--- /dev/null
+zdns -- DNS zones creator helper
+
+This is very simple zsh-based helper functions to create DNS zones.
+Many things are hardcoded there. Basically you just write ordinary
+zsh script, sourcing the rc.zsh, containing various helper functions.
+It expects DOMAIN variable to be set.
+
+* fqdn(domain) -- prints fully-qualified domain name, taking either
+ "domain.", or "@", or "subdomain" names
+* shortened(domain) -- prints $DOMAIN-relative shortened name, printing
+ only subdomain parts or "@"
+* zone_start(serial) -- prints SOA record with two predefined (hardcoded)
+ nameservers and none DMARC policy
+* add_mx(domain) -- add predefined MX records for given domain, with
+ predefined redirect-based SPF policy
+* add_dane(domain) -- add DANE records for given domain. You have to
+ have tls/ subdirectory, containing zeasypki's state
+ (http://www.git.stargrave.org/?p=zeasypki.git;a=blob;f=README)
+ It looks in each CA's subdirectory if keypair exists for the domain,
+ printing necessary CAA and TLSA records
+* add_ssh(domain) -- searches for corresponding public key in ssh/
+ subdirectory and (if it exists) prints corresponding SSHFP record
+* add_subdomain(domain, addresses) -- adds specified domain with
+ provided space-separated addresses. It automatically calls add_dane
+ and add_ssh helpers. Unless $NOSPF=1 is specified, it prints "-all"
+ SPF policy. If $Y=1 is specified, then it adds "y.domain" address with
+ predefined $Y6 address and "-all" SPF policy
+* add_pgp(keyid, uid) -- prints _openpgpkey DANE record for given
+ OpenPGP key of desired UID. "uid" is optional and useful only if your
+ key have got multiple UIDs and you need to add only the single
+ specified one
+
+To omit burden of sourcing rc.zsh, setting $DOMAIN and rebuilding zones
+after its change, there is default.zone.do redo (http://cr.yp.to/redo.html)
+target, expecting your script in $domain.zsh file.
+
+For example the zone for nncpgo.org domain with mail-capabilities, WWW
+subdomain (available via Yggdrasil network), OpenPGP DANE key,
+openpgp-subdomain for WKD and necessary DANE/SSH records could be
+created the following way:
+
+ $ ln -fs /path/to/zeasypki/state tls
+ $ [[ -d tls/ee/ecdsa/ca.cypherpunks.ru/openpgpkey.nncpgo.org ]]
+ $ [[ -d tls/ee/gost/cagost.cypherpunks.ru/openpgpkey.nncpgo.org ]]
+ $ [[ -d tls/ee/ecdsa/ca.cypherpunks.ru/www.nncpgo.org ]]
+ $ [[ -d tls/ee/gost/cagost.cypherpunks.ru/www.nncpgo.org ]]
+
+ $ mkdir -p ssh
+ $ print ssh-ed25519 AAAA... > ssh/www.nncpgo.org
+
+ $ cat > nncpgo.org.zsh <<EOF
+ zone_start 2012011633
+ add_mx @
+ Y=1 add_subdomain www "$GW4 $GW6 $VPS4 $VPS6"
+ Y=1 add_subdomain openpgpkey "$GW4 $GW6"
+ add_pgp releases@nncpgo.org
+ EOF
+
+ $ redo nncpgo.org.zone
+
+It will produce:
+
+ $TTL 21600
+ $ORIGIN nncpgo.org.
+ nncpgo.org. 21600 IN SOA uz5....ns7.stargrave.org. admin.nncpgo.org. (
+ 2012011633 ; Serial
+ 12h ; Refresh
+ 2h ; Retry
+ 2w ; Expire
+ 6h ; TTL
+ )
+ @ NS uz5....ns7.stargrave.org.
+ @ NS uz5....ns5.stargrave.org.
+ _dmarc TXT "v=DMARC1; p=none"
+ @ MX 10 mailfake0.stargrave.org.
+ @ MX 20 mail2.stargrave.org.
+ @ MX 30 mailfake1.stargrave.org.
+ @ TXT "v=spf1 redirect=_spf.stargrave.org"
+ www A 91.211.5.21
+ www AAAA 2a03:e2c0:2663:1::1
+ www A 45.10.110.72
+ www AAAA 2a04:ac00:a:146::25
+ www CAA 0 issue "ca.cypherpunks.ru"
+ _443._tcp.www TLSA 3 1 1 0a77...d187
+ www CAA 0 issue "cagost.cypherpunks.ru"
+ _443._tcp.www TLSA 3 1 1 9b98...7b3a
+ www TXT "v=spf1 -all"
+ y.www AAAA 21a:af91:8d0e:b05:9645:e4e9:12be:3c39
+ y.www TXT "v=spf1 -all"
+ openpgpkey A 91.211.5.21
+ openpgpkey AAAA 2a03:e2c0:2663:1::1
+ openpgpkey CAA 0 issue "ca.cypherpunks.ru"
+ _443._tcp.openpgpkey TLSA 3 1 1 ddf4...e89c
+ openpgpkey CAA 0 issue "cagost.cypherpunks.ru"
+ _443._tcp.openpgpkey TLSA 3 1 1 2075...7c3d
+ openpgpkey TXT "v=spf1 -all"
+ y.openpgpkey AAAA 21a:af91:8d0e:b05:9645:e4e9:12be:3c39
+ y.openpgpkey TXT "v=spf1 -all"
+ ; NNCP releases <releases@nncpgo.org>
+ 2019...15ac._openpgpkey TYPE61 \# 655 (...)
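Review bot: the heredoc in the worked example, `$ cat > nncpgo.org.zsh <<EOF`, uses an unquoted delimiter, so `"$GW4 $GW6 $VPS4 $VPS6"` and `"$GW4 $GW6"` on the two `add_subdomain` lines are expanded by the interactive shell while the file is being written, not by the zone script when `redo nncpgo.org.zone` runs it; if those variables are not set in that session, the script ends up with empty address lists for www and openpgpkey. Quote the delimiter (`<<'EOF'`) or write the literal addresses in the example. Related documentation gap: the intro says only that the DOMAIN variable is expected to be set, yet the example depends on `$GW4`, `$GW6`, `$VPS4`, `$VPS6` and the `$Y6` address used by `Y=1` without saying where they are defined (rc.zsh or the caller's environment); a short list of the variables rc.zsh expects, next to the DOMAIN sentence, would close that. Minor style: "This is very simple zsh-based helper functions" should read "These are very simple zsh-based helper functions", and "your key have got multiple UIDs" should be "your key has multiple UIDs".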