deploy: enable rfc2136 plugin for all 84 production zones

Wires the custom CoreDNS image (built via coredns/Dockerfile, source
includes git.supported.systems/rsp2k/coredns-rfc2136) into production:

- docker-compose.yml: switch coredns service from upstream image pin
  to a build target. New `image: coredns-rfc2136:${COREDNS_IMAGE_TAG}`
  is locally-built; `up -d coredns` triggers the build.
- .env: COREDNS_IMAGE_TAG=2026.05.21 (CalVer). Old COREDNS_IMAGE kept
  as a comment for emergency rollback to upstream 1.11.3.
- Corefile: new rfc2136 directive inside (common) snippet enumerating
  all 84 zones currently in zones/. Plugin is now in the chain for
  every server block (plain DNS, DoT, DoH). UPDATE opcode lands in
  the plugin handler; auto-commit on, CalVer SOA serial bumping on,
  zones-dir /zones matches the existing bind-mount.

TSIG key is read from ${ACME_TSIG_SECRET} which lives in .env.local
(gitignored). Production deployment needs that file synced to dell01
separately.

This commit DOESN'T trigger the deployment by itself -- the image
must be built on dell01 and the container recreated to apply.

.env

@@ -1,6 +1,11 @@
 COMPOSE_PROJECT_NAME=coredns
 
-# CoreDNS image pin — use a digest in real deploys
+# Custom CoreDNS image tag (CalVer). Built locally via `docker compose
+# build coredns` using ./coredns/Dockerfile; pulls plugins from the
+# referenced git repos at build time. Bump this when re-rolling.
+COREDNS_IMAGE_TAG=2026.05.21
+# Legacy pin (no longer the active image; kept for emergency rollback
+# to upstream CoreDNS if the custom build needs to be reverted).
 COREDNS_IMAGE=coredns/coredns:1.11.3
 
 # Host ports. systemd-resolved usually binds 53, so default to 5353.

Corefile

@@ -24,6 +24,19 @@
         to *
     }
 
+    # RFC 2136 dynamic DNS updates (TSIG-authenticated). Accepts UPDATE
+    # opcode messages from authorised clients (e.g. caddy-dns/rfc2136
+    # for ACME DNS-01) and applies them to the source zone files.
+    # SOA serial bumped automatically (CalVer); changes auto-committed
+    # to git. Plugin source: git.supported.systems/rsp2k/coredns-rfc2136
+    rfc2136 acrazy.org automaton.global automaton.host blender.bet blender.cam blender.partners blender.quest blender.systems cloud-dine.com context.bet coopermalloy.com copper-springs.online cyberinsuranceapp.com demostar.app demostar.click demostar.io demostar.net demo-tube.com dignity.ink dope.team encom.cash encom.ink encom.website encom.wtf enls.us enls.video freemyradicals.com garage.ceo garage.christmas garage.doctor garage.dog garage.engineering garage.makeup garage.rocks garage.supply glennsferry.site home-inspector.app home-inspector.pics home-inspector.site home-inspector.store home-inspector.website homestar.ink inpect.pro inspect.monster inspect.pics inspects.homes inspect.systems jobsite.homes kg7q.cc log.doctor lukascrockett.com malloys.us mcpdash.wtf mcp.website myhood.us nielsen-inspections.com nielsens.world ourjob.site paigemalloy.com paythatway.com powdercoatedcabinents.com powdercoatedcabinet.com powdercotedcabinets.com prezhub.com reviewr.guru rsvp-for.de ryanmalloy.com screencast.systems septic.report sidejob.pro spencernewbolt.com supported.systems supportedsystems.com supportedsystems.net syslog.chat tatemalloy.com tateorrtot.games timber.ink trackfeeds.cloud tuckermalloy.com upc.llc warehack.ing westboise.org zmesh.systems {
+        zones-dir /zones
+        tsig-key acme-update-key. hmac-sha256 {$ACME_TSIG_SECRET}
+        ttl 60
+        auto-commit true
+        git-author "coredns-rfc2136" "rfc2136@coredns.supported.systems"
+    }
+
     forward . 1.1.1.1 1.0.0.1 9.9.9.9 {
         max_concurrent 1000
     }

docker-compose.yml

@@ -43,7 +43,14 @@ services:
       start_period: 5s
 
   coredns:
-    image: ${COREDNS_IMAGE}
+    # Custom build with the rfc2136 plugin baked in. The image tag is
+    # CalVer (set in .env COREDNS_IMAGE_TAG) so we can pin specific
+    # builds; `docker compose build coredns` produces the locally-tagged
+    # image, then up -d picks it up.
+    build:
+      context: .
+      dockerfile: coredns/Dockerfile
+    image: coredns-rfc2136:${COREDNS_IMAGE_TAG}
     container_name: coredns
     restart: unless-stopped
     command: ["-conf", "/etc/coredns/Corefile"]