]> git.openstreetmap.org Git - dns.git/blobdiff - src/openstreetmap.js
Add DNS for Equinix uplink addresses
[dns.git] / src / openstreetmap.js
index e1756c9d8f0c32111ac14c2bdc3e17f26ff0f3c7..1bf2cfbbb0670bf27f81549da9c71622e70f3ba4 100644 (file)
 D(DOMAIN, REGISTRAR, DnsProvider(PROVIDER),
 
-  // Publish CAA records indicating that only letsencrypt should issue certificates
-
-  CAA("@", "issue", "letsencrypt.org", CF_TTL_ANY),
-  CAA("@", "issuewild", "letsencrypt.org", CF_TTL_ANY),
-  CAA("@", "iodef", "mailto:hostmaster@openstreetmap.org"),
-
-  // Use shenron as the MX host
+  // Publish CAA records indicating that only letsencrypt and globalsign (Fastly) should issue certificates
+
+  CAA_BUILDER({
+    label: "@",
+    ttl: "1h",
+    iodef: "mailto:hostmaster@openstreetmap.org",
+    issue: [
+      "letsencrypt.org",
+      "globalsign.com",   // Used by Fastly for CDN certificates
+    ],
+    issuewild: [
+      "letsencrypt.org",
+      "globalsign.com",   // Used by Fastly for CDN certificates
+    ],
+  }),
+
+  // Mail service
 
   MX("@", 10, QUALIFY("a.mx")),
   MX("messages", 10, QUALIFY("a.mx")),
   MX("noreply", 10, QUALIFY("a.mx")),
   MX("otrs", 10, QUALIFY("a.mx")),
-  A("a.mx", "212.110.172.32"),
-  AAAA("a.mx", "2001:41c9:1:400::32"),
+  MX("community", 10, QUALIFY("a.mx")),
+  MX("supporting", 10, QUALIFY("a.mx")),
+
+  A("a.mx", FAFNIR_IPV4),
+  AAAA("a.mx", FAFNIR_IPV6),
+  A("mail", FAFNIR_IPV4),
+  AAAA("mail", FAFNIR_IPV6),
+  A("mta-sts", FAFNIR_IPV4),
+  AAAA("mta-sts", FAFNIR_IPV6),
 
