fix role name auth-dns -> auth_dns

This configuration does not yet do much but it provisions a knot
server that runs.

inventories/chaosknoten/host_vars/auth-dns.sops.yaml

@@ -1,4 +1,5 @@
 ansible_pull__age_private_key: ENC[AES256_GCM,data:2kBG8j8JHa/dlXgWMdbSobulFdVunf052T1QQfm1X2vpEZx2HPCL87fWea+O0WOg7+eoMYbiShu0Vw1eTjb+687LjU8l4cj2JWIajnYfDGH+ipWXojxj613C3RZV3JfDOclVTwP8fCHu7z7P3fKrsKWb5d3t2ohTT+sGdVdimakAOf192CkufcVIthq2imiWbntiMTOdMGJxyIjqT2Io2H89nSbJXkONsuHCF/PbxhryB2LZbl8aZV32knk=,iv:hpscVc7iO4r/h31vS6Zno2pkEsgA2uR7wD/1PjH1znM=,tag:ypiwFtgeXuj4gOsgTCRTBw==,type:str]
+knot__dnssec_key_secret: ENC[AES256_GCM,data:WPFTLyJIttFtqqTZV2fGN0Tt1vRS318TGmd2YqNzYisE3TBi6Z2aClxuYh56Q+j7TUQwCvga3jd5w017sEz3kA==,iv:umaFHBCy9AZgNFv7uXLCtO0o/NZDAZ1QNg5DcGHWEW8=,tag:oR92C1Uj5iXU9L02MqzGSQ==,type:str]
 sops:
   age:
     - recipient: age18zgt4y2sd75hxnpe333zz39048ctxpr0q8a3uqh3jajjkyawsdrq8yg5ve
@@ -10,8 +11,8 @@ sops:
         MEZQTHZXNExsSnl0WW9Vb29sajE1YzAKoYU7rGuR+52+U02uf3eTH9hkIECWdcJv
         wN9JTwsUn0c6mi/d4AHgv5O04Uw7NxUyGVmFlDZzjxLwPzZyR73SvA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-04-29T19:21:55Z"
+  lastmodified: "2026-05-01T17:08:09Z"
-  mac: ENC[AES256_GCM,data:RLXsIsSdrCuElYQ3x2YpwYzQx0V0zoYP6h9FLD+RqmZ1pWhlk6Ijp9WxCAlEWps9n5rPYYyhZ3ldSJluTVeroPwpzrmwW+xXCGsCC0BFk6PuB4UynfHwWR/3jEK47nAdPbNfONhzGfOeTObYp22c3iHiKL8YochOSlBToA8mFr4=,iv:fZZEa3C/BsNKGdTKlR/hexrzhmLxiMVxgL9nXjX2Q1E=,tag:I5M8SNbSw4w1crsl0z/5+Q==,type:str]
+  mac: ENC[AES256_GCM,data:TaMWf1ESs8nYzxkElMYtsz+/Be0PtI7FA0q6IFK+ob4dl/EN+AeTD7Pp0MZF8zcRvZ4hF0Ybimet5bwVR+d7UIXlXz3qP//pX68JDCvcLMQuhNtm6Ws+mwVxkpxEvBr1PtxlSvcQ76vH3ryEsXkP84gmlCDEdX1GAZYZ9ZS3Cfk=,iv:g3tzUfTPNUQyOAxWJEFPHg0IAPAzQgwYABHm4mFOOrI=,tag:C6KE/bg/3jS7Wc56y6YOJQ==,type:str]
   pgp:
     - created_at: "2026-04-29T19:18:43Z"
       enc: |-

inventories/chaosknoten/host_vars/auth-dns.yaml

@@ -0,0 +1,19 @@
+---
+deploy_systemd_resolved_config__enable: false
+
+knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1"
+knot__remotes:
+  - id: ns-intern.hamburg.ccc.de
+    address: [ "2a00:14b0:f000:23::53", "172.31.17.53" ]
+
+knot__catalog_zones:
+  - domain: "hamburg.ccc.de.catalog."
+
+knot__zones:
+  # - domain: "hamburg.ccc.de."
+  #   catalog_member: "hamburg.ccc.de.catalog."
+  #   content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}"
+  - domain: "hh.ccc.de."
+    catalog_member: "hamburg.ccc.de.catalog."
+    notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}"

playbooks/deploy.yaml

@@ -101,3 +101,8 @@
 
 - name: Run ensure_eh22_styleguide_dir Playbook
   ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
+
+- name: Setup authoritative dns servers
+  hosts: auth-dns
+  roles:
+    - auth_dns

resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2

@@ -0,0 +1,13 @@
+# Links & Resources
+# https://www.knot-dns.cz/docs/latest/html/index.html
+
+services:
+  knot:
+    image: docker.io/cznic/knot:v3.5.4
+    restart: unless-stopped
+    command: "knotd"
+    network_mode: host
+    volumes:
+      - ./configs:/config:ro
+      - ./storage:/storage
+

resources/chaosknoten/auth-dns/zones/0.0.127.in-addr.arpa.zone

@@ -0,0 +1,12 @@
+$ORIGIN 0.0.127.in-addr.arpa.
+$TTL 7200
+
+@			1D IN SOA	localhost. root.localhost. (
+					42		; serial (d. adams)
+					3H		; refresh
+					15M		; retry
+					1W		; expiry
+					1D )		; minimum
+
+			1D IN NS	localhost.
+1			1D IN PTR	localhost.

resources/chaosknoten/auth-dns/zones/127.0.0.zone

@@ -0,0 +1,11 @@
+$ORIGIN 0.0.127.in-addr.arpa.
+
+@			1D IN SOA	localhost. root.localhost. (
+					42		; serial (d. adams)
+					3H		; refresh
+					15M		; retry
+					1W		; expiry
+					1D )		; minimum
+
+			1D IN NS	localhost.
+1			1D IN PTR	localhost.

resources/chaosknoten/auth-dns/zones/168.192.in-addr.arpa.zone

@@ -0,0 +1,10 @@
+$TTL 7200
+
+@               IN      SOA     ns.hamburg.ccc.de. hostmaster.ccc.de. (
+                2016111701
+                10800
+                3600
+                3600000
+                86400 )
+
+                IN      NS      ns.hamburg.ccc.de.

resources/chaosknoten/auth-dns/zones/17.31.172.in-addr.arpa.zone

@@ -0,0 +1,49 @@
+$TTL 7200
+
+@               IN      SOA     ns-intern.hamburg.ccc.de. haegar.ccc.de. (
+		2025020101
+		10800
+		3600
+		3600000
+		86400 )
+
+		IN      NS      ns-intern.hamburg.ccc.de.
+
+1		IN	PTR	turing-vzhost.hamburg.ccc.de.
+14		IN	PTR	attraktor-intern.hamburg.ccc.de.
+53		IN	PTR	ns-intern.hamburg.ccc.de.
+122		IN	PTR	oldturing.hamburg.ccc.de.
+129		IN	PTR	turing-router.hamburg.ccc.de.
+131		IN	PTR	officemail.hh.ccc.de.
+132		IN	PTR	turing-new.hamburg.ccc.de.
+133		IN	PTR	gitlab-intern.hamburg.ccc.de.
+134		IN	PTR	jabber-intern.hamburg.ccc.de.
+135		IN	PTR	turing-db.hamburg.ccc.de.
+136		IN	PTR	chaosvpn-dns.hamburg.ccc.de.
+137		IN	PTR	attraktor-intern2.hamburg.ccc.de.
+138		IN	PTR	gitlab-test-intern.hamburg.ccc.de.
+139		IN	PTR	gitlab-runner.hamburg.ccc.de.
+142		IN	PTR	turing-intern2.hamburg.ccc.de.
+143		IN	PTR	cloud-intern.hamburg.ccc.de.
+144		IN	PTR	keycloak-intern.hamburg.ccc.de.
+145		IN	PTR	grafana-intern.hamburg.ccc.de.
+146		IN	PTR	wiki-intern.hamburg.ccc.de.
+147		IN	PTR	onlyoffice-intern.hamburg.ccc.de.
+148		IN	PTR	tickets-intern.hamburg.ccc.de.
+149		IN	PTR	netbox-intern.hamburg.ccc.de.
+150		IN	PTR	matrix-intern.hamburg.ccc.de.
+151		IN	PTR	public-web-static-intern.hamburg.ccc.de.
+152		IN	PTR	zammad-intern.hamburg.ccc.de.
+153		IN	PTR	ns-intern2.hamburg.ccc.de.
+156		IN	PTR	ccchoir-intern.hamburg.ccc.de.
+157		IN	PTR	pretalx-intern.hamburg.ccc.de.
+163		IN	PTR	renovate-forgejo.hamburg.ccc.de
+180		IN	PTR	rproxy-intern.hamburg.ccc.de.
+199		IN	PTR	template.hamburg.ccc.de.
+201		IN	PTR	cow-intern.hamburg.ccc.de.
+202		IN	PTR	forgejo-runner-builder.hamburg.ccc.de.
+202		IN	PTR	forgejo-runner-ubuntu.hamburg.ccc.de.
+204		IN	PTR	eh22hub-intern.hamburg.ccc.de.
+212		IN	PTR	eh20-intern.hamburg.ccc.de.
+213		IN	PTR	cryptoparty-intern.hamburg.ccc.de.
+254		IN	PTR	chaosknoten.hamburg.ccc.de.

resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone

@@ -0,0 +1,16 @@
+$TTL 7200
+
+@               IN      SOA     ns.hamburg.ccc.de. haegar.ccc.de. (
+                2023073001
+                10800
+                3600
+                3600000
+                86400 )
+
+                IN      NS      ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:122::1
+
+1.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	turing.hamburg.ccc.de.
+

resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone

@@ -0,0 +1,43 @@
+$TTL 7200
+
+@               IN      SOA     ns.hamburg.ccc.de. haegar.ccc.de. (
+                2025020102
+                10800
+                3600
+                3600000
+                86400 )
+
+                IN      NS      ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+; ccchh firewall / tunnelendpunkte:
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	fwhh.hamburg.ccc.de.
+
+6.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	jabber.hamburg.ccc.de.
+3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	ns.hamburg.ccc.de.
+0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	rproxy.hamburg.ccc.de.
+2.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	oldturing.hamburg.ccc.de.
+3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	gitlab-intern.hamburg.ccc.de.
+5.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	fftest.hamburg.ccc.de.
+4.1.0.0.0.0.0.0.0.0.0.0.8.4.0.0	IN	PTR	wiki.attraktor.org.
+1.0.0.0.0.0.0.0.0.1.2.0.0.5.0.0	IN	PTR	lokal.ccc.de.
+1.0.0.0.0.0.0.0.2.1.2.0.0.5.0.0	IN	PTR	eh20.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.3.1.2.0.0.5.0.0	IN	PTR	cryptoparty.hamburg.ccc.de.
+
+1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0	IN	PTR	shellhost.hamburg.ccc.de.
+
+1.0.0.0.0.0.0.0.0.3.1.0.1.5.0.0	IN	PTR	unallocated.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.1.3.1.0.1.5.0.0	IN	PTR	cms.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.2.3.1.0.1.5.0.0	IN	PTR	lists.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.3.3.1.0.1.5.0.0	IN	PTR	cow.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.4.3.1.0.1.5.0.0	IN	PTR	srv01.hamburg.freifunk.net.
+1.0.0.0.0.0.0.0.5.3.1.0.1.5.0.0	IN	PTR	fftest.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.6.3.1.0.1.5.0.0	IN	PTR	git.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.7.3.1.0.1.5.0.0	IN	PTR	unallocated.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.8.3.1.0.1.5.0.0	IN	PTR	unallocated.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.9.3.1.0.1.5.0.0	IN	PTR	jitsi.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0	IN	PTR	shells.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.1.4.1.0.1.5.0.0	IN	PTR	mumble.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.2.4.1.0.1.5.0.0	IN	PTR	regio-stage.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.4.0.2.0.1.5.0.0	IN	PTR	eh22hub.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.5.0.2.0.1.5.0.0	IN	PTR	eh22hub-meta.hamburg.ccc.de.

resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone

@@ -0,0 +1,15 @@
+$TTL 7200
+
+@               IN      SOA     ns.hamburg.ccc.de. haegar.ccc.de. (
+                2023072900
+                10800
+                3600
+                3600000
+                86400 )
+
+                IN      NS      ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:123::1
+
+1.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	unused.hamburg.ccc.de.

resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone

@@ -0,0 +1,15 @@
+$TTL 7200
+
+@               IN      SOA     ns.hamburg.ccc.de. haegar.ccc.de. (
+                2023072900
+                10800
+                3600
+                3600000
+                86400 )
+
+                IN      NS      ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:124::1
+
+1.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	unused.hamburg.ccc.de.

resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone

@@ -0,0 +1,15 @@
+$TTL 7200
+
+@               IN      SOA     ns.hamburg.ccc.de. haegar.ccc.de. (
+                2023072900
+                10800
+                3600
+                3600000
+                86400 )
+
+                IN      NS      ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:125::1
+
+1.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	public-reverse-proxy.hamburg.ccc.de.

resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone

@@ -0,0 +1,15 @@
+$TTL 7200
+
+@               IN      SOA     ns.hamburg.ccc.de. haegar.ccc.de. (
+                2023073001
+                10800
+                3600
+                3600000
+                86400 )
+
+                IN      NS      ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:126::1
+
+1.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	chaosknoten.hamburg.ccc.de.

resources/chaosknoten/auth-dns/zones/Makefile

@@ -0,0 +1,93 @@
+
+CHANGED = $(shell git diff --name-only --relative -- '*.zone' )
+
+export GIT_AUTHOR_NAME = "Bind Makefile"
+#export GIT_AUTHOR_EMAIL = "$(shell whoami)@$(shell hostname -f)"
+#export GIT_COMMITTER_NAME = $(GIT_AUTHOR_NAME)
+#export GIT_COMMITTER_EMAIL = $(GIT_AUTHOR_EMAIL)
+
+all: rollover
+install: rollover
+
+rollover: autoserial diff check reload eof
+
+
+diff:
+	@echo "Diff Zones... "
+	@git diff -U0 -- $(CHANGED) \
+	| grep -a -v -E '^(diff |index |---|@@)' \
+	| sed -e 's/^[+]* .\/\([^ 	]*\).*/=> \1/'
+
+autoserial:
+	@for file in $(CHANGED); do \
+		perl -p -i -e 'if ($$p =~ /[\t\s]+IN[\t\s]+SOA[\t\s]+/) { $$stamp = sprintf("%4.4d%02.2d%02.2d", (localtime)[5]+1900, (localtime)[4]+1, (localtime)[3]); $$count = (/$$stamp([0-9]{2})/)? $$1 + 1: 1; s/[0-9]+/sprintf("%s%02.2d", $$stamp, $$count)/e; } $$p = $$_;' $$file; \
+	done
+
+check:
+	@echo "Checking Configs... "
+	@if ! named-checkconf /etc/bind/named.conf; then \
+		echo "FIX THE ERROR AND TRY AGAIN"; \
+		exit 1 ; \
+	fi
+
+	@echo "Checking Zones... "
+	@named-checkconf -j -p /etc/bind/named.conf \
+	| perl -e 'my $$zone = ""; while (<>) { if (/^\s+zone\s+\"(.*)\"/) { $$zone = $$1; } elsif (($$zone ne "") && /^\s+file\s+\"(.*?)\"/) { print "$$zone $$1\n"; $$zone = ""; } }' \
+	| sort \
+	| uniq \
+	| while read zone file; do \
+		echo "FOO: zone: $$zone file: $$file"; \
+		if [ -z "$$file" -o "$$zone" = "key" ] ; then \
+			continue ; \
+		fi ; \
+		if echo -n "$$zone" | grep -q -E '(sc-eur.com|db.root|named.dump|named.stats)'; then \
+			continue; \
+		fi; \
+		if ! named-checkzone -q -i "full" $$zone $$file; then \
+			named-checkzone -i "full" $$zone $$file; \
+			echo "FIX THE ERROR AND TRY AGAIN"; \
+			exit 1 ; \
+		fi; \
+	done
+
+#@echo "Checking CNAMEs and PTRs... "
+#@grep -l -E '.*(PTR|CNAME).*[^.]*[.][^.]*[^.]$$' *.* \
+#| grep -v '\.sh$$' \
+#| while read file; do \
+#	echo "$$file: DO NOT FORGET THE LAST DOT"; \
+#	grep -E '.*(PTR|CNAME).*[^.]*[.][^.]*[^.]$$' $$file; \
+#	exit 1 ; \
+#done
+
+reload:
+	@while [ "$$answer" = "" ]; do \
+		echo -n "Do you want to reload all zones ? [yes] "; \
+		read answer; \
+		case $$answer in \
+			[Yy]|[Yy][Ee][Ss]) \
+				answer="yes"; \
+				break; \
+				;; \
+			[Nn]|[Nn][Oo]) \
+				answer="no"; \
+				break; \
+				;; \
+			"") \
+				answer="yes"; \
+				break; \
+				;; \
+			*) \
+				answer=""; \
+				;; \
+		esac; \
+	done; \
+	if [ "$$answer" = "yes" ]; then \
+		etckeeper commit "Changed DNS Zones: $(CHANGED)" ; \
+		rndc reload;  \
+	else \
+		echo "Server reload aborted"; \
+		exit 1 ; \
+	fi
+
+eof:
+	@echo "DONE -- That's all folks!"

resources/chaosknoten/auth-dns/zones/ccchh.net.zone

@@ -0,0 +1,72 @@
+$ORIGIN .
+$TTL 900	; 15 minutes
+ccchh.net		IN SOA	ns1.ccchh.net. noreply.ccchh.net. (
+				2026042801 ; serial
+				86400      ; refresh (1 day)
+				7200       ; retry (2 hours)
+				3600000    ; expire (5 weeks 6 days 16 hours)
+				7200       ; minimum (2 hours)
+				)
+			NS	ns.vie.ccc.de.
+			NS	ns.hamburg.ccc.de.
+$ORIGIN ccchh.net.
+aes			A	212.12.48.125
+club-assistant		AAAA	2a07:c481:1:d0::a
+;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de
+club-assistant.z9	AAAA	2a07:c481:1:d0::a
+;_acme-challenge.club-assistant.z9 CNAME 0efa74d1-7dcd-478b-bdc5-5b76d0f07642.auth.acmedns.hamburg.ccc.de
+esphome			AAAA	2a07:c481:1:d0::66
+esphome.z9		AAAA	2a07:c481:1:d0::66
+zigbee2mqtt		A	185.161.129.132
+light			AAAA	2a07:c481:1:d0::16
+_acme-challenge.light	CNAME	e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de.
+light.z9		AAAA	2a07:c481:1:d0::16
+_acme-challenge.light.z9 CNAME	3bc9e7ce-03dd-4533-a059-b5d38407eaa5.auth.acmedns.hamburg.ccc.de.
+light-werkstatt		AAAA	2a07:c481:1:d0::16
+_acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de.
+mailserver-endpoint	A	82.165.121.46
+ns1			A	185.161.129.133
+send-only-mail		MX	10 send-only-mailserver
+			TXT	"v=spf1 mx -all"
+send-only-mailserver	A	82.165.121.46
+send-only-mailserver-access A	185.161.129.132
+thinkcccore0		AAAA	2a07:c481:1:f2::3
+thinkcccore0.z9		AAAA	2a07:c481:1:f2::3
+thinkcccore1		AAAA	2a07:c481:1:f2::4
+thinkcccore1.z9		AAAA	2a07:c481:1:f2::4
+opnsense		AAAA	2a07:c481:1:f2::1
+opnsense.z9		AAAA	2a07:c481:1:f2::1
+pbs			AAAA	2a07:c481:1:f2::4
+thinkcccore2		AAAA	2a07:c481:1:f2::5
+thinkcccore2.z9		AAAA	2a07:c481:1:f2::5
+thinkcccore3		AAAA	2a07:c481:1:f2::6
+thinkcccore3.z9		AAAA	2a07:c481:1:f2::6
+miniscccore0		AAAA	2a07:c481:1:f2::9
+miniscccore0.z9		AAAA	2a07:c481:1:f2::9
+uptime-kuma		A	185.161.129.132
+status			AAAA	2a07:c481:1:ce::a
+status.z9		AAAA	2a07:c481:1:ce::a
+wiki			A	212.12.48.125
+hmdooris-ccu		A	10.31.208.202
+buba			A	10.31.211.137
+buba.z9			A	10.31.211.137
+dooris			AAAA	2a07:c481:1:d0::1c
+_acme-challenge.dooris	CNAME	37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de
+waybackproxy		A	10.31.208.99
+yate			A	10.31.208.12
+staubiv2		A	10.31.210.233
+staubiv2.z9		A	10.31.210.233
+; Mail: hosts.z9.ccchh.net
+hosts.z9			MX	10 cow.hamburg.ccc.de
+				TXT	"v=spf1 mx -all"
+dkim._domainkey.hosts.z9	TXT	("v=DKIM1;k=rsa;t=s;s=email;"
+	"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsdypQ/tlrzto5KVP"
+	"5o7tEblXK/hOVRFB683uODzo26XTFMSRGjumMuo/tej59GMePdUu0uIsdq8hfj8"
+	"ot0R2OQNazdyp4NW4TUWfFGJ4S2f6LR3lE3I5Lw7fHiYHz0GnCGTqZIItkHK+xQ"
+	"i5Fdhwd1YbFJtO0XiZ0jY5w6pvny6pEH8WaKX85rEmz2zqCtpiYPRPmoK/Tn+rV"
+	"2e8fVioMRm9W8E4PU42WLds66qOkFR0KjKIavE6y7JahESEoVGcVnSPdtMOX0Ln"
+	"KbSMQNrTvNbBoPdLYvNaXOw7TmVPKjDV+FRCIIdK+m0fL82/vm5jPBvDr5+WlM1"
+	"xV/P/KlSnQIDAQAB")
+$ORIGIN send-only-mail.ccchh.net.
+_dmarc			TXT	"v=DMARC1;p=quarantine;"
+key._domainkey		TXT	"v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqduM4+SQ+IQ2uAxbjFkd+0hAjohTgT3nM76jyrWGHJ8TizNU2PGkta0NjCq+m9VLBZUjIJphW2vrnlJsnN0JkGAdoLBL3Qs0kShT6V+xsxslZG2KHApihnJUp34tPSMES+aTnD+jEPGyxFLeoiK+3gywNhCGalHSQ+G88Z2n59wIDAQAB"

resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone

@@ -0,0 +1,27 @@
+$TTL 7200
+
+@               IN      SOA     ns.hamburg.ccc.de. mail.hamburg.ccc.de. (
+		2025021101
+                10800
+                3600
+                3600000
+                86400 )
+
+		IN	NS	ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+		IN	MX	5 nomail.ccc.de.
+		;IN	MX	10 local-mail.hamburg.ccc.de.
+		IN	MX	10 vworker02.irz42.net.
+		IN	MX	23 nomail2.ccc.de.
+		IN	MX	42 nomail3.ccc.de.
+
+		IN	TXT	"v=spf1 mx ip4:144.76.16.19/32 ip4:212.12.51.133/32 ip6:2a01:4f8:191:331::2/128 ip6:2a00:14b0:f000:23:51:133:0:1/128 ~all"
+
+		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+
+localhost	IN	A	127.0.0.1
+
+*		IN	CNAME	@
+www		IN	CNAME	@

resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone

@@ -0,0 +1,45 @@
+$TTL 600
+
+@               IN      SOA     ns.hamburg.ccc.de. mail.hamburg.ccc.de. (
+		2026033101
+                10800
+                3600
+                3600000
+                86400 )
+
+		IN	NS	ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+
+		IN	MX	10 cow.hamburg.ccc.de.
+;autodiscover	IN	CNAME	cow.hamburg.ccc.de.
+;_autodiscover._tcp	IN	SRV	10 cow.hamburg.ccc.de. 443
+;autoconfig	IN	CNAME	cow.hamburg.ccc.de
+
+		IN	TXT	"v=spf1 mx ip4:144.76.16.19/32 ip4:212.12.51.133/32 ip6:2a01:4f8:191:331::2/128 ip6:2a00:14b0:f000:23:51:133:0:1/128 ~all"
+;_dmarc		IN	TXT	**TODO**
+
+dkim._domainkey	IN	TXT	( "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhk"
+	"iG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqoWo7mbis3REqBURP3ZQZwOY7RSsS7"
+	"TY9eFHvW/O83YseEHoIQmeKkHj1lRrP+6Jhow2XngveBzt/m5AQclLVMURt5"
+	"2zsLCtiXxOYMLIIAgFOfxGjMdfqh9+X0wuOqHgoZiP2uBfAWLKfV/CZcovI/"
+	"0d2d7vQvc+7PJwZ9htoIu3NesasOFsrhv1yfFJidC87focQdaVKfD9cF68/w"
+	"2Ri2TGzcSQHAiIxJq3MgawSJZiyVD+psZdzZDB1YIw8NJxmDskzFicTLrYyH"
+	"8XOf5f5lOWjRYrfe0H8sAe1NBb/OP2T7Qs3S9DQosMSPwyALC3FPZKsVMbtI"
+	"mr8F+J+M/H9QIDAQAB" )
+
+localhost	IN	A	127.0.0.1
+
+intern		IN	A	172.31.17.212
+cfp		IN	CNAME	public-reverse-proxy.hamburg.ccc.de.
+_acme-challenge.cfp	CNAME	295a66d4-1d71-49f3-a80a-1f7527ec9cca.auth.acmedns.hamburg.ccc.de.
+netbox		IN	CNAME	public-reverse-proxy.hamburg.ccc.de.
+presale		IN	A	78.47.203.122
+		IN	AAAA	2a01:4f8:1c17:b147::2
+pretix		IN	A	78.47.203.122
+		IN	AAAA	2a01:4f8:1c17:b147::2
+engel		IN	A	167.235.129.15
+		IN	AAAA	2a01:4f8:1c1b:e967::1
+radius		IN	A	94.45.254.130

resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone

@@ -0,0 +1,590 @@
+; es wird jetzt der hostname mail.hamburg.ccc.de nicht mehr
+; verwendet, sondern statt dessen local-mail.hamburg.ccc.de
+; die popeye fuehlt sich immer noch unter mail.hamburg.ccc.de
+; angesprochen, und nimmt daher keine mails mit absender-adressen
+; die sie nicht kennt an.
+; ich hoffe diese aenderung arbeitet um diesen bug herum.
+; - haegar 2001.11.14
+
+$TTL 7200
+@               IN      SOA     ns.hamburg.ccc.de. haegar.ccc.de. (
+		2026042903
+                10800
+                3600
+                3600000
+                86400 )
+
+		IN	NS	ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+$TTL 60
+		IN	MX	10 cow.hamburg.ccc.de.
+;		IN	MX	10 local-mail.hamburg.ccc.de.
+$TTL 7200
+		IN	TXT	"v=spf1 mx ip4:212.12.51.133 ip6:2a00:14b0:f000:23:51:133:0:1 ip4:212.12.48.122 ip6:2a00:14b0:4200:3000:122::1 -all"
+
+		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+
+dkim._domainkey	IN	TXT ("v=DKIM1;k=rsa;t=s;s=email;"
+	"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4wZRajtsQTrVgXco7"
+	"1E2T+UDRxzzXJ+0F7m1UHiPpsjGQJ4Njs4Zc6qC21FLxhUIRFURy9mZ2mGk6hnL"
+	"w6wi0xm0N3MOH8BG/omPfWJcH4C1XXMk6trYSjhKQb4FzNbusAFoldIdwtt/aa/"
+	"GJBvRD+XYulvuyqolD2SGY62tAiXqls4ik2ZiDrIv+Dglg8b8fD4kzqe/aXlUvD"
+	"j3hCMHmyjE8mn8lYnS0QfSnV8NlqKwOhF+iwqfrhMI2bZFCQ+td03RtQjaXw5W+"
+	"30NMcOv6Se4vPDl4nUIBJZ/wP3CBz1k66VShHB+un7SxoUQuW0+oDqN4QHH338b"
+	"2dDOoBJndwIDAQAB")
+_dmarc		IN	TXT	"v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarc-report@hamburg.ccc.de;ruf=mailto:dmarc-report@hamburg.ccc.de;ri=86400;aspf=r;adkim=r;fo=1"
+
+
+;_sip._udp	IN	SRV	10 0 5060 vermittlung
+;_sip._tcp	IN	SRV	10 4 5060 vermittlung
+;_sips._tcp	IN	SRV	10 4 5060 vermittlung
+
+_xmpp-client._tcp IN    SRV     10 0 5222 jabber
+_xmpp-server._tcp IN    SRV     10 0 5269 jabber
+_xmpp-client._tcp.jabber IN SRV 10 0 5222 jabber
+_xmpp-server._tcp.jabber IN SRV 10 0 5269 jabber
+
+localhost	IN	A	127.0.0.1
+
+dante._domainkey	IN	TXT	( "v=DKIM1;k=rsa;t=s;s=email;"
+	"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzMLFoEXbD/IgP6TIz2KDZudbnYtcJ4QjdWiwEP5NMvugymzDCiLaKTwNUFycKA1TvW0Y7/x0EEgqcSjfV87GU8xs6qsArgbQWBCs9gPBInbA8LBX9RN/JX30pESh+jGfdNWl7mWkkyVuONUgy/vFHWswJZ72Lg96gyBBCAR1ABC7qM8PYjoFFlRR76PfZNV8YHRBM/1ypQthtjPf"
+	"NKhV8MksNIXPKhcQwy6/JAVpkUunVpOrsuf2K6RFVMrVNUEtEYkpZUPtnoTYwaB0rRLg0f+InHzKZx2uv6JexyWZOwxsv8Bv1I+jdiEkQMw9kORZ81sv2mcUO+0PubeYVpvWAwIDAQAB" )
+hansenerd._domainkey    IN      TXT     ( "v=DKIM1; k=rsa; "
+        "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlxTgmc5Fe2aQc5razQYlk3OBGNePuevJQ7YVp5j5IM0ukBLM1erTR6DLZZvoGd2puKvfjlvejR3GRY4YXeZkCJoS0ZjwpR3Tfy8PzUbPNMt5e/buHGK1v+9E9zrl4vrxgYYYlYqjl1HF1K9oE5yPI1AIeUxzZpduheJASlxr9VwIDAQAB" ) ;
+
+
+; VMWare ESXi Host:
+worker		IN	A	212.12.48.123
+worker-ipmi	IN	A	212.12.51.136
+; Proxmox Host:
+chaosknoten	IN	A	212.12.48.126
+		IN	AAAA	2a00:14b0:4200:3000::126:1
+;chaosknoten-ipmi IN	A	212.12.51.137; unused public IP
+chaosknoten-ipmi	IN	A	44.128.124.4
+
+; DMZ-Server:
+dmz-net		IN	A	212.12.50.208
+
+turing		IN	A	212.12.48.122
+		IN	AAAA	2a00:14b0:4200:3000:122::1
+		IN	MX	10 cow.hamburg.ccc.de.
+turing-chaosvpn	IN	AAAA	2001:6f8:126f:11::3
+		IN	A	172.31.17.1
+turing-vpn	IN	CNAME	turing-chaosvpn
+turing-vpngw	IN	A	212.12.48.122
+		IN	AAAA	2a00:14b0:4200:3000:122::1
+turing-vzhost	IN	A	172.31.17.1
+		IN	AAAA	2a00:14b0:4200:3000:122::1
+		IN	MX	10 cow.hamburg.ccc.de.
+turing-vzhost2	IN	CNAME	turing-vzhost
+turing-router	IN	A	172.31.17.129
+
+turing-new	IN	A	172.31.17.132
+
+oldturing	IN	A	172.31.17.122
+		IN	AAAA	2a00:14b0:f000:23::122
+		IN	MX	10 cow.hamburg.ccc.de.
+turing-intern	IN	CNAME	oldturing
+turing-intern2	IN	A	172.31.17.142
+		IN	AAAA	2a00:14b0:f000:23::122
+
+ns		IN	A	212.12.48.122
+		IN	AAAA	2a00:14b0:f000:23::53
+		IN	MX	10 cow.hamburg.ccc.de.
+ns-intern	IN	A	172.31.17.53
+		IN	AAAA	2a00:14b0:f000:23::53
+ns-intern2	IN	A	172.31.17.153
+		IN	AAAA	2a00:14b0:f000:23::53
+
+vpn		IN	A	212.12.48.122
+		; ipv4 only!
+www.vpn		IN	CNAME	vpn
+cvpn-dns	IN	A	172.31.0.5
+chaosvpn-dns	IN	A	172.31.17.136
+
+turing-db	IN	A	172.31.17.135
+		IN	MX	10 cow.hamburg.ccc.de.
+
+jabber		IN	A	212.12.48.122
+		IN	AAAA	2a00:14b0:f000:23::26
+		IN	MX	5 nomail.ccc.de.
+		IN	MX	10 cow.hamburg.ccc.de.
+jabber-intern	IN	A	172.31.17.134
+		IN	AAAA	2a00:14b0:f000:23::26
+		IN	MX	5 nomail.ccc.de.
+		IN	MX	10 cow.hamburg.ccc.de.
+
+gitlab		IN	A	212.12.48.122
+		IN	AAAA	2a00:14b0:4200:3000:122::1
+		; ipv6 also has DNAT rules
+gitlab-intern	IN	A	172.31.17.133
+		IN	AAAA	2a00:14b0:f000:23::133
+		IN	MX	5 nomail.ccc.de.
+		IN	MX	10 cow.hamburg.ccc.de.
+
+gitlab-cr	IN	CNAME	gitlab
+
+gitlab-test	IN	A	212.12.48.122
+		IN	AAAA	2a00:14b0:4200:3000:122::1
+		; ipv6 also has DNAT rules
+gitlab-test-intern	IN	A	172.31.17.138
+		IN	AAAA	2a00:14b0:f000:23::138
+		IN	MX	5 nomail.ccc.de.
+		IN	MX	10 cow.hamburg.ccc.de.
+
+gitlab-runner	IN	A	172.31.17.139
+		IN	MX	5 nomail.ccc.de.
+		IN	MX	10 cow.hamburg.ccc.de.
+
+lists		IN	A	212.12.51.132
+		IN	AAAA	2a00:14b0:f000:23:51:132:0:1
+		IN	MX	10 lists
+		IN	TXT	"v=spf1 mx -all"
+dkim._domainkey.lists	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; "
+	"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvNlbGPBluV3q3eT1C6nJ"
+	"8KuSNAx9ycTO0urNkz4In1I2srmK8qPTfqfPU7y5kjHM1oC31+LwVNiyzeIQl"
+	"cdW00DMTHfzkQAjtdDXgKG5db4Dqw+2wtZfLGvBFOSfV0RspZmSDSN6ON81dk"
+	"lVABMMOA7Vd8wwIj0ms/gb/+AB0IQIDAQAB" )
+ccchoir-intern		IN	A	172.31.17.156
+
+cow		IN	A	212.12.51.133
+		IN	AAAA	2a00:14b0:f000:23:51:133:0:1
+		IN	MX	10 cow
+cow-intern	IN	A	172.31.17.201
+auth-dns        IN      A       212.12.48.124
+auth-dns        IN      AAAA    2a00:14b0:4200:3000:124::1
+
+cowtest		IN	MX	10 cow
+		IN	TXT	"v=spf1 mx -all"
+dkim._domainkey.cowtest	IN	TXT	("v=DKIM1;k=rsa;t=s;s=email;p="
+	"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy5aAMRgFdGdG+Ewmn"
+	"OZb8gdCjSSoFjTxu/GW9edVWU0zsRRQT9r6oF82Cn05jEKNra3D8tE48jBaDQ"
+	"GOAFa4BgjxiIfP/D36CaN2JT5sno3faSBkqaKoBG0zRD2UsNj/ROfHB844BOf"
+	"AUt4KFMMHUfO03Gu6ps9nq/QBsrR5Iq6sMv9WiftKjh4twS4S+Wz7ZXymY3yd"
+	"jRLI8r48pASg6IoiByV8kR3r7OZw9dzmNgbTCOEyKaicB4KJDjgJvQut8af8g"
+	"sYQYTCSPVqkwb5Y+yJNKhQmsYBwUX23x5Yng2gDBY/pjGeWl28SxdGhm8C23a"
+	"0wVCz4kQGNvcULnrzifwIDAQAB")
+_autodiscover._tcp.cowtest	IN	SRV	0 1 443 cow
+_caldavs._tcp.cowtest	IN	SRV	0 1 443 cow
+_caldavs._tcp.cowtest	IN	TXT	"path=/SOGo/dav/"
+_carddavs._tcp.cowtest	IN	SRV	0 1 443 cow
+_carddavs._tcp.cowtest	IN	TXT	"path=/SOGo/dav/"
+_imap._tcp.cowtest	IN	SRV	0 1 143 cow
+_imaps._tcp.cowtest	IN	SRV	0 1 993 cow
+_pop3._tcp.cowtest	IN	SRV	0 1 110 cow
+_pop3s._tcp.cowtest	IN	SRV	0 1 995 cow
+_sieve._tcp.cowtest	IN	SRV	0 1 4190 cow
+_smtps._tcp.cowtest	IN	SRV	0 1 465 cow
+_submission._tcp.cowtest	IN	SRV	0 1 587 cow
+
+
+mail		IN	A	212.12.48.122
+		IN	MX	10 cow.hamburg.ccc.de.
+local-mail	IN	A	172.31.17.201 ; make hosts with relayhost=local-mail work
+;local-mail	IN	A	212.12.48.122
+;		IN	AAAA	2a00:14b0:f000:23::122
+;		IN	MX	10 cow.hamburg.ccc.de.
+
+jitsi-old	IN	A	49.12.8.103
+		IN	AAAA	2a01:4f8:c17:392f::1
+jitsi		IN	A	212.12.51.139
+		IN	AAAA	2a00:14b0:f000:23:51:139:0:1
+
+mumble		IN	A	212.12.51.141
+		IN	AAAA	2a00:14b0:f000:23:51:141:0:1
+
+
+id		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+keycloak-admin	IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+invite		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+id		IN	MX	10 cow
