--- /dev/null
+NoSPF='"v=spf1 -all"'
+ReSPF='"v=spf1 redirect=_spf.stargrave.org"'
+
+GW4=91.211.5.21
+GW6=2a03:e2c0:2663:1::1
+VPS4=45.10.110.72
+VPS6=2a04:ac00:a:146::25
+Y6=21a:af91:8d0e:b05:9645:e4e9:12be:3c39
+
+NS1=uz544mqwggqbf3z4utlhfqn45vpbpq78nc63hpg5u2ut29stkt0pkr.ns7.stargrave.org.
+NS2=uz5nulnd504gp3s7sdmdl5l2gxc762hpw926t90k39ltxp67flbccn.ns5.stargrave.org.
+
+SSHGW=8397b7a5602758bb302cf6fd1a26b9a027388687f80be269c8cb1e7bbab707f0
+SSHVPS=35cf6677a0e85882ebf1deac20d4e9a87ae94d9599ea9db3786711268a4052b6
+
+zone_start() {
+ local serial=$1
+ cat <<EOF
+\$TTL 21600
+\$ORIGIN ${DOMAIN}.
+${DOMAIN}. 21600 IN SOA $NS1 admin.${DOMAIN}. (
+ ${serial} ; Serial
+ 12h ; Refresh
+ 2h ; Retry
+ 2w ; Expire
+ 6h ; TTL
+)
+@ NS $NS1
+@ NS $NS2
+_dmarc TXT "v=DMARC1; p=none"
+EOF
+}
+
+add_dane() {
+ local subdomain=$1
+ local domain=$2
+ local prefix=_${DANE_PORT:-443}._tcp
+ [[ $subdomain = "@" ]] || prefix=$prefix.$subdomain
+ print "$subdomain CAA 0 issue \"ca.cypherpunks.ru\""
+ print "$subdomain CAA 0 issue \"cagost.cypherpunks.ru\""
+ pushd ~/secure/ca
+ local hsh=$(~/work/zeasypki/zeasypki dane ee/ecdsa/ca.cypherpunks.ru/$domain)
+ print "$prefix TLSA 3 1 1 $hsh"
+ [[ -e ee/gost/cagost.cypherpunks.ru/$domain ]] && {
+ hsh=$(~/work/zeasypki/zeasypki dane ee/gost/cagost.cypherpunks.ru/$domain)
+ print "$prefix TLSA 3 1 1 $hsh"
+ }
+ popd
+}
+
+add_subdomain() {
+ local subdomain=$1
+ shift
+ for addr (${=1}) {
+ [[ $addr =~ : ]] && a=AAAA || a=A
+ print "$subdomain $a $addr"
+ }
+ shift
+ local flags=(${=@})
+ [[ ${flags[(I)tls]} -ne 0 ]] && {
+ add_dane $subdomain ${subdomain}.$DOMAIN
+ }
+ [[ ${flags[(I)nospf]} -eq 0 ]] && {
+ print "$subdomain TXT $NoSPF"
+ }
+ [[ ${flags[(I)y]} -ne 0 ]] && {
+ print "y.$subdomain AAAA $Y6"
+ print "y.$subdomain TXT $NoSPF"
+ }
+ return 0
+}
+
+add_mx() {
+ local subdomain=$1
+ cat <<EOF
+$subdomain MX 10 mailfake0.stargrave.org.
+$subdomain MX 20 mail2.stargrave.org.
+$subdomain MX 30 mailfake1.stargrave.org.
+$subdomain TXT $ReSPF
+EOF
+}
+
+add_pgp() {
+ local uid=$1
+ gpg --export-options export-dane --export $uid |
+ sed -n '1,/^$/p'|
+ sed -n '2,$p' |
+ sed 's/ TYPE61/._openpgpkey TYPE61/'
+}
+
+add_ssh() {
+ print "$1 SSHFP 4 2 $2"
+}
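Review bot: In add_dane neither `pushd ~/secure/ca` nor the two `zeasypki dane` calls are checked, and `local hsh=$(...)` discards the command's exit status, so a missing directory or certificate still prints `$prefix TLSA 3 1 1 ` with an empty hash. Since these functions emit records on stdout, that line would presumably end up in the generated zone, where an empty or malformed TLSA record either fails the zone load or breaks DANE validation for that name. I would guard both steps: `pushd -q ~/secure/ca || return 1` and `local hsh; hsh=$(~/work/zeasypki/zeasypki dane ee/ecdsa/ca.cypherpunks.ru/$domain) || { popd -q; return 1 }`, with the same check on the GOST branch. The `-q` also keeps zsh from printing the directory stack into the output, unless PUSHD_SILENT is already set by the caller.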