   // Publish SPF records indicating that only shenron sends mail
 
-  TXT("@", "v=spf1 ip4:212.110.172.32 ip6:2001:41c9:1:400::32 mx -all"),
-  TXT("otrs", "v=spf1 ip4:212.110.172.32 ip6:2001:41c9:1:400::32 mx -all"),
+  SPF_BUILDER({
+    label: "@",
+    parts: [
+      "v=spf1",
+      "ip4:184.104.226.98",         // fafnir ipv4 (he.net)
+      "ip6:2001:470:1:b3b::2",      // fafnir ipv6 (he.net)
+      "ip4:87.252.214.98",          // fafnir ipv4 (equinix)
+      "ip6:2001:4d78:fe03:1c::2",   // fafnir ipv6 (equinix)
+      "ip4:193.60.236.0/24",        // ucl external
+      "ip4:82.199.86.96/27",        // amsterdam external (equinix)
+      "ip6:2001:4d78:500:5e3::/64", // amsterdam external (equinix)
+      "ip4:87.252.214.96/27",       // dublin external (equinix)
+      "ip6:2001:4d78:fe03:1c::/64", // dublin external (equinix)
+      "ip4:184.104.179.128/27",     // amsterdam external (he.net)
+      "ip6:2001:470:1:fa1::/64",    // amsterdam external (he.net)
+      "ip4:184.104.226.96/27",      // dublin external (he.net)
+      "ip6:2001:470:1:b3b::/64",    // dublin external (he.net)
+      "mx",                         // safety net if we change mx
+      "-all"
+    ]
+  }),
+
+  SPF_BUILDER({
+    label: "messages",
+    parts: [
+      "v=spf1",
+      "ip4:184.104.226.98",         // fafnir ipv4 (he.net)
+      "ip6:2001:470:1:b3b::2",      // fafnir ipv6 (he.net)
+      "ip4:87.252.214.98",          // fafnir ipv4 (equinix)
+      "ip6:2001:4d78:fe03:1c::2",   // fafnir ipv6 (equinix)
+      "ip4:193.60.236.0/24",        // ucl external
+      "ip4:82.199.86.96/27",        // amsterdam external (equinix)
+      "ip6:2001:4d78:500:5e3::/64", // amsterdam external (equinix)
+      "ip4:87.252.214.96/27",       // dublin external (equinix)
+      "ip6:2001:4d78:fe03:1c::/64", // dublin external (equinix)
+      "ip4:184.104.179.128/27",     // amsterdam external (he.net)
+      "ip6:2001:470:1:fa1::/64",    // amsterdam external (he.net)
+      "ip4:184.104.226.96/27",      // dublin external (he.net)
+      "ip6:2001:470:1:b3b::/64",    // dublin external (he.net)
+      "mx",                         // safety net if we change mx
+      "-all"
+    ]
+  }),
+
+  SPF_BUILDER({
+    label: "noreply",
+    parts: [
+      "v=spf1",
+      "ip4:184.104.226.98",         // fafnir ipv4 (he.net)
+      "ip6:2001:470:1:b3b::2",      // fafnir ipv6 (he.net)
+      "ip4:87.252.214.98",          // fafnir ipv4 (equinix)
+      "ip6:2001:4d78:fe03:1c::2",   // fafnir ipv6 (equinix)
+      "ip4:193.60.236.0/24",        // ucl external
+      "ip4:82.199.86.96/27",        // amsterdam external (equinix)
+      "ip6:2001:4d78:500:5e3::/64", // amsterdam external (equinix)
+      "ip4:87.252.214.96/27",       // dublin external (equinix)
+      "ip6:2001:4d78:fe03:1c::/64", // dublin external (equinix)
+      "ip4:184.104.179.128/27",     // amsterdam external (he.net)
+      "ip6:2001:470:1:fa1::/64",    // amsterdam external (he.net)
+      "ip4:184.104.226.96/27",      // dublin external (he.net)
+      "ip6:2001:470:1:b3b::/64",    // dublin external (he.net)
+      "mx",                         // safety net if we change mx
+      "-all"
+    ]
+  }),
+
+  SPF_BUILDER({
+    label: "otrs",
+    parts: [
+      "v=spf1",
+      "ip4:184.104.226.98",         // fafnir ipv4 (he.net)
+      "ip6:2001:470:1:b3b::2",      // fafnir ipv6 (he.net)
+      "ip4:87.252.214.98",          // fafnir ipv4 (equinix)
+      "ip6:2001:4d78:fe03:1c::2",   // fafnir ipv6 (equinix)
+      "ip4:193.60.236.0/24",        // ucl external
+      "ip4:82.199.86.96/27",        // amsterdam external (equinix)
+      "ip6:2001:4d78:500:5e3::/64", // amsterdam external (equinix)
+      "ip4:87.252.214.96/27",       // dublin external (equinix)
+      "ip6:2001:4d78:fe03:1c::/64", // dublin external (equinix)
+      "ip4:184.104.179.128/27",     // amsterdam external (he.net)
+      "ip6:2001:470:1:fa1::/64",    // amsterdam external (he.net)
+      "ip4:184.104.226.96/27",      // dublin external (he.net)
+      "ip6:2001:470:1:b3b::/64",    // dublin external (he.net)
+      "mx",                         // safety net if we change mx
+      "-all"
+    ]
+  }),
+
+  SPF_BUILDER({
+    label: "community",
+    parts: [
+      "v=spf1",
+      "ip4:184.104.226.98",         // fafnir ipv4 (he.net)
+      "ip6:2001:470:1:b3b::2",      // fafnir ipv6 (he.net)
+      "ip4:87.252.214.98",          // fafnir ipv4 (equinix)
+      "ip6:2001:4d78:fe03:1c::2",   // fafnir ipv6 (equinix)
+      "ip4:193.60.236.0/24",        // ucl external
+      "ip4:82.199.86.96/27",        // amsterdam external (equinix)
+      "ip6:2001:4d78:500:5e3::/64", // amsterdam external (equinix)
+      "ip4:87.252.214.96/27",       // dublin external (equinix)
+      "ip6:2001:4d78:fe03:1c::/64", // dublin external (equinix)
+      "ip4:184.104.179.128/27",     // amsterdam external (he.net)
+      "ip6:2001:470:1:fa1::/64",    // amsterdam external (he.net)
+      "ip4:184.104.226.96/27",      // dublin external (he.net)
+      "ip6:2001:470:1:b3b::/64",    // dublin external (he.net)
+      "mx",                         // safety net if we change mx
+      "-all"
+    ]
+  }),
+
+  SPF_BUILDER({
+    label: "supporting",
+    parts: [
+      "v=spf1",
+      "ip4:184.104.226.98",         // fafnir ipv4 (he.net)
+      "ip6:2001:470:1:b3b::2",      // fafnir ipv6 (he.net)
+      "ip4:87.252.214.98",          // fafnir ipv4 (equinix)
+      "ip6:2001:4d78:fe03:1c::2",   // fafnir ipv6 (equinix)
+      "ip4:193.60.236.0/24",        // ucl external
+      "ip4:82.199.86.96/27",        // amsterdam external (equinix)
+      "ip6:2001:4d78:500:5e3::/64", // amsterdam external (equinix)
+      "ip4:87.252.214.96/27",       // dublin external (equinix)
+      "ip6:2001:4d78:fe03:1c::/64", // dublin external (equinix)
+      "ip4:184.104.179.128/27",     // amsterdam external (he.net)
+      "ip6:2001:470:1:fa1::/64",    // amsterdam external (he.net)
+      "ip4:184.104.226.96/27",      // dublin external (he.net)
+      "ip6:2001:470:1:b3b::/64",    // dublin external (he.net)
+      "mx",                         // safety net if we change mx
+      "-all"
+    ]
+  }),
+
+  // Publish DKIM public key
+
+  TXT("20200301._domainkey", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzvoNZVOGfw1V4A171hxHMhzVTAnIUQVJ8iX3wbqCld8A5iIaXeTGYvBmewymax/cYJS4QqzbpUzkgrrTA9avuZhd+QGJDgjADgx4VyMOaOS6FwAxS0uXtLrt+lsixRDx/feKyZHaxjzJAQy46ok77xXL4UXIaaovw6G6eZpIScMzZQ2zkKNJxTICzzSOduIilHhMWte4XP+/2PdRmD7Ge9jb0U4bZjswX0AqKSGzDKYw+yxVna9l53adeCnklqg2ofoXu+ResiH+kt05aCUOMo8en3em6yBnRCMalgi1E3Tt7I5BWcYFRkT/8agUGW4gGC6XMV9IskOsYL0emG0kGwIDAQAB", AUTOSPLIT),
+
+  // Publish DMARC report-only policy
+
+  DMARC_BUILDER({
+    policy: "none",
+    rua: [
+      "mailto:openstreetmap-d@dmarc.report-uri.com"
+    ],
+    failureOptions: 1
+  }),
 
   // Announce MTA-STS policy and TLSRPT policy for error reports
 
   TXT("_mta-sts", "v=STSv1; id=202001291805Z"),
-  TXT("_smtp._tls", "v=TLSRPTv1; rua=mailto:postmaster@openstreetmap.org"),
+  TXT("_smtp._tls", "v=TLSRPTv1; rua=mailto:openstreetmap-d@tlsrpt.report-uri.com"),
+
+  // Fastly cert domain ownership confirmation
+
+  TXT("@", "_globalsign-domain-verification=ps00GlW1BzY9c2_cwH_pFqRkvzZyaCVZ-3RLssRG6S"),
+  TXT("@", "_globalsign-domain-verification=W0buKB5ZmL-VwwHw2oQyQImk3I1q3hSemf2qmB1hjP"),
+
+  // Facebook Business domain verification
+
+  TXT("@", "facebook-domain-verification=j5hix5i8r0kortfugqf2p9wx9x9by0"),
+
+  // Bluesky domain verification
+
+  TXT("_atproto", "did=did:plc:i6llv7iwybeipknl57v4dalb"),
 
