vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
main
vm-cloudflare/cloudflare_dns_manifest.md
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence 
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00

128 lines
2.4 KiB
Markdown
Raw Permalink Blame History

# Cloudflare DNS Manifest (Baseline)
## Purpose
A declarative, version-controlled DNS manifest for VaultMesh, OffSec, and related domains. This serves as the canonical source of truth for DNS state, to be captured in VaultMesh receipts and anchored regularly.
---
# 1. Manifest Structure
Each domain contains:
- SOA
- NS
- A / AAAA records
- CNAME
- TXT (SPF, DKIM, DMARC, verification)
- MX
- SRV (if any)
- Proxied/Unproxied state
- Expected TTL
All manifests MUST be reproducible from Cloudflare's API and diffs anchored weekly.
---
# 2. Example Manifest: vaultmesh.org
```yaml
zone: vaultmesh.org
records:
- type: A
name: @
content: 192.0.2.10
proxied: true
ttl: auto
- type: AAAA
name: @
content: 2001:db8::10
proxied: true
ttl: auto
- type: CNAME
name: www
content: vaultmesh.org
proxied: true
- type: TXT
name: @
content: "v=spf1 include:_spf.google.com -all"
- type: TXT
name: _dmarc
content: "v=DMARC1; p=quarantine; rua=mailto:security@vaultmesh.org"
- type: MX
name: @
content: mx1.improvmx.com
priority: 10
- type: MX
name: @
content: mx2.improvmx.com
priority: 20
```
---
# 3. OffSec Domain Template
For: offsec.global, offsecglobal.com, offsecagent.com, offsecshield.com
```yaml
zone: offsec.example
records:
- type: A
name: @
content: 192.0.2.44
proxied: true
- type: CNAME
name: www
content: offsec.example
proxied: true
- type: TXT
name: @
content: "v=spf1 include:_spf.mxroute.com -all"
- type: TXT
name: _dmarc
content: "v=DMARC1; p=reject; rua=mailto:guardian@offsec.example"
- type: MX
name: @
content: mxroute1.mxlogin.com
priority: 10
- type: MX
name: @
content: mxroute2.mxlogin.com
priority: 20
```
---
# 4. Security Requirements
- DNSSEC: **Enabled** for all zones
- Registrar Lock: **Enabled**
- No wildcards unless justified
- All A/AAAA/CNAME must be **proxied** unless servicing internal/private infra
- Remove stale records within 24h of deprecation
---
# 5. Change-Control Pipeline
1. Proposed DNS change → Manifest PR
2. CI validates structure + conflicts
3. Merge → Apply via API/Terraform
4. Emit DNS-change receipt in VaultMesh
5. Anchor weekly DNS snapshots
---
# 6. Audit Signals
- Unexpected unproxied records
- Sudden IP changes
- DMARC/ SPF drift
- Added/removed MX without change-control
- Hostname shadowing attempts
Reference in New Issue View Git Blame Copy Permalink