+		IN	TXT	"v=spf1 mx -all"
+dkim._domainkey.id	IN	TXT	("v=DKIM1;k=rsa;t=s;s=email;p="
+	"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx6wcQjo7qgb1CMOv5"
+	"6odc7Ef8rocu3bv3JKBIqL/msuoEFOiXGpPZrwcWQJc7lS5tLTxR5XuP02D3D"
+	"Vif+8D3R8YzLsNMdLZ5moQacdJK2OFFiet2G3kWjBdKH1em9FwMa0MBWlk6LR"
+	"YWRgsByFBMNIItwkBmqmNrmrPRneRprLYQCf34McDmkzpzUpFdF5sgmbmDpdX"
+	"genmqXgBopvmnTeXa+kQnoVgrMyWE41zdWaXrDAtoYye3e31j0Nxhnfg+I7vO"
+	"XPfmatTH7yieDaLG+3kHjbA3WFyAkb/ZAqZaFM8k6cQJEZb7jDzdKlm1fuPrk"
+	"YUrfZ1V3pglzdm0QbM4wIDAQAB")
+
+aes-intern	IN	A	172.31.17.145
+tickets-intern	IN	A	172.31.17.148
+grafana-intern	IN	A	172.31.17.145
+loki-intern	IN	A	172.31.17.145
+eh22-netbox-intern	IN	A	172.31.17.166
+sunders-intern	IN	A	172.31.17.170
+renovate-intern	IN	A	172.31.17.171
+netbox-intern	IN	A	172.31.17.167
+matrix-intern	IN	A	172.31.17.150
+; have this for compatibility (like references in CI)
+public-web-static-intern      	IN      AAAA    2a00:14b0:42:102::17
+pretalx-intern	IN	A	172.31.17.157
+zammad-intern	IN	A	172.31.17.152
+nixos-template-intern	IN	A	172.31.17.200
+git-intern	IN	A	172.31.17.154
+forgejo-actions-runner-intern	IN	A	172.31.17.155
+nix-box-june-intern	IN	A	172.31.17.158
+woodpecker-intern	IN	A	172.31.17.160
+mjolnir-intern	IN	A	172.31.17.161
+mjolnir-ng-intern	IN	A	172.31.17.169
+penpot-intern	IN	A	172.31.17.162
+penpot-ng-intern	IN	A	172.31.17.168
+hydra-intern	IN	A	172.31.17.163
+forgejo-runner-builder	IN	A	172.31.17.202
+renovate-forgejo	IN	A	172.31.17.163
+ansible-testing-intern	IN	A	172.31.17.164
+ntfy-intern	IN	A	172.31.17.149	
+status		IN	AAAA	2a00:14b0:f001:100::fd
+status		IN	A	212.12.50.253
+design	IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+		IN	MX	10 cow
+		IN	TXT	"v=spf1 mx -all"
+dkim._domainkey.design	IN	TXT	("v=DKIM1;k=rsa;t=s;s=email;p="
+	"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtod7q+mkIcZFe512v"
+	"jzXF0UfGmo8R6UxeJ/MCi/qjjN+sSqn4dohQx3NBhK3UF9/8Ze7FT5znTxeWj"
+	"Ks+le/dSS4CKxjSFAV1FjcaAqrUaxO1V8+fxcUSVzAQZXUVyNqqv+SAFUVJSE"
+	"3zZIuJim4F1HVVLvwbLJZ450ns8KQ7n3RNY2+mqQoxo8xmMg2QFOoQKlSYspC"
+	"TRTV4LM/n5Jm7Mm1F5DwJ+7Ie9s/WvTWKKKUExmoa5SNheGcfybC+sqnJu7L0"
+	"F5dWFwk0zzQDcVSY2m9qFWPEuO2fZmiB4IoG4yXkooSY2sH9Z8eX2+6i3k/ub"
+	"qx58Mav6VlkTxsOAdbbQIDAQAB")
+hydra		IN	A	212.12.48.125
+regio-stage	IN	A	212.12.51.142
+			AAAA	2a00:14b0:f000:23:51:142:0:1
+
+public-reverse-proxy	IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+public-reverse-proxy-intern	IN	A	172.31.17.140
+router		IN	A	212.12.48.123
+
+rproxy		IN	A	212.12.48.122
+		IN	AAAA	2a00:14b0:4200:3000:122::1
+		IN	MX	10 cow.hamburg.ccc.de.
+rproxy-intern	IN	A	172.31.17.180
+		IN	AAAA	2a00:14b0:f000:23::80
+		IN	MX	10 cow.hamburg.ccc.de.
+
+bildungsurlaub	IN	CNAME	rproxy
+doku		IN	CNAME	rproxy
+test		IN	CNAME	rproxy
+www.test	IN	CNAME	rproxy
+eh2003		IN	CNAME	public-reverse-proxy
+www.eh2003	IN	CNAME	public-reverse-proxy
+easterhegg2003	IN	CNAME	public-reverse-proxy
+www.easterhegg2003 IN	CNAME	public-reverse-proxy
+eh2005		IN	CNAME	public-reverse-proxy
+www.eh2005	IN	CNAME	public-reverse-proxy
+easterhegg2005	IN	CNAME	public-reverse-proxy
+www.easterhegg2005 IN	CNAME	public-reverse-proxy
+eh2007		IN	CNAME	public-reverse-proxy
+www.eh2007	IN	CNAME	public-reverse-proxy
+eh07		IN	CNAME	public-reverse-proxy
+www.eh07	IN	CNAME	public-reverse-proxy
+easterhegg2007	IN	CNAME	public-reverse-proxy
+www.easterhegg2007 IN	CNAME	public-reverse-proxy
+eh2009		IN	CNAME	public-reverse-proxy
+www.eh2009	IN	CNAME	public-reverse-proxy
+eh09		IN	CNAME	public-reverse-proxy
+www.eh09	IN	CNAME	public-reverse-proxy
+easterhegg2009	IN	CNAME	public-reverse-proxy
+www.easterhegg2009 IN	CNAME	public-reverse-proxy
+eh2011		IN	CNAME	public-reverse-proxy
+www.eh2011	IN	CNAME	public-reverse-proxy
+eh11		IN	CNAME	public-reverse-proxy
+www.eh11	IN	CNAME	public-reverse-proxy
+easterhegg2011	IN	CNAME	public-reverse-proxy
+www.easterhegg2011 IN	CNAME	public-reverse-proxy
+eh20		IN	CNAME	public-reverse-proxy
+
+oldwiki	IN	CNAME	rproxy
+nonpublic.wiki	IN	CNAME	rproxy
+www.nonpublic.wiki IN	CNAME	rproxy
+planet		IN	CNAME	rproxy
+www.planet	IN	CNAME	rproxy
+chaos-macht-schule IN	CNAME	rproxy
+www.chaos-macht-schule IN CNAME rproxy
+
+branding-resources	IN	CNAME public-reverse-proxy
+element		IN	CNAME	public-reverse-proxy
+matrix		IN	CNAME	public-reverse-proxy
+mas		IN	CNAME	public-reverse-proxy
+element-admin	IN	CNAME	public-reverse-proxy
+netbox		IN	CNAME	public-reverse-proxy
+woodpecker	IN	CNAME	public-reverse-proxy
+onlyoffice	IN	CNAME	public-reverse-proxy
+pad		IN	CNAME	public-reverse-proxy
+pretalx		IN	CNAME	public-reverse-proxy
+spaceapi	IN	CNAME	public-reverse-proxy
+staging		IN	CNAME	public-reverse-proxy
+wiki		IN	CNAME	public-reverse-proxy
+www		IN	CNAME	public-reverse-proxy
+ntfy		IN	CNAME	public-reverse-proxy
+sunders		IN	CNAME	public-reverse-proxy
+spaceapiccc	IN	CNAME	public-reverse-proxy
+acmedns		IN	CNAME	public-reverse-proxy
+cpuccc		IN	CNAME	public-reverse-proxy
+did		IN	CNAME	public-reverse-proxy	
+
+
+auth.acmedns	IN	NS	acmedns.hosts.hamburg.ccc.de.
+
+git		IN	A	212.12.51.136
+		IN	AAAA	2a00:14b0:f000:23:51:136::1
+git		IN	MX	10 cow
+		IN	TXT	"v=spf1 mx -all"
+dkim._domainkey.git	IN	TXT	("v=DKIM1;k=rsa;t=s;s=email;p="
+	"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsUGmKDns/qokxyz2u"
+	"lcyKIcs/S+zf+0wHCfhSOK4lLnws8U/wIny5FAW3zM/7TliqIftzZ2B0Cz8W6"
+	"YvmtgLyKqBzvCSG0dNYyy9TVeGM4HyrmLBbUkQdGGQwmoJTnCe9gT9z6GO9k2"
+	"uFfHJsk/iffU75x9iXqLXPGL/CGmLKuBmkYGda2rQ9ATUIpQhIxnerZvVc3RA"
+	"qwD8/pYvMLOqvCStVHM5Zi+j1Jr0BC8mxU8pIY6rfOVt+h/V3wh0F6dL0z9nw"
+	"ZhDE53K8frGp2CC5dW/A37FrfMJv+ODw2tX8EdyL2hDBshBQ4r8WiYJTtIMPL"
+	"50A9UzZndyiLAHoeLrZQIDAQAB")
+hackertours	IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+		MX	10 cow.hamburg.ccc.de.
+		IN	TXT	"v=spf1 mx -all"
+dkim._domainkey.hackertours	IN	TXT ("v=DKIM1;k=rsa;t=s;s=email;"
+	"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnG5J6rMvbOy7mmV4mKfN"
+	"7SSrtxKP/jI0XWwO2njO3jM6DkAGDpmRH69B5sOW/53/yg7MMdGytGfNAk61YJknP+"
+	"NGZNSk7F2p2aB+zoksLVcIKdY1YwicYS7l6Q7qWBfv8ctmGTzcwO0UEAizD6xdINN8"
+	"YmhHorgnxR3HbHeUmaxIe4WM2wWRYiD+9tpY1f0O/NEEoHxmFecRhU9SVmuhLgiOyF"
+	"AWpPYBMOsKEHoKREENc+4VBj6H2GYTKIs+dYKDNEmVVdnRkgtAVO3FrjCkedBJ7RbR"
+	"RNHIqdt9u8AF+Vrs1Oq72ZQrNVR0ezEyBScJaxy5JphvBWkMSYSoDpvXLwIDAQAB")
+staging.hackertours	IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+grafana		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+tickets		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+zammad		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+
+loki		IN	CNAME	grafana.hosts
+metrics		IN	CNAME	grafana.hosts
+
+; attraktor openvz vm
+attraktor	IN	A	172.31.17.14
+		IN	AAAA	2a00:14b0:f000:23:48::14
+		IN	MX	10 cow.hamburg.ccc.de.
+attraktor-intern IN	A	172.31.17.14
+		IN	AAAA	2a00:14b0:f000:23:48::14
+		IN	MX	10 cow.hamburg.ccc.de.
+attraktor-intern2 IN	A	172.31.17.137
+		IN	MX	10 cow.hamburg.ccc.de.
+
+erfafoo		IN	A	212.12.51.138
+		IN	AAAA	2a00:14b0:f000:23:50:210::1
+		IN	MX	10 cow.hamburg.ccc.de.
+local		IN	CNAME	erfafoo
+lokal		IN	CNAME	erfafoo
+
+; fuer vollkorn:
+;webfoo		IN	A	212.12.51.138
+;		IN	AAAA	2a00:14b0:4200:3380:138::1
+;		IN	MX	5 nomail.ccc.de.
+;		IN	MX	10 cow.hamburg.ccc.de.
+
+; chaos macht schule server
+cms		IN	A	212.12.51.131
+www.cms		IN	CNAME	cms
+schule		IN	CNAME	cms
+www.schule	IN	CNAME	cms
+
+; Firewall:
+ovpn		IN	A	212.12.48.122
+fwhh-v6		IN	A	212.12.50.214