   // Delegate MTA-STS policy for subdomains
 
   CNAME("_mta-sts.messages", QUALIFY("_mta-sts")),
   CNAME("_mta-sts.noreply", QUALIFY("_mta-sts")),
   CNAME("_mta-sts.otrs", QUALIFY("_mta-sts")),
+  CNAME("_mta-sts.community", QUALIFY("_mta-sts")),
+  CNAME("_mta-sts.supporting", QUALIFY("_mta-sts")),
 
   // Google postmaster tools verification
 
   CNAME("af323lytato5", "gv-o4v3qh5pfayqex.dv.googlehosted.com."),
   CNAME("irzdddnmh465", "gv-cwr6bvt7xsgact.dv.googlehosted.com."),
 
-  // Delegate geo.openstreetmap.org to PowerDNS
-
-  NS("geo", QUALIFY("saphira")),
-  NS("geo", QUALIFY("ridgeback")),
-  NS("geo", QUALIFY("jakelong")),
-  NS("geo", QUALIFY("katie")),
-  NS("geo", QUALIFY("stormfly-02")),
-  NS("geo", QUALIFY("chrysophylax")),
-
   // Main web servers and their aliases
 
-  A("spike-04", "89.16.162.21"),
-  AAAA("spike-04", "2001:41c9:2:d6::21"),
-  // A("@", "89.16.162.21", TTL("10m")),
-  // AAAA("@", "2001:41c9:2:d6::21", TTL("10m")),
-  // A("www", "89.16.162.21", TTL("10m")),
-  // AAAA("www", "2001:41c9:2:d6::21", TTL("10m")),
-  // A("api", "89.16.162.21", TTL("10m")),
-  // AAAA("api", "2001:41c9:2:d6::21", TTL("10m")),
-  // A("maps", "89.16.162.21", TTL("10m")),
-  // AAAA("maps", "2001:41c9:2:d6::21", TTL("10m")),
-  // A("mapz", "89.16.162.21", TTL("10m")),
-  // AAAA("mapz", "2001:41c9:2:d6::21", TTL("10m")),
-  A("spike-04.bm", "10.0.32.21"),
-  A("spike-04.oob", "10.0.33.21"),
-
-  A("spike-05", "89.16.162.22"),
-  AAAA("spike-05", "2001:41c9:2:d6::22"),
-  // A("@", "89.16.162.22", TTL("10m")),
-  // AAAA("@", "2001:41c9:2:d6::22", TTL("10m")),
-  // A("www", "89.16.162.22", TTL("10m")),
-  // AAAA("www", "2001:41c9:2:d6::22", TTL("10m")),
-  // A("api", "89.16.162.22", TTL("10m")),
-  // AAAA("api", "2001:41c9:2:d6::22", TTL("10m")),
-  // A("maps", "89.16.162.22", TTL("10m")),
-  // AAAA("maps", "2001:41c9:2:d6::22", TTL("10m")),
-  // A("mapz", "89.16.162.22", TTL("10m")),
-  // AAAA("mapz", "2001:41c9:2:d6::22", TTL("10m")),
-  A("spike-05.bm", "10.0.32.22"),
-  A("spike-05.oob", "10.0.33.22"),
-
-  A("spike-06", "130.117.76.11"),
-  AAAA("spike-06", "2001:978:2:2c::172:B"),
-  A("@", "130.117.76.11", TTL("10m")),
-  AAAA("@", "2001:978:2:2c::172:B", TTL("10m")),
-  A("www", "130.117.76.11", TTL("10m")),
-  AAAA("www", "2001:978:2:2c::172:B", TTL("10m")),
-  A("api", "130.117.76.11", TTL("10m")),
-  AAAA("api", "2001:978:2:2c::172:B", TTL("10m")),
-  A("maps", "130.117.76.11", TTL("10m")),
-  AAAA("maps", "2001:978:2:2c::172:B", TTL("10m")),
-  A("mapz", "130.117.76.11", TTL("10m")),
-  AAAA("mapz", "2001:978:2:2c::172:B", TTL("10m")),
-  A("spike-06.ams", "10.0.48.11"),
-  A("spike-06.oob", "10.0.49.11"),
-
-  A("spike-07", "130.117.76.12"),
-  AAAA("spike-07", "2001:978:2:2c::172:C"),
-  A("@", "130.117.76.12", TTL("10m")),
-  AAAA("@", "2001:978:2:2c::172:C", TTL("10m")),
-  A("www", "130.117.76.12", TTL("10m")),
-  AAAA("www", "2001:978:2:2c::172:C", TTL("10m")),
-  A("api", "130.117.76.12", TTL("10m")),
-  AAAA("api", "2001:978:2:2c::172:C", TTL("10m")),
-  A("maps", "130.117.76.12", TTL("10m")),
-  AAAA("maps", "2001:978:2:2c::172:C", TTL("10m")),
-  A("mapz", "130.117.76.12", TTL("10m")),
-  AAAA("mapz", "2001:978:2:2c::172:C", TTL("10m")),
-  A("spike-07.ams", "10.0.48.12"),
-  A("spike-07.oob", "10.0.49.12"),
-
-  A("spike-08", "130.117.76.13"),
-  AAAA("spike-08", "2001:978:2:2c::172:D"),
-  A("@", "130.117.76.13", TTL("10m")),
-  AAAA("@", "2001:978:2:2c::172:D", TTL("10m")),
-  A("www", "130.117.76.13", TTL("10m")),
-  AAAA("www", "2001:978:2:2c::172:D", TTL("10m")),
-  A("api", "130.117.76.13", TTL("10m")),
-  AAAA("api", "2001:978:2:2c::172:D", TTL("10m")),
-  A("maps", "130.117.76.13", TTL("10m")),
-  AAAA("maps", "2001:978:2:2c::172:D", TTL("10m")),
-  A("mapz", "130.117.76.13", TTL("10m")),
-  AAAA("mapz", "2001:978:2:2c::172:D", TTL("10m")),
