vm-cloudflare/cloudflare_dns_manifest.md
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00


Cloudflare DNS Manifest (Baseline)

Purpose

A declarative, version-controlled DNS manifest for VaultMesh, OffSec, and related domains. This serves as the canonical source of truth for DNS state, to be captured in VaultMesh receipts and anchored regularly.


1. Manifest Structure

Each domain contains:

  • SOA
  • NS
  • A / AAAA records
  • CNAME
  • TXT (SPF, DKIM, DMARC, verification)
  • MX
  • SRV (if any)
  • Proxied/Unproxied state
  • Expected TTL

All manifests MUST be reproducible from Cloudflare's API, and diffs between consecutive snapshots MUST be anchored weekly.


2. Example Manifest: vaultmesh.org

```yaml
zone: vaultmesh.org
records:
  - type: A
    name: @
    content: 192.0.2.10
    proxied: true
    ttl: auto

  - type: AAAA
    name: @
    content: 2001:db8::10
    proxied: true
    ttl: auto

  - type: CNAME
    name: www
    content: vaultmesh.org
    proxied: true

  - type: TXT
    name: @
    content: "v=spf1 include:_spf.google.com -all"

  - type: TXT
    name: _dmarc
    content: "v=DMARC1; p=quarantine; rua=mailto:security@vaultmesh.org"

  - type: MX
    name: @
    content: mx1.improvmx.com
    priority: 10

  - type: MX
    name: @
    content: mx2.improvmx.com
    priority: 20
```

3. OffSec Domain Template

Template for: offsec.global, offsecglobal.com, offsecagent.com, offsecshield.com (replace `offsec.example` with the zone being provisioned)

```yaml
zone: offsec.example
records:
  - type: A
    name: @
    content: 192.0.2.44
    proxied: true

  - type: CNAME
    name: www
    content: offsec.example
    proxied: true

  - type: TXT
    name: @
    content: "v=spf1 include:_spf.mxroute.com -all"

  - type: TXT
    name: _dmarc
    content: "v=DMARC1; p=reject; rua=mailto:guardian@offsec.example"

  - type: MX
    name: @
    content: mxroute1.mxlogin.com
    priority: 10

  - type: MX
    name: @
    content: mxroute2.mxlogin.com
    priority: 20
```

4. Security Requirements

  • DNSSEC: Enabled for all zones
  • Registrar Lock: Enabled
  • No wildcards unless justified
  • All A/AAAA/CNAME records must be proxied unless they serve internal/private infrastructure
  • Remove stale records within 24h of deprecation

5. Change-Control Pipeline

  1. Proposed DNS change → Manifest PR
  2. CI validates structure + conflicts
  3. Merge → Apply via API/Terraform
  4. Emit DNS-change receipt in VaultMesh
  5. Anchor weekly DNS snapshots

6. Audit Signals

  • Unexpected unproxied records
  • Sudden IP changes
  • DMARC/SPF drift
  • Added/removed MX without change-control
  • Hostname shadowing attempts
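
Added example (not code from the manifest repository): a small Python audit that applies the section 4 rules to a record set and diffs a manifest against a captured zone snapshot to raise the section 6 signals, the kind of check the CI step in section 5 would run. It works on already-parsed records (dicts with the manifest's own keys); the sample manifest is the vaultmesh.org one above, while the snapshot's drift and the `mx3.example.net` host are constructed.

```python
PROXIABLE = {"A", "AAAA", "CNAME"}

def _key(rec):
    """Record identity for diffing: TXT records share a name, so tell them apart by leading tag (v=spf1, v=DMARC1, ...); MX by priority."""
    tag = rec["content"].split(";")[0].split()[0] if rec["type"] == "TXT" else None
    return (rec["type"], rec["name"], rec.get("priority"), tag)

def validate_manifest(records, allow_unproxied=()):
    """Section 4 checks: no wildcards; A/AAAA/CNAME proxied unless the name is allow-listed as internal infra."""
    issues = []
    for r in records:
        if "*" in r["name"]:
            issues.append(f"wildcard record: {r['type']} {r['name']}")
        if r["type"] in PROXIABLE and not r.get("proxied") and r["name"] not in allow_unproxied:
            issues.append(f"unproxied record: {r['type']} {r['name']}")
    return issues

def audit_drift(manifest, snapshot):
    """Section 6 signals: diff the manifest against a captured live-zone snapshot."""
    want = {_key(r): r for r in manifest}
    have = {_key(r): r for r in snapshot}
    signals = []
    for k in have.keys() - want.keys():  # live but absent from the manifest
        signals.append(f"{'MX added without change-control' if k[0] == 'MX' else 'unexpected record'}: {k[0]} {k[1]} {have[k]['content']}")
    for k in want.keys() - have.keys():  # in the manifest but gone from the live zone
        signals.append(f"{'MX removed without change-control' if k[0] == 'MX' else 'missing record'}: {k[0]} {k[1]} {want[k]['content']}")
    for k in want.keys() & have.keys():
        w, h = want[k], have[k]
        if w["content"] != h["content"]:
            label = "IP change" if k[0] in ("A", "AAAA") else f"{k[3]} drift" if k[3] in ("v=spf1", "v=DMARC1") else "content drift"
            signals.append(f"{label}: {k[0]} {k[1]} {w['content']} -> {h['content']}")
        if k[0] in PROXIABLE and w.get("proxied") and not h.get("proxied"):
            signals.append(f"unexpected unproxied record: {k[0]} {k[1]}")
    return sorted(signals)

# Constructed sample: the vaultmesh.org manifest from this page, and a snapshot
# with drift injected to exercise every check above (mx3.example.net is made up).
MANIFEST = [
    {"type": "A", "name": "@", "content": "192.0.2.10", "proxied": True},
    {"type": "AAAA", "name": "@", "content": "2001:db8::10", "proxied": True},
    {"type": "TXT", "name": "@", "content": "v=spf1 include:_spf.google.com -all"},
    {"type": "TXT", "name": "_dmarc", "content": "v=DMARC1; p=quarantine; rua=mailto:security@vaultmesh.org"},
    {"type": "MX", "name": "@", "content": "mx1.improvmx.com", "priority": 10},
]
SNAPSHOT = [dict(r) for r in MANIFEST]
SNAPSHOT[0]["content"] = "192.0.2.99"      # sudden IP change on the apex A record
SNAPSHOT[1]["proxied"] = False             # AAAA dropped out of the proxy: origin exposed
SNAPSHOT[3]["content"] = "v=DMARC1; p=none"  # DMARC policy weakened
SNAPSHOT.append({"type": "MX", "name": "@", "content": "mx3.example.net", "priority": 30})
```

Running `validate_manifest(SNAPSHOT)` and `audit_drift(MANIFEST, SNAPSHOT)` over the constructed snapshot flags the exposed AAAA record, the IP change, the DMARC drift and the MX added outside change control, while the clean manifest validates with no issues.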