# Cloudflare DNS Manifest (Baseline)

## Purpose

A declarative, version-controlled DNS manifest for VaultMesh, OffSec, and related domains. This serves as the canonical source of truth for DNS state, to be captured in VaultMesh receipts and anchored regularly.

---

# 1. Manifest Structure

Each domain contains:

- SOA
- NS
- A / AAAA records
- CNAME
- TXT (SPF, DKIM, DMARC, verification)
- MX
- SRV (if any)
- Proxied/Unproxied state
- Expected TTL

All manifests MUST be reproducible from Cloudflare's API, and diffs MUST be anchored weekly.

---

# 2. Example Manifest: vaultmesh.org

```yaml
zone: vaultmesh.org
records:
  - type: A
    name: "@"
    content: 192.0.2.10
    proxied: true
    ttl: auto
  - type: AAAA
    name: "@"
    content: 2001:db8::10
    proxied: true
    ttl: auto
  - type: CNAME
    name: www
    content: vaultmesh.org
    proxied: true
  - type: TXT
    name: "@"
    content: "v=spf1 include:_spf.google.com -all"
  - type: TXT
    name: _dmarc
    content: "v=DMARC1; p=quarantine; rua=mailto:security@vaultmesh.org"
  - type: MX
    name: "@"
    content: mx1.improvmx.com
    priority: 10
  - type: MX
    name: "@"
    content: mx2.improvmx.com
    priority: 20
```

---

# 3. OffSec Domain Template

For: offsec.global, offsecglobal.com, offsecagent.com, offsecshield.com

```yaml
zone: offsec.example
records:
  - type: A
    name: "@"
    content: 192.0.2.44
    proxied: true
  - type: CNAME
    name: www
    content: offsec.example
    proxied: true
  - type: TXT
    name: "@"
    content: "v=spf1 include:_spf.mxroute.com -all"
  - type: TXT
    name: _dmarc
    content: "v=DMARC1; p=reject; rua=mailto:guardian@offsec.example"
  - type: MX
    name: "@"
    content: mxroute1.mxlogin.com
    priority: 10
  - type: MX
    name: "@"
    content: mxroute2.mxlogin.com
    priority: 20
```

---

# 4. Security Requirements

- DNSSEC: **Enabled** for all zones
- Registrar Lock: **Enabled**
- No wildcards unless justified
- All A/AAAA/CNAME records must be **proxied** unless serving internal/private infra
- Remove stale records within 24h of deprecation

---

# 5. Change-Control Pipeline

1. Proposed DNS change → Manifest PR
2. CI validates structure + conflicts
3. Merge → Apply via API/Terraform
4. Emit DNS-change receipt in VaultMesh
5. Anchor weekly DNS snapshots

---

# 6. Audit Signals

- Unexpected unproxied records
- Sudden IP changes
- DMARC/SPF drift
- Added/removed MX without change-control
- Hostname shadowing attempts
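As an added illustration of the CI check in section 5 and the audit signals in section 6 (example code, not part of the manifest or the VaultMesh tooling), the drift checker below diffs the intended records against a live snapshot and emits the signals a reviewer would want to see. It assumes records are plain dicts in the manifest's field names and a hypothetical `internal: true` flag marking names allowed to stay unproxied; the sample manifest and snapshot are constructed inline.

```python
from collections import defaultdict
PROXIABLE = ("A", "AAAA", "CNAME")

def _index(records):
    """Map (type, name) -> set of (content, priority) for per-name comparison."""
    idx = defaultdict(set)
    for r in records:
        idx[(r["type"], r["name"])].add((r["content"], r.get("priority")))
    return idx

def _txt_kind(name, content):
    """Label TXT drift: DMARC by its _dmarc name, SPF by its v=spf1 prefix."""
    if name == "_dmarc":
        return "dmarc-drift"
    return "spf-drift" if content.lower().startswith("v=spf1") else "txt-drift"

def audit_signals(manifest, live):
    """Diff intended records (manifest) against an observed snapshot (live); returns
    sorted (signal, detail) tuples. Assumed flag `internal: true` permits unproxied."""
    signals, want, have = [], _index(manifest), _index(live)
    internal = {(r["type"], r["name"]) for r in manifest if r.get("internal")}
    for r in live:  # section 4: A/AAAA/CNAME must be proxied unless internal
        if r["type"] in PROXIABLE and not r.get("proxied") and (r["type"], r["name"]) not in internal:
            signals.append(("unproxied", f"{r['type']} {r['name']} -> {r['content']}"))
    for rtype, name in sorted(set(want) | set(have)):
        missing = want.get((rtype, name), set()) - have.get((rtype, name), set())
        extra = have.get((rtype, name), set()) - want.get((rtype, name), set())
        if not missing and not extra:
            continue
        if rtype in ("A", "AAAA"):
            signals.append(("ip-change", f"{rtype} {name}: {sorted(c for c, _ in missing)} -> {sorted(c for c, _ in extra)}"))
        elif rtype == "TXT":
            for content, _ in sorted(missing | extra):
                signals.append((_txt_kind(name, content), f"{name}: {content}"))
        else:  # MX, CNAME, ...: report the raw removed/added sets
            signals.append((f"{rtype.lower()}-change", f"{name}: -{sorted(missing)} +{sorted(extra)}"))
    return sorted(signals)

# Constructed sample: an abridged vaultmesh.org manifest (section 2) and a live snapshot where
# the apex A moved and lost its proxy, DMARC was weakened to p=none, and an MX host appeared.
MANIFEST = [
    {"type": "A", "name": "@", "content": "192.0.2.10", "proxied": True},
    {"type": "TXT", "name": "_dmarc", "content": "v=DMARC1; p=quarantine; rua=mailto:security@vaultmesh.org"},
    {"type": "MX", "name": "@", "content": "mx1.improvmx.com", "priority": 10},
]
LIVE = [
    {"type": "A", "name": "@", "content": "198.51.100.7", "proxied": False},
    {"type": "TXT", "name": "_dmarc", "content": "v=DMARC1; p=none; rua=mailto:security@vaultmesh.org"},
    {"type": "MX", "name": "@", "content": "mx1.improvmx.com", "priority": 10},
    {"type": "MX", "name": "@", "content": "mx-unapproved.example", "priority": 5},
]
```

Running `audit_signals(MANIFEST, LIVE)` in CI against the weekly snapshot yields one line per drifted record, so an unreviewed MX addition or a DMARC downgrade fails the pipeline before the receipt is emitted.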