-  A("spike-08.ams", "10.0.48.13"),
-  A("spike-08.oob", "10.0.49.13"),
-
-  // Rails application servers
-
-  A("thorn-01.ams", "10.0.48.51"),
-  A("rails1.ams", "10.0.48.51"),
-  A("thorn-01.oob", "10.0.49.51"),
-
-  A("thorn-02.ams", "10.0.48.52"),
-  A("rails2.ams", "10.0.48.52"),
-  A("thorn-02.oob", "10.0.49.52"),
-
-  A("thorn-03.ams", "10.0.48.53"),
-  A("rails3.ams", "10.0.48.53"),
-  A("thorn-03.oob", "10.0.49.53"),
-
-  A("thorn-04.bm", "10.0.32.41"),
-  A("rails4.bm", "10.0.32.41"),
-  A("thorn-04.oob", "10.0.33.41"),
-
-  A("thorn-05.bm", "10.0.32.42"),
-  A("rails5.bm", "10.0.32.42"),
-  A("thorn-05.oob", "10.0.33.42"),
+  A("spike-01", SPIKE01_IPV4),
+  AAAA("spike-01", SPIKE01_IPV6),
+  // A("@", SPIKE01_IPV4),
+  // AAAA("@", SPIKE01_IPV6),
+  // A("www", SPIKE01_IPV4),
+  // AAAA("www", SPIKE01_IPV6),
+  // A("api", SPIKE01_IPV4),
+  // AAAA("api", SPIKE01_IPV6),
+  // A("maps", SPIKE01_IPV4),
+  // AAAA("maps", SPIKE01_IPV6),
+  // A("mapz", SPIKE01_IPV4),
+  // AAAA("mapz", SPIKE01_IPV6),
+  A("spike-01.dub", SPIKE01_INTERNAL),
+  A("spike-01.oob", SPIKE01_OOB),
+
+  A("spike-02", SPIKE02_IPV4),
+  AAAA("spike-02", SPIKE02_IPV6),
+  // A("@", SPIKE02_IPV4),
+  // AAAA("@", SPIKE02_IPV6),
+  // A("www", SPIKE02_IPV4),
+  // AAAA("www", SPIKE02_IPV6),
+  // A("api", SPIKE02_IPV4),
+  // AAAA("api", SPIKE02_IPV6),
+  // A("maps", SPIKE02_IPV4),
+  // AAAA("maps", SPIKE02_IPV6),
+  // A("mapz", SPIKE02_IPV4),
+  // AAAA("mapz", SPIKE02_IPV6),
+  A("spike-02.dub", SPIKE02_INTERNAL),
+  A("spike-02.oob", SPIKE02_OOB),
+
+  A("spike-03", SPIKE03_IPV4),
+  AAAA("spike-03", SPIKE03_IPV6),
+  // A("@", SPIKE03_IPV4),
+  // AAAA("@", SPIKE03_IPV6),
+  // A("www", SPIKE03_IPV4),
+  // AAAA("www", SPIKE03_IPV6),
+  // A("api", SPIKE03_IPV4),
+  // AAAA("api", SPIKE03_IPV6),
+  // A("maps", SPIKE03_IPV4),
+  // AAAA("maps", SPIKE03_IPV6),
+  // A("mapz", SPIKE03_IPV4),
+  // AAAA("mapz", SPIKE03_IPV6),
+  A("spike-03.dub", SPIKE03_INTERNAL),
+  A("spike-03.oob", SPIKE03_OOB),
+
+  A("spike-06", SPIKE06_IPV4),
+  AAAA("spike-06", SPIKE06_IPV6),
+  A("@", SPIKE06_IPV4, CF_PROXY_ON),
+  AAAA("@", SPIKE06_IPV6, CF_PROXY_ON),
+  A("www", SPIKE06_IPV4, CF_PROXY_ON),
+  AAAA("www", SPIKE06_IPV6, CF_PROXY_ON),
+  A("api", SPIKE06_IPV4, CF_PROXY_ON),
+  AAAA("api", SPIKE06_IPV6, CF_PROXY_ON),
+  A("maps", SPIKE06_IPV4, CF_PROXY_ON),
+  AAAA("maps", SPIKE06_IPV6, CF_PROXY_ON),
+  A("mapz", SPIKE06_IPV4, CF_PROXY_ON),
+  AAAA("mapz", SPIKE06_IPV6, CF_PROXY_ON),
+  A("spike-06.ams", SPIKE06_INTERNAL),
+  A("spike-06.oob", SPIKE06_OOB),
+
+  A("spike-07", SPIKE07_IPV4),
+  AAAA("spike-07", SPIKE07_IPV6),
+  A("@", SPIKE07_IPV4, CF_PROXY_ON),
+  AAAA("@", SPIKE07_IPV6, CF_PROXY_ON),
+  A("www", SPIKE07_IPV4, CF_PROXY_ON),
+  AAAA("www", SPIKE07_IPV6, CF_PROXY_ON),
+  A("api", SPIKE07_IPV4, CF_PROXY_ON),
+  AAAA("api", SPIKE07_IPV6, CF_PROXY_ON),
+  A("maps", SPIKE07_IPV4, CF_PROXY_ON),
+  AAAA("maps", SPIKE07_IPV6, CF_PROXY_ON),
+  A("mapz", SPIKE07_IPV4, CF_PROXY_ON),
+  AAAA("mapz", SPIKE07_IPV6, CF_PROXY_ON),
+  A("spike-07.ams", SPIKE07_INTERNAL),
+  A("spike-07.oob", SPIKE07_OOB),
+
+  A("spike-08", SPIKE08_IPV4),
+  AAAA("spike-08", SPIKE08_IPV6),
+  A("@", SPIKE08_IPV4, CF_PROXY_ON),
+  AAAA("@", SPIKE08_IPV6, CF_PROXY_ON),
+  A("www", SPIKE08_IPV4, CF_PROXY_ON),
+  AAAA("www", SPIKE08_IPV6, CF_PROXY_ON),
+  A("api", SPIKE08_IPV4, CF_PROXY_ON),
+  AAAA("api", SPIKE08_IPV6, CF_PROXY_ON),
+  A("maps", SPIKE08_IPV4, CF_PROXY_ON),
+  AAAA("maps", SPIKE08_IPV6, CF_PROXY_ON),
+  A("mapz", SPIKE08_IPV4, CF_PROXY_ON),
+  AAAA("mapz", SPIKE08_IPV6, CF_PROXY_ON),
+  A("spike-08.ams", SPIKE08_INTERNAL),
+  A("spike-08.oob", SPIKE08_OOB),
+
+  // HTTPS / SVCB records
+  HTTPS("www", 1, ".", "alpn=h2"),
+  HTTPS("api", 1, ".", "alpn=h2"),
+  HTTPS("maps", 1, ".", "alpn=h2"),
+  HTTPS("mapz", 1, ".", "alpn=h2"),
 