+
+; (irc) nat ip
+chaoscafe	IN	A	212.12.50.209
+
+cloud		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+cloud		IN	MX	10 cow
+		IN	TXT	"v=spf1 mx -all"
+dkim._domainkey.cloud	IN	TXT	("v=DKIM1;k=rsa;t=s;s=email;p="
+	"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvr7XIfOFt99cdEKeP"
+	"Qhz7miwN2tIZF+imJ3p/r/kam0TKN5pbRMDK0HH4Jl8ksBDozXrLo+U71TX+m"
+	"XBBeNca4QSfmJh6cAesibf4v/6ssGBdQR7efc2b3dFvZS5/qdS7oLYqYbGpuv"
+	"aUB0gzhatrAR0i6HdtXrsJxGemda4WvZXaPLPwcWByHLZsHQUbaD3doZOJGXI"
+	"7+HQs9BuDo4PKQs1/mE5BEWQ0ISEKZ4bk1p8U0ZsfcdQ8o9X53Tj+JxvJHgxi"
+	"h7yHMr4y9hCOAkvZTFZ/Z/r3KU+N+t9NrVYm995KEernSxE3MXYIsdaFKBDvX"
+	"Xq837yzJmv7D9S9We3YwIDAQAB")
+; Mail: hosts.hamburg.ccc.de
+hosts		IN	MX	10 cow
+		IN	TXT	"v=spf1 mx -all"
+dkim._domainkey.hosts	IN	TXT	("v=DKIM1;k=rsa;t=s;s=email;p="
+	"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyFnskyCW0420D+5PA"
+	"L6cKmPoZR2nrPaMPiJl0+DbDhnsLdXtt3cKZkAin2GYQRvZJvlcJ3JFkFljmQ"
+	"sZk7BJ02rV7S79DgeFhKMzjE0p/GaMBSdzDZJQEVkKhEK+KBbSfaZ0FM/4Qh0"
+	"beI26kBgbR6bc+SGdB7+LB2JLPxr5ipP0gJ7RtE+QWIoDaU0e9dSYhucJ4A4k"
+	"RMs3ECvcCVgsyhRPJahs8tzbKjhnp956ru6Jda3Yo/ubhy4AztP/7ZQayCv/W"
+	"06PfZNo/i2711F98L2ATQaDsOCKWhpskyrCRcR1nTWNSL7qYhOPD1hZonsd5I"
+	"f5WwrR4meWD3wmXbX29wIDAQAB")
+; Mail: hosts-external.hamburg.ccc.de
+external-hosts	IN	MX	10 cow
+		IN	TXT 	"v=spf1 mx -all"
+dkim._domainkey.external-hosts	IN	TXT	("v=DKIM1;k=rsa;t=s;s=email;p="
+	"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkfdJvL7Tpdw6JLkuU"
+	"nOLwtxojWZ5Xq6rLDK3EzrX2Tyeq03nqgQuI3ruHgodHb1D7sieU61x30+g7y"
+	"8HnjrN1bfH1iQJUzEOCgOWHwQEbLdbQxcazmbEdowBuA0VuYrXL2tcCFJwdcZ"
+	"MKZAyuba7leeRgSngZJnesT7aaGvZSuzLa1/KaW4MRbOOmy5LlukBC3EZBpWn"
+	"/dL73spDajlDx4VRMUpZQq/PAoPPwCFdw/HNnzxBYBIdVloeJx91qBRaNyUIb"
+	"C/to8YSDVi2aMHiXhTBfoNd1VcxjlBYWqEZtdUhecUjwmbbAO4f0ECO4bs0Yz"
+	"d/EgJB70ry1quA0MqgZQIDAQAB")
+
+; for thw:
+orga		IN	A	212.12.51.130
+		IN	MX	23 nomail.ccc.de.
+		IN	MX	42 orga
+
+shellhost	IN	A	212.12.51.140
+		IN	AAAA	2a00:14b0:f000:23:51:140:0:1
+		IN	MX	5 nomail.ccc.de.
+		IN	MX	10 cow.hamburg.ccc.de.
+shells		IN	CNAME	shellhost
+
+; chaos vpn-hub on haegars hetzner machine
+vpnhub1		IN	A	136.243.3.60
+		IN	MX	5 nomail.ccc.de.
+		IN	MX	10 mail.sdinet.de.
+vpnhub1.ipv4	IN	A	136.243.3.60
+vpnhub1-intern	IN	A	172.31.2.1
+
+; special
+ccchh		IN	MX	5 nomail.ccc.de.
+		IN	MX	10 cow.hamburg.ccc.de.
+
+office		IN	CNAME	office.hh.ccc.de.
+officemail	IN	CNAME	officemail.hh.ccc.de.
+
+template	IN	A	172.31.17.199
+		IN	AAAA	2a00:14b0:f000:23::199
+		IN	MX	10 cow.hamburg.ccc.de.
+
+irc		IN	A	176.56.239.136
+		IN	AAAA	2a00:d880:8:1::1aa
+		IN	MX	5 nomail.ccc.de.
+
+;anonymizer	IN	A	192.162.102.224
+;		IN	MX	5 nomail.ccc.de.
+;		IN	MX	10 anonymizer
+;mixminion	IN	A	192.162.102.225
+;		IN	MX	5 nomail.ccc.de.
+;		IN	MX	10 mixminion
+
+cryptoparty		IN	CNAME	public-reverse-proxy
+staging.cryptoparty	IN	CNAME	public-reverse-proxy
+cryptoparty-intern 	IN	A	172.31.17.213
+
+; Freifunk Gateways
+freifunk-gw01	IN	CNAME	gw01.hamburg.freifunk.net.
+freifunk-gw02	IN	CNAME	gw02.hamburg.freifunk.net.
+freifunk-gw03	IN	CNAME	gw03.hamburg.freifunk.net.
+freifunk-gw04	IN	CNAME	gw04.hamburg.freifunk.net.
+freifunk-gw05	IN	CNAME	gw05.hamburg.freifunk.net.
+freifunk-gw06	IN	CNAME	gw06.hamburg.freifunk.net.
+freifunk-gw07	IN	CNAME	gw07.hamburg.freifunk.net.
+freifunk-gw08	IN	CNAME	gw08.hamburg.freifunk.net.
+freifunk-gw09	IN	CNAME	gw09.hamburg.freifunk.net.
+freifunk-gw10	IN	CNAME	gw10.hamburg.freifunk.net.
+freifunk-gw11	IN	CNAME	gw11.hamburg.freifunk.net.
+freifunk-gw12	IN	CNAME	gw12.hamburg.freifunk.net.
+freifunk-gw13	IN	CNAME	gw13.hamburg.freifunk.net.
+freifunk-gw14	IN	CNAME	gw14.hamburg.freifunk.net.
+freifunk-gw15	IN	CNAME	gw15.hamburg.freifunk.net.
+freifunk-gw16	IN	CNAME	gw16.hamburg.freifunk.net.
+freifunk-gw17	IN	CNAME	gw17.hamburg.freifunk.net.
+freifunk-gw18	IN	CNAME	gw18.hamburg.freifunk.net.
+freifunk-gw19	IN	CNAME	gw19.hamburg.freifunk.net.
+freifunk-gw20	IN	CNAME	gw20.hamburg.freifunk.net.
+
+fftest	IN	A	212.12.51.135
+	IN	AAAA	2a00:14b0:f000:23::135
+
+; Shellbordell
+colossus	IN	A	212.12.51.133
+
+; generic aliases
+LAN-212-12-50-208.dmz-net IN A	212.12.50.208
+ip208		IN	A	212.12.50.208
+ip209		IN	A	212.12.50.209
+ip210		IN	A	212.12.50.210
+ip211		IN	A	212.12.50.211
+ip212		IN	A	212.12.50.212
+ip213		IN	A	212.12.50.213
+ip214		IN	A	212.12.50.214
+ENDE-212-12-50-215.dmz-broadcast IN A 212.12.50.215
+ip215		IN	A	212.12.50.215
+
+; ChaosVPN
+hack		IN	NS	cvpn-dns.hack
+cvpn-dns.hack	IN	A	172.31.0.5
+
+; IPv4 Reverse DNS
+
+122.48.12.212.rdns	IN	PTR	turing.hamburg.ccc.de.
+123.48.12.212.rdns	IN	PTR	ip-48-123.hamburg.ccc.de.
+124.48.12.212.rdns	IN	PTR	ip-48-124.hamburg.ccc.de.
+125.48.12.212.rdns	IN	PTR	public-reverse-proxy.hamburg.ccc.de.
+126.48.12.212.rdns	IN	PTR	chaosknoten.hamburg.ccc.de.
+
+208.50.12.212.rdns	IN	PTR	net-12-50-212.hamburg.ccc.de.
+209.50.12.212.rdns	IN	PTR	turing.hamburg.ccc.de.
+;210.50.12.212.rdns	IN	PTR	erfafoo.hamburg.ccc.de.
+211.50.12.212.rdns	IN	PTR	ip-50-12-211.hamburg.ccc.de.
+213.50.12.212.rdns	IN	PTR	cryptoparty.hamburg.ccc.de.
+214.50.12.212.rdns	IN	PTR	ip-50-12-214.hamburg.ccc.de.
+215.50.12.212.rdns	IN	PTR	broadcast-12-15-212.hamburg.ccc.de.
+
+128.51.12.212.rdns	IN	PTR	net-12-51-128.hamburg.ccc.de.
+129.51.12.212.rdns	IN	PTR	ip-51-129.hamburg.ccc.de.
+130.51.12.212.rdns	IN	PTR	ip-51-130.hamburg.ccc.de.
+131.51.12.212.rdns	IN	PTR	cms.hamburg.ccc.de.
+132.51.12.212.rdns	IN	PTR	lists.hamburg.ccc.de.
+133.51.12.212.rdns	IN	PTR	cow.hamburg.ccc.de.
+134.51.12.212.rdns	IN	PTR	srv01.hamburg.freifunk.net.
+135.51.12.212.rdns	IN	PTR	fftest.hamburg.ccc.de.
+136.51.12.212.rdns	IN	PTR	git.hamburg.ccc.de.
+137.51.12.212.rdns	IN	PTR	ip-51-137.hamburg.ccc.de.
+138.51.12.212.rdns	IN	PTR	erfafoo.hamburg.ccc.de.
+139.51.12.212.rdns	IN	PTR	jitsi.hamburg.ccc.de.
+140.51.12.212.rdns	IN	PTR	ip-51-140.hamburg.ccc.de.
+141.51.12.212.rdns	IN	PTR	mumble.hamburg.ccc.de.
+142.51.12.212.rdns	IN	PTR	regio-stage.hamburg.ccc.de.
+143.51.12.212.rdns	IN	PTR	broadcast-12-15-128.hamburg.ccc.de.
+
+; hosts.hamburg.ccc.de
+wiki.hosts			IN	AAAA	2a00:14b0:42:102::2
+cloud.hosts			IN	AAAA	2a00:14b0:42:102::3
+eh22-wiki.hosts			IN	AAAA	2a00:14b0:42:102::4
+pad.hosts			IN	AAAA	2a00:14b0:42:102::5
+keycloak.hosts			IN	AAAA	2a00:14b0:42:102::6
+onlyoffice.hosts		IN	AAAA	2a00:14b0:42:102::7
+renovate.hosts			IN	AAAA	2a00:14b0:42:102::8
+sunders.hosts			IN	AAAA	2a00:14b0:42:102::9
+mjolnir.hosts			IN	AAAA	2a00:14b0:42:102::a
+netbox.hosts			IN	AAAA	2a00:14b0:42:102::b
+tickets.hosts			IN	AAAA	2a00:14b0:42:102::c
+zammad.hosts			IN	AAAA	2a00:14b0:42:102::d
+grafana.hosts			IN	AAAA	2a00:14b0:42:102::e
+ccchoir.hosts			IN	AAAA	2a00:14b0:42:102::f
+pretalx.hosts			IN	AAAA	2a00:14b0:42:102::10
+ntfy.hosts			IN	AAAA	2a00:14b0:42:102::11
+spaceapiccc.hosts		IN	AAAA	2a00:14b0:42:102::12
+acmedns.hosts			IN	AAAA	2a00:14b0:42:102::13
+www2.hosts                      IN      AAAA    2a00:14b0:42:102::14
+www3.hosts                      IN      AAAA    2a00:14b0:42:102::15
+diday-staging-runner.hosts      IN      AAAA    2a00:14b0:42:102::16
+public-web-static.hosts      	IN      AAAA    2a00:14b0:42:102::17
+forgejo-actions-runner.hosts   	IN      AAAA    2a00:14b0:42:102::18
+
+; acme-challenges
+_acme-challenge.sunders 	CNAME a5ee8a99-3cdf-4212-972e-c0b6fda1242f.auth.acmedns
+_acme-challenge.pretalx 	CNAME 295a66d4-1d71-49f3-a80a-1f7527ec9cca.auth.acmedns

resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone

@@ -0,0 +1,73 @@
+$TTL 7200
+
+; es wird jetzt der hostname mail.hamburg.ccc.de nicht mehr
+; verwendet, sondern statt dessen local-mail.hamburg.ccc.de
+; die popeye fuehlt sich immer noch unter mail.hamburg.ccc.de
+; angesprochen, und nimmt daher keine mails mit absender-adressen
+; die sie nicht kennt an.
+; ich hoffe diese aenderung arbeitet um diesen bug herum.
+; - haegar 2001.11.14
+
+@               IN      SOA     auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+		2024012601
+                10800
+                3600
+                3600000
+                86400 )
+
+		IN	NS	ns.hamburg.ccc.de.
+		IN	NS	ns.vie.ccc.de.
+
+		IN	MX	5 nomail.ccc.de.
+;		IN	MX	10 local-mail.hamburg.ccc.de.
+		IN	MX	23 nomail2.ccc.de.
+		IN	MX	42 nomail3.ccc.de.
+
+		IN	A	212.12.48.125
+		IN	AAAA	2a00:14b0:4200:3000:125::1
+
+localhost	IN	A	127.0.0.1
+
+
+; DMZ-Server:
+dmz-net		IN	A	212.12.50.208
+
+turing		IN	CNAME	turing.hamburg.ccc.de.
+www		IN	CNAME	www.hamburg.ccc.de.
+
+LAN-212-12-51-128 IN	A	212.12.51.128
+gate		IN	A	212.12.51.129
+END-212-12-51-143 IN	A	212.12.51.143
+
+
+; convience and email
+
+backup		IN	A	172.31.16.3
+		IN	AAAA	2001:6f8:126f:1:16:20:0:3
+;		IN	MX	5 nomail.ccc.de.
+		IN	MX	10 local-mail.hamburg.ccc.de.
+
+officemail	IN	A	172.31.17.131
+		IN	MX	5 nomail.ccc.de.
+;		IN	MX	10 local-mail.hamburg.ccc.de.
+		IN	MX	23 nomail2.ccc.de.
+		IN	MX	42 nomail3.ccc.de.
+
+orga		IN	CNAME	orga.hamburg.ccc.de.
+
+
+; Die alte World, aka popeye.crew-gmbh.de
+; Legacy-Names, do not delete
+world		IN	A	192.76.134.7
+		IN	MX	10 world
+popeye		IN	A	192.76.134.7
+		IN	MX	10 world
+uucp		IN	A	192.76.134.7
+
+; ChaosVPN
+hack		IN	NS	cvpn-dns.hack
+cvpn-dns.hack	IN	A	172.31.0.5
+
+
+; tmp test
+merz.leck.eier IN TXT "kann er mal"

resources/chaosknoten/auth-dns/zones/localhost.zone

@@ -0,0 +1,12 @@
+$ORIGIN localhost.
+$TTL 7200
+
+@			1D IN SOA	@ root (
+					42		; serial (d. adams)
+					3H		; refresh
+					15M		; retry
+					1W		; expiry
+					1D )		; minimum
+
+			1D IN NS	@
+			1D IN A		127.0.0.1

resources/chaosknoten/auth-dns/zones/old-old/ccc.zone

@@ -0,0 +1,61 @@
+$ORIGIN ccc.
+$TTL 7200
+@               IN      SOA     turing.hamburg.ccc.de. haegar.ccc.de. (
+		2002101507
+                10800
+                3600
+                3600000
+                86400 )
+
+		IN	NS	turing.hamburg.ccc.de.
+
+localhost	IN	A	127.0.0.1
+
+www		IN	A	195.21.255.248
+
+hh		IN	NS	ccchh.hh.ccc.
+		IN	NS	turing.hamburg.ccc.de.
+ccchh.hh	IN	A	192.168.16.2
+
+vpn.hh		IN	NS	turing.hamburg.ccc.de.
+
+; haegar:
+sdinet		IN	NS	ns.sdinet.ccc.
+ns.sdinet	IN	A	192.168.18.41
+
+; falk:
+valhalla	IN	NS	thor.valhalla.ccc.
+thor.valhalla	IN	A	192.168.21.1
+
+; jeedi:
+ghetto		IN	NS	semaphore.ghetto.ccc.
+semaphore.ghetto IN	A	192.168.20.2
+
+; count
+flatline	IN	NS	aleph.flatline.de.
+flatline	IN	NS	pulse.flatline.de.
+
+; thalunil (Alex Bihlmaier)
+core.kallisti	IN	A	194.122.183.51
+fnord		IN	NS	core.kallisti
+kallisti	IN	NS	core.kallisti
+
+; sz
+vogsphere	IN	A	212.12.48.51
+datenknoten	IN	A	212.12.48.49
+znet		IN	NS	datenknoten.ccc.
+sz		IN	NS	datenknoten.ccc.
+chaos		IN	NS	datenknoten.ccc.
+funk		IN	NS	datenknoten.ccc.
+presse		IN	NS	datenknoten.ccc.
+weltregierung	IN	NS	datenknoten.ccc.
+
+; migri
+migri		IN	CNAME	migri.homeip.net.
+
+; Enno
+enno		IN	CNAME	home.verbrennung.org.
+
+; Dennis
+desc		IN	NS	freya.ainex.net.
+

resources/chaosknoten/auth-dns/zones/old-old/vpn.hh.ccc.zone

@@ -0,0 +1,37 @@
+$ORIGIN vpn.hh.ccc.
+$TTL 7200
+
+@               IN      SOA     vpn.hh.ccc. haegar.ccc.de. (
+		2002101502
+                10800
+                3600
+                3600000
+                86400 )
+
+		IN	NS	turing.hamburg.ccc.de.
+
+localhost	IN	A	127.0.0.1
+
+network		IN	A	192.168.0.64
+fwhh		IN	A	192.168.0.65
+worf		IN	A	192.168.0.66
+sdinet-cut	IN	A	192.168.0.67
+migri		IN	A	192.168.0.68
+cemil		IN	A	192.168.0.69
+fw		IN	A	192.168.0.70
+fw-server	IN	A	192.168.0.71
+
+broadcast	IN	A	192.168.0.127
+
+net.znet	IN	A	192.168.23.0
+gate.znet	IN	A	192.168.23.23
+bc.znet		IN	A 	192.168.23.255
+
+net.no-maam	IN	A	192.168.24.0
+gate.no-maam	IN	A	192.168.24.1
+bc.no-maam	IN	A	192.168.24.255
+
+net.loom	IN	A	192.168.33.0
+gate.loom	IN	A	192.168.33.1
+bc.loom		IN	A	192.168.33.255
+

roles/auth_dns/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+knot__remotes: [ ]

roles/auth_dns/handlers/main.yaml

@@ -0,0 +1,19 @@
+---
+- name: restart knot
+  tags: [ auth-dns ]
+  become: true
+  ansible.builtin.systemd:
+    name: knot.service
+    state: restarted
+
+- name: reload knot zones
+  tags: [ auth-dns ]
+  become: true
+  changed_when: true
+  ansible.builtin.command: "knotc zone-reload"
+
+- name: netplan apply
+  tags: [ auth-dns ]
+  become: true
+  changed_when: true
+  ansible.builtin.command: "netplan apply"

roles/auth_dns/meta/argument_specs.yaml

@@ -0,0 +1,59 @@
+---
+argument_specs:
+  main:
+    options:
+      knot__dnssec_key_id:
+        description: The id of the TSIG key which knot will use for zone transfer signing
+        type: str
+        required: true
+      knot__dnssec_key_secret:
+        description: The secret value of the TSIG key which knot will use for zone transfer signing
+        type: str
+        required: true
+      knot__remotes:
+        description:
+          - A list of definitions for remote nameservers that are used for different purposes
+          - See https://www.knot-dns.cz/docs/latest/html/reference.html#remote-section for details
+        type: list
+        elements: dict
+        required: false
+        options:
+          id:
+            type: str
+            required: true
+          address:
+            type: list
+            required: true
+            elements: str
+      knot__catalog_zones:
+        description: A list of catalog zones that will be served by knot
+        type: list
+        elements: dict
+        required: true
+        options:
+          domain:
+            type: str
+            required: true
+          notify_targets:
+            type: list
+            elements: str
+            required: false
+      knot__zones:
+        description: A list of user zones that will be served by knot
+        type: list
+        elements: dict
+        required: true
+        options:
+          domain:
+            type: str
+            required: true
+          notify_targets:
+            type: list
+            elements: str
+            required: false
+          catalog_member:
+            type: str
+            required: false
+          content:
+            type: str
+            required: true

roles/auth_dns/tasks/01-install.yaml

@@ -0,0 +1,11 @@
+---
+- name: Install knot
+  tags: [ auth-dns ]
+  become: true
+  ansible.builtin.package:
+    name:
+      - knot
+      - knot-exporter
+      - knot-dnssecutils
+      - knot-dnsutils
+      - knot-host

roles/auth_dns/tasks/02-configure.yaml

@@ -0,0 +1,53 @@
+---
+- name: Ensure required directories exist
+  tags: [ auth-dns ]
+  become: true
+  loop: [ "/etc/knot", "/etc/knot/zones" ]
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: knot
+    group: knot
+    mode: u=rwx,g=rx,o=
+
+- name: Deploy knot configuration file
+  tags: [ auth-dns ]
+  become: true
+  notify: restart knot
+  ansible.builtin.template:
+    src: knot.conf.j2
+    dest: /etc/knot/knot.conf
+    owner: knot
+    group: knot
+    mode: u=rw,g=r,o=
+
+- name: Deploy configured zones
+  tags: [ auth-dns ]
+  become: true
+  notify: reload knot zones
+  loop: "{{ knot__zones }}"
+  loop_control:
+    label: "{{ item.domain }}"
+  vars:
+    zone_content: "{{ item.content }}"
+  ansible.builtin.template:
+    src: zone.j2
+    dest: "/etc/knot/zones/{{ item.domain }}zone"
+    owner: knot
+    group: knot
+    mode: u=rw,g=r
+
+# this seems weird but hear me out:
+# if we don't disable SLAAC, the node automatically gets an address based on IPv6 Router-Advertisements
+# this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one.
+# so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled
+- name: Disable IPv6 SLAAC
+  tags: [ auth-dns ]
+  become: true
+  notify: netplan apply
+  ansible.builtin.template:
+    src: "netplan-disable-ra.yaml"
+    dest: "/etc/netplan/10-disable-ra.yaml"
+    owner: root
+    group: root
+    mode: u=rw,g=,o=

roles/auth_dns/tasks/main.yaml

@@ -0,0 +1,3 @@
+---
+- ansible.builtin.import_tasks: 01-install.yaml # noqa: name[missing]
+- ansible.builtin.import_tasks: 02-configure.yaml # noqa: name[missing]

