$ORIGIN cnx.network.
$TTL 3600

@   IN  SOA ns1.cnx.network. hostmaster.cnx.network. (
        2026061402  ; serial   (ignored: Knot auto-assigns a dateserial on signing)
        3600        ; refresh
        900         ; retry
        604800      ; expire
        300 )       ; negative-cache TTL

; ---- Nameservers (used by every zone we serve) ----
@       IN  NS      ns1.cnx.network.
@       IN  NS      ns2.cnx.network.

; ---- Glue for the nameservers ----
ns1     IN  A       46.224.170.206
ns1     IN  AAAA    2a01:4f8:c014:b5c5::1
ns2     IN  A       157.180.70.82
ns2     IN  AAAA    2a01:4f9:c014:6d87::1

; ---- control (ZeroTier controller) ----
control IN  AAAA    fd06:1bad:ece2:92ad:ba99:9306:1bad:ece2

; ---- Web / apex (fill in once you have a web host) ----
;@      IN  A       <web-ipv4>
;www    IN  CNAME   cnx.network.
monitor IN  A       5.223.66.36

; ---- web01 (public reverse proxy / TLS termination) ----
; Serves a wildcard *.cnx.network TLS cert (ACME DNS-01) and forwards to internal
; services over the mesh. Add a vhost in modules/web-proxy.nix and a CNAME here.
web01   IN  A       5.223.55.246
web01   IN  AAAA    2a01:4ff:2f0:2d8f::1
grafana IN  CNAME   web01.cnx.network.