   // Nominatim servers
 
-  A("pummelzacken", "193.60.236.18"),
-  // A("nominatim", "193.60.236.18", TTL("10m")),
-  A("pummelzacken.ucl", "10.0.0.20"),
-  A("pummelzacken.oob", "10.0.1.20"),
+  A("dulcy", DULCY_IPV4),
+  AAAA("dulcy", DULCY_IPV6),
+  A("dulcy.ams", DULCY_INTERNAL),
+  A("dulcy.oob", DULCY_OOB),
 
-  A("dulcy", "130.117.76.9"),
-  AAAA("dulcy", "2001:978:2:2c::172:9"),
-  A("nominatim", "130.117.76.9", TTL("10m")),
-  AAAA("nominatim", "2001:978:2:2c::172:9", TTL("10m")),
-  A("dulcy.ams", "10.0.48.9"),
-  A("dulcy.oob", "10.0.49.9"),
+  A("longma", LONGMA_IPV4),
+  AAAA("longma", LONGMA_IPV6),
+  A("longma.dub", LONGMA_INTERNAL),
+  A("longma.oob", LONGMA_OOB),
 
-  // Taginfo server
+  A("stormfly-04", STORMFLY04_IPV4),
+  AAAA("stormfly-04", STORMFLY04_IPV6),
+  A("stormfly-04.oob", STORMFLY04_OOB),
 
-  A("grindtooth", "193.60.236.15"),
-  A("taginfo", "193.60.236.15", TTL("10m")),
-  A("grindtooth.ucl", "10.0.0.19"),
-  A("grindtooth.oob", "10.0.1.19"),
+  A("vhagar", VHAGAR_IPV4),
+  AAAA("vhagar", VHAGAR_IPV6),
+  A("vhagar.ams", VHAGAR_INTERNAL),
+  A("vhagar.oob", VHAGAR_OOB),
 
-  A("stormfly-01", "140.211.167.104"),
-  AAAA("stormfly-01", "2605:bc80:3010:700::8cde:a768"),
-  // A("taginfo", "140.211.167.104", TTL("10m")),
-  // AAAA("taginfo", "2605:bc80:3010:700::8cde:a768", TTL("10m")),
-  A("stormfly-01.oob", "10.0.0.99"),
+  CNAME("nominatim", "nominatim.geo.openstreetmap.org."),
+  CNAME("qgis.nominatim", "nominatim.geo.openstreetmap.org."),
+  CNAME("qa-tile.nominatim", "longma.openstreetmap.org."),
 
