coredns/zones/qubeseptic.com.zone
Ryan Malloy f8363e5ea7 zones: add explicit CNAME-to-apex for RFC 4592 empty-non-terminals
Wildcards in DNS only synthesize for names that don't already exist
in the zone tree. A `_acme-challenge.<sub>` TXT record makes <sub>
an "empty non-terminal" — exists in the tree (as a parent node) but
has no records of its own. Per RFC 4592 §2.2.3, wildcards skip these,
so RFC-compliant resolvers (HE, BIND) return NODATA for <sub> even
when the zone has `* CNAME @`.

Fix: for each <sub> that's an empty non-terminal in a zone with a
wildcard, add an explicit `<sub> CNAME @` so the resolution outcome
matches what the wildcard would have produced. Zero-knowledge — no
need to identify the specific service IP per name.

30 records added across 14 zones:
  acrazy.org (langfuse.dootie)
  context.bet (studio)
  copper-springs.online (docs.butler.dev)
  demostar.io (cw.cw, doom, meet)
  home-inspector.store (api, dashboard, mailpit)
  inspect.pics (admin)
  log.doctor (app, docs)
  malloys.us (cp, cp-sandbox, mary)
  nielsen-inspections.com (calendar, cw, files, v2-calendar)
  qubeseptic.com (api.dispatch, dispatch, leads, mail.dispatch,
                  rentcache.dispatch)
  ryanmalloy.com (c4ai)
  sidejob.pro (api)
  upc.llc (catalog, minio.or, or, s3)

CoreDNS (lenient) was returning the wildcard CNAME for these names
anyway; HE (strict RFC-compliant) was returning empty. After this
change, both behave identically.
2026-05-18 18:34:51 -06:00

