; Forward zone for cnx.email (mail-only domain). Served by Knot, which DNSSEC-signs
; the zone on load; the DANE and MTA-STS records below depend on that signature.
$ORIGIN cnx.email.
$TTL 3600

@ IN SOA ns1.cnx.network. hostmaster.cnx.network. (
        2026061401 ; serial (ignored: Knot auto-assigns a dateserial on signing)
        3600       ; refresh
        900        ; retry
        604800     ; expire
        300 )      ; negative-cache TTL

@ IN NS ns1.cnx.network.
@ IN NS ns2.cnx.network.

; ---- Mail ----
; NOTE(review): the matching PTR records for both addresses live in the provider's
; reverse zones, not here — they must resolve back to mx1.cnx.email for outbound
; delivery; confirm they are in place.
mx1 IN A    5.223.65.38
mx1 IN AAAA 2a01:4ff:2f0:1963::1

; Client-facing alias for IMAP/submission (Thunderbird etc.); the cert carries
; mail.cnx.email as a SAN. The MX must never point here (CNAMEs are illegal MX
; targets) — server-to-server delivery and DANE stay on mx1.cnx.email.
mail IN CNAME mx1.cnx.email.

@ IN MX 10 mx1.cnx.email.

; SPF: only the MX hosts (i.e. mx1's A/AAAA above) may send as cnx.email; every
; other source hard-fails. Any third-party sender added later needs an include:
; here or it will be rejected under -all.
@ IN TXT "v=spf1 mx -all"

; Aggregate (rua) + forensic (ruf) reports go to the dmarc@cnx.email mailbox,
; which parsedmarc on control polls and feeds into Grafana. fo=1 asks reporters
; to send a forensic report on any SPF/DKIM failure.
; Once the reports show no legitimate mail failing alignment, tighten p= to reject.
_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@cnx.email; ruf=mailto:dmarc@cnx.email; fo=1"

; ---- DANE / TLSA ----
; "3 1 1" = DANE-EE, SPKI, SHA-256: the digest of mx1's certificate public key.
; Valid because the zone is DNSSEC-signed and the lego cert uses --reuse-key, so
; the key (and thus this digest) is stable across renewals. Compute it AFTER the
; first issuance and paste the hex below:
;   ssh mx1 'openssl x509 -in /var/lib/acme/mx1.cnx.email/cert.pem -noout -pubkey \
;     | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | xxd -p -c256'
; Rollover: if --reuse-key is ever dropped or the key is rotated, publish the new
; 3 1 1 record ALONGSIDE this one for at least 2 x TTL before deploying the new
; cert, then drop the old record — otherwise DANE-validating senders refuse delivery.
_25._tcp.mx1 IN TLSA 3 1 1 bd9a51f60b6d2dd20f18b3553d2795053ac52f87567a46bc892006bb58506404

; ---- MTA-STS ----
; Policy host (A/AAAA point at mx1); the _mta-sts TXT id MUST be bumped whenever
; the policy file in modules/mail.nix changes, or senders keep the cached policy.
; The policy is fetched over HTTPS from mta-sts.cnx.email/.well-known/mta-sts.txt,
; so the cert presented there must be valid for mta-sts.cnx.email —
; NOTE(review): confirm it is a SAN on the lego cert (only mail.cnx.email is
; mentioned above).
; No TLS-RPT record is published; adding
;   _smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:<report-mailbox>@cnx.email"
; (mailbox is a placeholder) would deliver MTA-STS/DANE failure reports the same
; way DMARC reports arrive today.
mta-sts IN A    5.223.65.38
mta-sts IN AAAA 2a01:4ff:2f0:1963::1
_mta-sts IN TXT "v=STSv1; id=2026061801"

; ---- DKIM ----
; Public key for selector "mail" (RSA, 2048-bit judging by the SPKI prefix), split
; into multiple strings because a single TXT string is limited to 255 bytes.
; To rotate: publish the new selector's record first, switch signing only after the
; change has propagated, and remove the old selector once in-flight mail has aged out.
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
        "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr9QxTs5dLtY76bo156+Tp0GUoE554rMwIooIYa2MMYHNs8zPb0thFmaCKGAINdHKNIq2phXAlk51iBTfdqXjx7gVWSrs+ftykqO3b5hUjgImsgqPWGUTzy5/bUgcDELiD9KKEyKYD3+ebZEw6d0uvBvEsA6a1CPzOsufoCDtyKjByCuQzkCBrK25TUHFolGvEYcZexR0LSF+8hMss"
        "xyw9NYiPpTXVCWQJnrZZpuOBiX0K2l5CAXVyuT/B5RcBXlAUhBTp3390VEhL0wAZMTOnvtvBYK3NnsTIh96fkh6MfWmre7Fi9hEq//xGf40N5/aomMjJrJdqFZJLZpDotb/XwIDAQAB" )