   // Tile servers
 
-  A("orm", "130.117.76.3"),
-  AAAA("orm", "2001:978:2:2c::172:3"),
-  A("orm.ams", "10.0.48.3"),
-  A("orm.oob", "10.0.49.3"),
-
-  A("odin", "130.117.76.15"),
-  AAAA("odin", "2001:978:2:2c::172:f"),
-  A("odin.ams", "10.0.48.15"),
-  A("odin.oob", "10.0.49.15"),
-
-  A("ysera", "193.60.236.22"),
-  A("ysera.ucl", "10.0.0.15"),
-  A("ysera.oob", "10.0.1.15"),
-
-  A("scorch", "176.31.235.79"),
-  AAAA("scorch", "2001:41d0:2:fc4f::1"),
-
-  A("rhaegal", "161.53.248.77"),
-
-  A("pyrene", "140.211.167.98"),
-  AAAA("pyrene", "2605:bc80:3010:700::8cd3:a762"),
-  A("pyrene.oob", "10.0.0.40"),
-
-  A("bowser", "138.44.68.106"),
-
-  CNAME("tile", QUALIFY("tile.geo")),
-  CNAME("a.tile", QUALIFY("tile.geo")),
-  CNAME("b.tile", QUALIFY("tile.geo")),
-  CNAME("c.tile", QUALIFY("tile.geo")),
-
-  // Services machine
-
-  A("ironbelly", "130.117.76.10"),
-  AAAA("ironbelly", "2001:978:2:2c::172:a"),
-  A("backup", "130.117.76.10", TTL("10m")),
-  AAAA("backup", "2001:978:2:2c::172:a", TTL("10m")),
-  A("planet", "130.117.76.10", TTL("10m")),
-  AAAA("planet", "2001:978:2:2c::172:a", TTL("10m")),
-  A("logstash", "130.117.76.10"),
-  AAAA("logstash", "2001:978:2:2c::172:a"),
-  A("ironbelly.ams", "10.0.48.10"),
-  A("ironbelly.oob", "10.0.49.10"),
-
-  A("grisu", "89.16.162.20"),
-  AAAA("grisu", "2001:41c9:2:d6::20"),
-  // A("backup", "89.16.162.20", TTL("10m")),
-  // AAAA("backup", "2001:41c9:2:d6::20", TTL("10m")),
-  // A("planet", "89.16.162.20", TTL("10m")),
-  // AAAA("planet", "2001:41c9:2:d6::20", TTL("10m")),
-  A("grisu.bm", "10.0.32.20"),
-  A("grisu.oob", "10.0.33.20"),
+  A("odin", ODIN_IPV4),
+  AAAA("odin", ODIN_IPV6),
+  A("odin.ams", ODIN_INTERNAL),
+  A("odin.oob", ODIN_OOB),
+
+  A("ysera", YSERA_IPV4),
+  A("ysera.ucl", YSERA_INTERNAL),
+  A("ysera.oob", YSERA_OOB),
+
+  A("culebre", CULEBRE_IPV4),
+  AAAA("culebre", CULEBRE_IPV6),
+  A("culebre.dub", CULEBRE_INTERNAL),
+  A("culebre.oob", CULEBRE_OOB),
+
+  A("nidhogg", NIDHOGG_IPV4),
+  AAAA("nidhogg", NIDHOGG_IPV6),
+  A("nidhogg.oob", NIDHOGG_OOB),
+
+  A("wawel", WAWEL_IPV4),
+
+  A("scorch", SCORCH_IPV4),
+  AAAA("scorch", SCORCH_IPV6),
+
+  A("rhaegal", RHAEGAL_IPV4),
+  AAAA("rhaegal", RHAEGAL_IPV6),
+
+  A("palulukon", PALULUKON_IPV4),
+
+  A("piasa", PIASA_IPV4),
+  AAAA("piasa", PIASA_IPV6),
+  A("piasa.oob", PIASA_OOB),
+
+  A("bowser", BOWSER_IPV4),
+
+  A("balerion", BALERION_IPV4),
+
+  A("albi", ALBI_IPV4),
+  AAAA("albi", ALBI_IPV6),
+
+  CNAME("tile", "dualstack.n.sni.global.fastly.net."),
+  CNAME("a.tile", "dualstack.n.sni.global.fastly.net."),
+  CNAME("b.tile", "dualstack.n.sni.global.fastly.net."),
+  CNAME("c.tile", "dualstack.n.sni.global.fastly.net."),
+
+  A("render", CULEBRE_IPV4),
+  A("render", NIDHOGG_IPV4),
+  AAAA("render", CULEBRE_IPV6),
+  AAAA("render", NIDHOGG_IPV6),
+
+  // Vector tile servers
+
+  A("cmok", CMOK_IPV4),
+
+  CNAME("vector", "dualstack.n.sni.global.fastly.net."),
+
+  // Site gateways
+
+  A("fafnir", FAFNIR_IPV4),
+  AAAA("fafnir", FAFNIR_IPV6),
+  A("fafnir.dub", FAFNIR_INTERNAL),
+  A("fafnir.oob", FAFNIR_OOB),
+
+  // Planet servers
+
+  A("norbert", NORBERT_IPV4),
+  AAAA("norbert", NORBERT_IPV6),
+  A("backup", NORBERT_IPV4),
+  AAAA("backup", NORBERT_IPV6),
+  A("planet", NORBERT_IPV4),
+  AAAA("planet", NORBERT_IPV6),
+  A("norbert.ams", NORBERT_INTERNAL),
+  A("norbert.oob", NORBERT_OOB),
+
+  // HTTPS / SVCB records
+  HTTPS("planet", 1, ".", "alpn=h2"),
+
+  A("horntail", HORNTAIL_IPV4),
+  AAAA("horntail", HORNTAIL_IPV6),
+  // A("backup", HORNTAIL_IPV4),
+  // AAAA("backup", HORNTAIL_IPV6),
+  // A("planet", HORNTAIL_IPV4),
+  // AAAA("planet", HORNTAIL_IPV6),
+  A("horntail.dub", HORNTAIL_INTERNAL),
+  A("horntail.oob", HORNTAIL_OOB),
 
   // Database servers
 
-  A("karm.ams", "10.0.48.50"),
-  A("karm.oob", "10.0.49.50"),
+  A("snap-01.ams", SNAP01_INTERNAL),
+  A("snap-01.oob", SNAP01_OOB),
+
+  A("snap-02.ucl", SNAP02_INTERNAL),
+  A("snap-02.oob", SNAP02_OOB),
 
-  A("eddie.ucl", "10.0.0.10"),
-  A("eddie.oob", "10.0.1.10"),
+  A("snap-03.dub", SNAP03_INTERNAL),
+  A("snap-03.oob", SNAP03_OOB),
 
-  A("katla.bm", "10.0.32.40"),
-  A("katla.oob", "10.0.33.40"),
+  A("karm.ams", KARM_INTERNAL),
+  A("karm.oob", KARM_OOB),
 
-  A("ramoth.ams", "10.0.48.5"),
-  A("ramoth.oob", "10.0.49.5"),
+  A("eddie.ucl", EDDIE_INTERNAL),
+  A("eddie.oob", EDDIE_OOB),
 
   // Development server with wildcard alias for user sites
 
-  A("errol", "193.60.236.13"),
-  A("dev", "193.60.236.13"),
-  A("*.dev", "193.60.236.13"),
-  A("ooc", "193.60.236.13"),
-  A("a.ooc", "193.60.236.13"),
-  A("b.ooc", "193.60.236.13"),
-  A("c.ooc", "193.60.236.13"),
-  A("npe", "193.60.236.13"),
-  A("errol.ucl", "10.0.0.14"),
-  A("errol.oob", "10.0.1.14"),
+  A("faffy", FAFFY_IPV4),
+  AAAA("faffy", FAFFY_IPV6),
+  A("dev", FAFFY_IPV4),
+  AAAA("dev", FAFFY_IPV6),
+  A("*.dev", FAFFY_IPV4),
+  AAAA("*.dev", FAFFY_IPV6),
+  A("ooc", FAFFY_IPV4),
+  AAAA("ooc", FAFFY_IPV6),
+  A("a.ooc", FAFFY_IPV4),
+  AAAA("a.ooc", FAFFY_IPV6),
+  A("b.ooc", FAFFY_IPV4),
+  AAAA("b.ooc", FAFFY_IPV6),
+  A("c.ooc", FAFFY_IPV4),
+  AAAA("c.ooc", FAFFY_IPV6),
+  A("npe", FAFFY_IPV4),
+  AAAA("npe", FAFFY_IPV6),
+  A("faffy.ams", FAFFY_INTERNAL),
+  A("faffy.oob", FAFFY_OOB),
 