60 lines
4.4 KiB
Dns

; Zone file for qubeseptic.com
; Generated by mcp-vultr
$ORIGIN qubeseptic.com.
$TTL 3600
300 IN NS ns1.vultr.com
300 IN NS ns2.vultr.com
300 IN A 108.61.229.209
l 300 IN CNAME rpm-bullet.mer.idahomuellers.net
* 300 IN A 108.61.229.209
autoconfig 600 IN A 66.42.75.247
*.l 300 IN CNAME rpm-bullet.mer.idahomuellers.net
tw 300 IN CNAME lsct.ashburn.us1.twilio.com
300 IN MX 10 mail.supported.systems
jobs 300 IN MX 10 mail.supported.systems
300 IN TXT "google-site-verification=TPaiTqkSCw0vRKrgXVBTua7kyIOHsJkfCf1RHfGTEWY"
300 IN TXT "v=spf1 mx a:mail.supported.systems ~all"
dkim._domainkey 300 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuVZGFAou8+E8B7wpmc6ck4Y8Ydewp3uppPnvGVxeTpU9g7XtuUHH74iQiVxwkaW6Rx6/3LMPdkYQ9vjAy9TVYNVuBamVrzmVh0SQKv5oqxZPk6yP5gCD40G20fx0NvUwWadkfnMI8/vlCZ6W68WFxCrS+zi6AJl3sIbFZ4bEXlAAGZu2MihhVOryo3CBY80m8ksH1XuujK8MuiReJjhsYtA39/zQGm2D5xMKFrp+JtOU2U8kzCz+DZ63H3iOE3BuKkhMtsABrmrOfEc0LrayF0YRIjtERYOWGMulVy7vuriCztLSoV0dLLyNlvDBTQGrZcICq8zFX40BiBQyGebtSQIDAQAB"
_acme-challenge.pdfs.idaho.data.l 300 IN TXT "w2i5gOZBpprmIG4BT4qfhtZ5lyxroV_tIPGBQRx0h7U"
_acme-challenge.idaho.data.l 300 IN TXT "SZ4U7rs6InsuAUqo31RBlvsvJQO8rsnw4UAMD9ilir0"
_acme-challenge.idaho.data.l 300 IN TXT "bGf7a1zxcVPSPWjj_xik_Xk1EOc5mrNdy9Y6igC7sa0"
_acme-challenge.pdfs.idaho.data.l 300 IN TXT "ia5jwWwj2LB8u6Irboju1zE5Xgo7oW4C2EKZJ4AgdSk"
_acme-challenge.pdfs.idaho.data.l 300 IN TXT "0L13v3MqQt6JzvHBYXFpHr-71ZM-YcgHmysx4wy70M4"
_acme-challenge.pdfs.idaho.data.l 300 IN TXT "bGHSQ8kr0BxXP4kjpsTzR-NPQZ1z9SSbEbZyc4xmn3c"
_acme-challenge.pdfs.idaho.data.l 300 IN TXT "Yt4IOlPK1vdy5Q-s2TGNKA5e-fuEJQuomxjyS3vq9kM"
_acme-challenge.pdfs.idaho.data.l 300 IN TXT "8lJVr9anqgOeASfCeYZmkDACiRWmNlF6C39f1LQAj7s"
_acme-challenge.api.l 300 IN TXT "RGKdh-Sscvtlm1IF22RjeHFll2RnusLxRYEY523ab_k"
_acme-challenge.api.l 300 IN TXT "DFE62Que-naq_f8EHi6KMWMQ2KgMb-kIHrGwpgQ4VJU"
_acme-challenge.auth.leads.l 300 IN TXT "BM6OXZ0O1ehuOJsW9qiXKBVA4U_i9PIxpXOa85lxObc"
_acme-challenge.api.dispatch 300 IN TXT "FYfNYJleW7GF_B0TuSa7jRKy0UwWLRQr2vgbNzVmYRQ"
_acme-challenge.api.dispatch 300 IN TXT "0TI1UgqUV8RYPa7WJ922L_lueJOMfB9B9W0Ci06tMu8"
_acme-challenge.api.dispatch 300 IN TXT "RwzpAIDzF3gRaoffic8BjyAsIwfPiDkRR9FURcEZlAw"
_acme-challenge.mail.dispatch 300 IN TXT "IMu1pPsrsndOLGPHaIGk-d87UWdZ2XEOx5nB1TIC5V4"
_acme-challenge.mail.dispatch 300 IN TXT "YIEbEC-2HMVupAkqMzTfpoHGdxawh8mtlrNuu9uQo_U"
_acme-challenge.mail.dispatch 300 IN TXT "Ju-EKSL-csMJ5YtOD4tN_Xfzd4Dr8-Lr8GpYacxXsU4"
_acme-challenge.dispatch 300 IN TXT "FgyBNrpL75bXhU6VYhnGxA1nEIx66i87z1MrjrbwkvE"
_twilio 300 IN TXT "twilio-domain-verification=90d2b1c2eb2f73eaadd26dcf19548886"
_twilio.tw 300 IN TXT "twilio-domain-verification=90d2b1c2eb2f73eaadd26dcf19548886"
_acme-challenge.rentcache.dispatch 300 IN TXT "K_KbhgTrWk18emFEHdDP9dLR276uU0a0US2I-MyutTo"
_dmarc 3600 IN TXT "v=DMARC1;p=reject;sp=reject;rua=mailto:dmarc-report@qubeseptic.com;ruf=mailto:dmarc-failures@qubeseptic.com;aspf=s;adkim=s;fo=1;"
jobs 300 IN TXT "v=spf1 mx a:mail.supported.systems ~all"
dkim._domainkey.jobs 300 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuVZGFAou8+E8B7wpmc6ck4Y8Ydewp3uppPnvGVxeTpU9g7XtuUHH74iQiVxwkaW6Rx6/3LMPdkYQ9vjAy9TVYNVuBamVrzmVh0SQKv5oqxZPk6yP5gCD40G20fx0NvUwWadkfnMI8/vlCZ6W68WFxCrS+zi6AJl3sIbFZ4bEXlAAGZu2MihhVOryo3CBY80m8ksH1XuujK8MuiReJjhsYtA39/zQGm2D5xMKFrp+JtOU2U8kzCz+DZ63H3iOE3BuKkhMtsABrmrOfEc0LrayF0YRIjtERYOWGMulVy7vuriCztLSoV0dLLyNlvDBTQGrZcICq8zFX40BiBQyGebtSQIDAQAB"
_acme-challenge.leads 300 IN TXT "b24y9q6jcLxVc3E3ItxJBAmd1G1yClQ6kf-vYhzzkhk"
_acme-challenge.leads 300 IN TXT "0MwwP6kHZhTRdxpYs6SP5l2xvKWYKXJvhwP_UsYg8kg"
_acme-challenge 300 IN TXT "IUHPs530qhNQgx9IYh9uyg12hSLE4-IWXVVa35QHvdA"
_imap._tcp 600 IN SRV 20 0 143 mail.supported.systems
_pop3._tcp 600 IN SRV 20 0 110 mail.supported.systems
_submission._tcp 600 IN SRV 20 0 587 mail.supported.systems
_autodiscover._tcp 600 IN SRV 10 0 443 mail.supported.systems
_submissions._tcp 600 IN SRV 10 0 465 mail.supported.systems
_imaps._tcp 600 IN SRV 10 0 993 mail.supported.systems
_pop3s._tcp 600 IN SRV 10 0 995 mail.supported.systems
; Explicit CNAMEs added to fix RFC 4592 empty-non-terminal cases
; (parent name has _acme-challenge children, so wildcard would skip it)
api.dispatch 300 IN CNAME qubeseptic.com
dispatch 300 IN CNAME qubeseptic.com
leads 300 IN CNAME qubeseptic.com
mail.dispatch 300 IN CNAME qubeseptic.com
rentcache.dispatch 300 IN CNAME qubeseptic.com