roles/auth_dns/templates/knot.conf.j2

@@ -0,0 +1,95 @@
+# {{ ansible_managed }}
+# See knot.conf(5) or refer to the server documentation.
+
+server:
+    rundir: "/run/knot"
+    user: knot:knot
+    automatic-acl: on
+    listen: [ "0.0.0.0@53", "::@53" ]
+
+log:
+  - target: syslog
+    any: info
+
+database:
+    storage: "/var/lib/knot"
+
+key:
+  - id: {{ knot__dnssec_key_id }}
+    algorithm: hmac-sha512
+    secret: "{{ knot__dnssec_key_secret }}"
+
+remote:
+  # static, external and public remote used for DNSSEC KSK checking
+  - id: quad9
+    address: "2620:fe::fe"
+  {% if knot__remotes -%}
+  # additional remotes used in the config
+  {% for i_remote in knot__remotes -%}
+  - id: "{{ i_remote.id }}"
+    address: [ {% for i_addr in i_remote.address %}"{{ i_addr}}"{% if not loop.last %},{% endif %} {% endfor %} ]
+  {% endfor %}
+  {% endif %}
+
+# define how the presence of parent KSK keys is checked
+# in this case, we just ask quad9 which is an open resolver
+submission:
+  - id: default
+    parent: quad9
+    parent-delay: 1h
+
+# define how dnssec signing is done
+# in this case we don't do anything special but teach knot how to check for KSK presence
+policy:
+  - id: default
+    ksk-submission: default
+    nsec3: true
+    nsec3-salt-length: 0
+
+# define default settings that apply to all zones
+template:
+  # template for general-purpose user zones
+  - id: default
+    storage: "/etc/knot/zones"
+    file: "%s.zone"
+    semantic-checks: on
+    zonefile-sync: -1
+    zonefile-load: difference-no-serial
+    serial-policy: dateserial
+    journal-content: all
+    default-ttl: 7200
+    dnssec-signing: on
+    dnssec-policy: default
+
+    {# catalog-role: member #}
+    {# catalog-zone: hamburg.ccc.de.catalog. #}
+
+  # template for automatically created special zones
+  - id: catalog
+    catalog-role: generate
+    dnssec-signing: on
+    dnssec-policy: default
+
+
+# define zones on this server
+# See https://www.knot-dns.cz/docs/3.4/html/reference.html#zone-section
+zone:
+  # catalog zones
+  {% for i_zone in knot__catalog_zones -%}
+  - domain: "{{ i_zone.domain }}"
+    template: catalog
+    notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+  {% endfor %}
+
+  # normal zones
+  {% for i_zone in knot__zones -%}
+  - domain: "{{ i_zone.domain }}"
+    template: default
+    notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+    {% if i_zone.catalog_member | default(False) -%}
+    catalog-role: member
+    catalog-zone: "{{ i_zone.catalog_member }}"
+    {% endif %}
+  {% endfor %}
+
+  {# - domain: "onsite.eurofurence.org" #}

roles/auth_dns/templates/netplan-disable-ra.yaml

@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+network:
+  ethernets:
+    {%- for i_iface_name in ansible_interfaces -%}
+    {%- if i_iface_name != "lo" -%}
+    {%- set i_iface = ansible_facts[i_iface_name] %}
+
+    {{ i_iface_name }}:
+      match:
+        macaddress: "{{ i_iface.macaddress }}"
+      accept-ra: false
+    {% endif %}
+    {% endfor %}
+

roles/auth_dns/templates/zone.j2

@@ -0,0 +1,4 @@
+; {{ ansible_managed }}
+
+{{ zone_content }}
+

roles/base_config/meta/main.yaml

@@ -2,4 +2,3 @@
 dependencies:
   - role: deploy_ssh_server_config
   - role: deploy_systemd_journal_config
-  - role: deploy_systemd_resolved_config

roles/deploy_systemd_resolved_config/README.md

@@ -1,21 +0,0 @@
-# Role `deploy_systemd_resolved_config`
-
-A role for deploying a minimal configuration for [systemd-resolved](https://man.archlinux.org/man/systemd-resolved.8) or alternatively completely disabling it.
-
-!! Note
-If systemd-resolved is disabled, the configuration is instead rendered directly into `/etc/resolv.conf` to ensure a node does not accidentally lose name resolving capabilities.
-
-## Optional Arguments
-
-- `deploy_systemd_resolved_config__enable` (defaults to `true`) decides whether systemd-resolved should be enabled or disabled.
-
-- `deploy_systemd_resolved_config__mode` (defaults to `stub`) controls which compatibility mode is used for `/etc/resolv.conf` when systemd-resolved is enabled. See [man systemd-resolved(8)](https://man.archlinux.org/man/systemd-resolved.8#/ETC/RESOLV.CONF).
-
-- `deploy_systemd_resolved_config__dns` is the list of primary DNS servers that will be configured. If e.g. a specific link configures other DNS servers, they will take precedence.
-
-- `deploy_systemd_resolved_config__fallback_dns` (defaults to Quad9) is the list of fallback DNS servers. If, at runtime, none of the configured primary DNS servers are reachable, these servers will be used as fallback.
-
-## Hosts
-
-This role is included as a dependency to [base_config](../base_config/) and therefore does not need to be explicitly pulled in.
-

roles/deploy_systemd_resolved_config/defaults/main.yaml

@@ -1,9 +0,0 @@
----
-deploy_systemd_resolved_config__enable: true
-deploy_systemd_resolved_config__mode: "stub"
-deploy_systemd_resolved_config__dns: [ ]
-deploy_systemd_resolved_config__fallback_dns:
-  - "9.9.9.9"
-  - "149.112.112.112"
-  - "2620:fe::fe"
-  - "2620:fe::9"

roles/deploy_systemd_resolved_config/handlers/main.yaml

@@ -1,7 +0,0 @@
----
-- name: "reload systemd-resolved"
-  tags: [ "deploy_systemd_resolved_config" ]
-  become: true
-  ansible.builtin.systemd:
-    name: "systemd-resolved.service"
-    state: "restarted"

roles/deploy_systemd_resolved_config/meta/argument_specs.yaml

@@ -1,21 +0,0 @@
----
-argument_specs:
-  main:
-    options:
-      deploy_systemd_resolved_config__enable:
-        description: "Whether systemd-resolved should be enabled or disabled"
-        type: bool
-        required: false
-      deploy_systemd_resolved_config__mode:
-        description: "Which /etc/resolv.conf compatibility mode should be configured"
-        type: str
-        required: false
-        choices: [ "stub", "static-stub", "passthru", "extern" ]
-      deploy_systemd_resolved_config__dns:
-        description: "A list of DNS servers that will be configured as default dns servers"
-        type: list
-        required: false
-      deploy_systemd_resolved_config__fallback_dns:
-        description: "A list of fallback DNS servers that will be configured"
-        type: list
-        required: false

roles/deploy_systemd_resolved_config/tasks/disable.yaml

@@ -1,25 +0,0 @@
----
-- name: Ensure /etc/resolv.conf is a plain file
-  tags: [ "deploy_systemd_resolved_config" ]
-  become: true
-  ansible.builtin.file:
-    path: "/etc/resolv.conf"
-    state: file
-
-- name: Write nameserver config directly into /etc/resolv.conf
-  tags: [ "deploy_systemd_resolved_config" ]
-  become: true
-  ansible.builtin.template:
-    src: "resolv.conf.j2"
-    dest: "/etc/resolv.conf"
-    owner: root
-    group: root
-    mode: u=rw,g=r,o=r
-
-- name: Disable systemd-resolved
-  tags: [ "deploy_systemd_resolved_config" ]
-  become: true
-  ansible.builtin.systemd:
-    name: "systemd-resolved.service"
-    state: stopped
-    enabled: false

roles/deploy_systemd_resolved_config/tasks/enable.yaml

@@ -1,36 +0,0 @@
----
-- name: Deploy systemd-resolved config
-  tags: [ "deploy_systemd_resolved_config" ]
-  become: true
-  notify: "reload systemd-resolved"
-  ansible.builtin.template:
-    src: resolved.conf.j2
-    dest: /etc/systemd/resolved.conf
-    owner: root
-    group: root
-    mode: u=rw,g=r,o=r
-
-- name: Make /etc/resolv.conf points to systemd-resolved
-  tags: [ "deploy_systemd_resolved_config" ]
-  become: true
-  when: deploy_systemd_resolved_config__mode != "extern"
-  ansible.builtin.file: # noqa: jinja
-    path: /etc/resolv.conf
-    state: link
-    force: true
-    src: >-
-      {%- if deploy_systemd_resolved_config__mode == "stub" -%}
-      /run/systemd/resolve/stub-resolv.conf
-      {%- elif deploy_systemd_resolved_config__mode == "static-stub" -%}
-      /usr/lib/systemd/resolv.conf
-      {%- elif deploy_systemd_resolved_config__mode == "passthru" -%}
-      /run/systemd/resolve/resolv.conf
-      {%- endif -%}
-
-- name: Ensure systemd-resolved is running and enabled
-  tags: [ "deploy_systemd_resolved_config" ]
-  become: true
-  ansible.builtin.systemd:
-    name: systemd-resolved.service
-    state: started
-    enabled: true

roles/deploy_systemd_resolved_config/tasks/main.yaml

@@ -1,10 +0,0 @@
----
-- name: Include enable.yaml
-  tags: [ "deploy_systemd_resolved_config" ]
-  ansible.builtin.include_tasks: enable.yaml
-  when: deploy_systemd_resolved_config__enable
-
-- name: Include disable.yaml
-  tags: [ "deploy_systemd_resolved_config" ]
-  ansible.builtin.include_tasks: disable.yaml
-  when: not deploy_systemd_resolved_config__enable

roles/deploy_systemd_resolved_config/templates/resolv.conf.j2

@@ -1,11 +0,0 @@
-# {{ ansible_managed }}
-
-{% for i in deploy_systemd_resolved_config__dns %}
-nameserver {{ i }}
-{% endfor %}
-
-{% for i in deploy_systemd_resolved_config__fallback_dns %}
-nameserver {{ i }}
-{% endfor %}
-
-options edns0

roles/deploy_systemd_resolved_config/templates/resolved.conf.j2

@@ -1,11 +0,0 @@
-# {{ ansible_managed }}
-
-# Since the config supports drop-in files,
-# use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.'
-#
-# See resolved.conf(5) for details
-
-[Resolve]
-DNS={{ deploy_systemd_resolved_config__dns | join(" ") }}
-FallbackDNS={{ deploy_systemd_resolved_config__fallback_dns | join(" ") }}
-