   // Foundation server
 
-  A("ridley", "193.60.236.19"),
-  A("otrs", "193.60.236.19"),
-  A("blog", "193.60.236.19"),
-  A("foundation", "193.60.236.19"),
-  A("hot", "193.60.236.19"),
-  A("dmca", "193.60.236.19"),
-  A("ridley.ucl", "10.0.0.3"),
-  A("ridley.oob", "10.0.1.3"),
+  A("ridley", RIDLEY_IPV4),
+  A("blog", RIDLEY_IPV4),
+  A("foundation", RIDLEY_IPV4),
+  A("ridley.ucl", RIDLEY_INTERNAL),
+  A("ridley.oob", RIDLEY_OOB),
 
-  // Piwik server
+  // HTTPS / SVCB records
+  HTTPS("blog", 1, ".", "alpn=h2"),
+  HTTPS("foundation", 1, ".", "alpn=h2"),
 
-  A("eustace", "193.60.236.14"),
-  A("piwik", "193.60.236.14"),
-  A("eustace.ucl", "10.0.0.9"),
-  A("eustace.oob", "10.0.1.9"),
+  // Matomo server
+
+  A("smaug", SMAUG_IPV4),
+  AAAA("smaug", SMAUG_IPV6),
+  A("matomo", SMAUG_IPV4),
+  AAAA("matomo", SMAUG_IPV6),
+  A("piwik", SMAUG_IPV4),
+  AAAA("piwik", SMAUG_IPV6),
+  A("smaug.dub", SMAUG_INTERNAL),
+  A("smaug.oob", SMAUG_OOB),
+
+  // HTTPS / SVCB records
+  HTTPS("matomo", 1, ".", "alpn=h2"),
+  HTTPS("piwik", 1, ".", "alpn=h2"),
 
   // Imagery servers
 
-  A("draco", "193.60.236.12"),
-  A("draco.ucl", "10.0.0.11"),
-  A("draco.oob", "10.0.1.11"),
-
-  A("kessie", "178.250.74.36"),
-  AAAA("kessie", "2a02:1658:4:0:dad3:85ff:fe5d:875e"),
-  A("agri", "178.250.74.36", TTL("1h")),
-  AAAA("agri", "2a02:1658:4:0:dad3:85ff:fe5d:875e", TTL("1h")),
-  A("a.agri", "178.250.74.36", TTL("1h")),
-  AAAA("a.agri", "2a02:1658:4:0:dad3:85ff:fe5d:875e", TTL("1h")),
-  A("b.agri", "178.250.74.36", TTL("1h")),
-  AAAA("b.agri", "2a02:1658:4:0:dad3:85ff:fe5d:875e", TTL("1h")),
-  A("c.agri", "178.250.74.36", TTL("1h")),
-  AAAA("c.agri", "2a02:1658:4:0:dad3:85ff:fe5d:875e", TTL("1h")),
-  A("os", "178.250.74.36", TTL("1h")),
-  AAAA("os", "2a02:1658:4:0:dad3:85ff:fe5d:875e", TTL("1h")),
-  A("a.os", "178.250.74.36", TTL("1h")),
-  AAAA("a.os", "2a02:1658:4:0:dad3:85ff:fe5d:875e", TTL("1h")),
-  A("b.os", "178.250.74.36", TTL("1h")),
-  AAAA("b.os", "2a02:1658:4:0:dad3:85ff:fe5d:875e", TTL("1h")),
-  A("c.os", "178.250.74.36", TTL("1h")),
-  AAAA("c.os", "2a02:1658:4:0:dad3:85ff:fe5d:875e", TTL("1h")),
-  A("kessie.oob", "178.250.74.37"),
-
-  // Munin server
-
-  A("urmel", "193.60.236.21"),
-  A("munin", "193.60.236.21"),
-  A("urmel.ucl", "10.0.0.6"),
-  A("urmel.oob", "10.0.1.6"),
-
-  // Chef server
-
-  A("sarel", "193.60.236.20"),
-  A("chef", "193.60.236.20"),
-  A("hardware", "193.60.236.20"),
-  A("acme", "193.60.236.20"),
-  A("git", "193.60.236.20", TTL("10m")),
-  A("dns", "193.60.236.20", TTL("10m")),
-  A("sarel.ucl", "10.0.0.12"),
-  A("sarel.oob", "10.0.1.12"),
-
-  // Forum server
-
-  A("clifford", "193.60.236.11"),
-  A("forum", "193.60.236.11", TTL("10m")),
-  A("clifford.ucl", "10.0.0.17"),
-  A("clifford.oob", "10.0.1.17"),
+  A("agri", LOCKHEED_IPV4),
+  AAAA("agri", LOCKHEED_IPV6),
+  A("a.agri", LOCKHEED_IPV4),
+  AAAA("a.agri", LOCKHEED_IPV6),
+  A("b.agri", LOCKHEED_IPV4),
+  AAAA("b.agri", LOCKHEED_IPV6),
+  A("c.agri", LOCKHEED_IPV4),
+  AAAA("c.agri", LOCKHEED_IPV6),
+  A("os", LOCKHEED_IPV4),
+  AAAA("os", LOCKHEED_IPV6),
+  A("a.os", LOCKHEED_IPV4),
+  AAAA("a.os", LOCKHEED_IPV6),
+  A("b.os", LOCKHEED_IPV4),
+  AAAA("b.os", LOCKHEED_IPV6),
+  A("c.os", LOCKHEED_IPV4),
+  AAAA("c.os", LOCKHEED_IPV6),
+
+
+  // Prometheus server and munin redirect
+
+  A("stormfly-03", STORMFLY03_IPV4),
+  AAAA("stormfly-03", STORMFLY03_IPV6),
+  A("prometheus", STORMFLY03_IPV4),
+  AAAA("prometheus", STORMFLY03_IPV6),
+  A("munin", STORMFLY03_IPV4),
+  AAAA("munin", STORMFLY03_IPV6),
+  A("stormfly-03.oob", STORMFLY03_OOB),
+
+  // HTTPS / SVCB records
+  HTTPS("prometheus", 1, ".", "alpn=h2"),
+  HTTPS("munin", 1, ".", "alpn=h2"),
+
+  // Management server
+
+  A("idris", IDRIS_IPV4),
+  AAAA("idris", IDRIS_IPV6),
+  A("acme", IDRIS_IPV4),
+  AAAA("acme", IDRIS_IPV6),
+  A("apt", IDRIS_IPV4),
+  AAAA("apt", IDRIS_IPV6),
+  A("chef", IDRIS_IPV4),
+  AAAA("chef", IDRIS_IPV6),
+  A("dns", IDRIS_IPV4),
+  AAAA("dns", IDRIS_IPV6),
+  A("git", IDRIS_IPV4),
+  AAAA("git", IDRIS_IPV6),
+  A("hardware", IDRIS_IPV4),
+  AAAA("hardware", IDRIS_IPV6),
+  A("idris.dub", IDRIS_INTERNAL),
+  A("idris.oob", IDRIS_OOB),
+
+  // HTTPS / SVCB records
+  HTTPS("acme", 1, ".", "alpn=h2"),
+  HTTPS("chef", 1, ".", "alpn=h2"),
+  HTTPS("dns", 1, ".", "alpn=h2"),
+  HTTPS("git", 1, ".", "alpn=h2"),
+  HTTPS("hardware", 1, ".", "alpn=h2"),
 
