306   // Overpass server
307
308   osm_web_service("query", "grisu"),
309
310   // GPS tile server
311
312   osm_web_service("gps-tile", "muirdris"),
313   osm_web_service("a.gps-tile", "muirdris"),
314   osm_web_service("b.gps-tile", "muirdris"),
315   osm_web_service("c.gps-tile", "muirdris"),
316   osm_web_service("gps.tile", "muirdris"),
317   osm_web_service("gps-a.tile", "muirdris"),
318   osm_web_service("gps-b.tile", "muirdris"),
319   osm_web_service("gps-c.tile", "muirdris"),
320
321   // Donation site and new OSMF crm site
322
323   osm_web_service("donate", "ridley"),
324   osm_web_service("support", "ridley"),
325   osm_web_service("supporting", "ridley"),
326
327   osm_web_service("test.civicrm", "muirdris"),
328
329   // Discourse server ("community")
330
331   osm_web_service("community", "fume"),
332   osm_web_service("communities", "fume"),
333   osm_web_service("c", "fume"),
334   osm_web_service("forum", "fume"),
335
      // community-cdn is a CNAME to a Fastly host name; remove it before the name is dropped
      // from the Fastly configuration so the record is never left dangling.
      // The google-site-verification value is a public ownership proof, not a secret.
336   CNAME("community-cdn", "dualstack.n.sni.global.fastly.net."),
337   TXT("community", "google-site-verification=hQ8GZyj4KwnPqAX2oAzpbLrh6I5dfR08PSdL3icVkfg"),
338
339   // Taginfo server
340
341   osm_web_service("taginfo", "tabaluga"),
342
343   // Staging Blog Server
344
345   osm_web_service("staging.blog", "tabaluga"),
346
347   // Awards (external - Ilya Zverev)
      // The target awards.osmz.ee. is outside this zone's control: what is served under the
      // awards name is whatever that host serves. Remove the alias if the external host is
      // retired, so the name is not left pointing at a target someone else could claim.
348   ALIAS("awards", "awards.osmz.ee."),
349
350 );