   // KVMs
 
-  A("kvm1.ucl", "10.0.0.21"),
+  A("kvm1.ucl", KVM1_INTERNAL),
 
   // Managed network switches
 
-  A("switch1", "130.117.76.2"),
-  AAAA("switch1", "2001:978:2:2c::172:2"),
+  A("switch1.ams", SWITCH1AMS_IPV4),
+  AAAA("switch1.ams", SWITCH1AMS_IPV6),
+
+  A("switch1.dub", SWITCH1DUB_IPV4),
+  AAAA("switch1.dub", SWITCH1DUB_IPV6),
 
   // Managed power strips
 
-  A("pdu1.ams", "10.0.48.100"),
-  A("pdu2.ams", "10.0.48.101"),
+  A("pdu1.ams", PDU1AMS_INTERNAL),
+  A("pdu2.ams", PDU2AMS_INTERNAL),
+
+  A("pdu1.dub", PDU1DUB_INTERNAL),
+  A("pdu2.dub", PDU2DUB_INTERNAL),
+
+  // Out of band access servers
+
+  A("oob1.ams", OOB1AMS_INTERNAL),
+
+  A("oob1.dub", OOB1DUB_INTERNAL),
+
+  // Network gateways
+
+  A("equinix-gw.ams", EQUINIXGWAMS_IPV4),
+  AAAA("equinix-gw.ams", EQUINIXGWAMS_IPV6),
+  A("equinix-gw-1.ams", EQUINIXGW1AMS_IPV4),
+  AAAA("equinix-gw-1.ams", EQUINIXGW1AMS_IPV6),
+  A("equinix-gw-2.ams", EQUINIXGW2AMS_IPV4),
+  AAAA("equinix-gw-2.ams", EQUINIXGW2AMS_IPV6),
+  A("equinix-osm.ams", EQUINIXOSMAMS_IPV4),
+  AAAA("equinix-osm.ams", EQUINIXOSMAMS_IPV6),
+
+  A("equinix-gw.dub", EQUINIXGWDUB_IPV4),
+  AAAA("equinix-gw.dub", EQUINIXGWDUB_IPV6),
+  A("equinix-gw-1.dub", EQUINIXGW1DUB_IPV4),
+  AAAA("equinix-gw-1.dub", EQUINIXGW1DUB_IPV6),
+  A("equinix-gw-2.dub", EQUINIXGW2DUB_IPV4),
+  AAAA("equinix-gw-2.dub", EQUINIXGW2DUB_IPV6),
+  A("equinix-osm.dub", EQUINIXOSMDUB_IPV4),
+  AAAA("equinix-osm.dub", EQUINIXOSMDUB_IPV6),
 
   // Bytemark machine, and the services which operate from it
 
-  A("shenron", "212.110.172.32"),
-  AAAA("shenron", "2001:41c9:1:400::32"),
-  A("mail", "212.110.172.32"),
-  AAAA("mail", "2001:41c9:1:400::32"),
-  A("mta-sts", "212.110.172.32"),
-  AAAA("mta-sts", "2001:41c9:1:400::32"),
-  A("lists", "212.110.172.32"),
-  AAAA("lists", "2001:41c9:1:400::32"),
-  A("svn", "212.110.172.32"),
-  AAAA("svn", "2001:41c9:1:400::32"),
-  A("trac", "212.110.172.32"),
-  AAAA("trac", "2001:41c9:1:400::32"),
-  A("irc", "212.110.172.32"),
-  AAAA("irc", "2001:41c9:1:400::32"),
-  A("help", "212.110.172.32"),
-  AAAA("help", "2001:41c9:1:400::32"),
-  A("blogs", "212.110.172.32", TTL("10m")),
-  AAAA("blogs", "2001:41c9:1:400::32", TTL("10m")),
-  A("shenron.bm", "10.0.16.3"),
+  A("shenron", SHENRON_IPV4),
+  AAAA("shenron", SHENRON_IPV6),
+  A("lists", SHENRON_IPV4),
+  AAAA("lists", SHENRON_IPV6),
+  A("help", SHENRON_IPV4),
+  AAAA("help", SHENRON_IPV6),
+
+  // HTTPS / SVCB records
+  HTTPS("lists", 1, ".", "alpn=h2"),
+  HTTPS("help", 1, ".", "alpn=h2"),
+
+  // Naga service
+
+  A("naga", NAGA_IPV4),
+  AAAA("naga", NAGA_IPV6),
+  A("svn", NAGA_IPV4),
+  AAAA("svn", NAGA_IPV6),
+  A("trac", NAGA_IPV4),
+  AAAA("trac", NAGA_IPV6),
+  A("irc", NAGA_IPV4),
+  AAAA("irc", NAGA_IPV6),
+  A("blogs", NAGA_IPV4),
+  AAAA("blogs", NAGA_IPV6),
+  A("welcome", NAGA_IPV4),
+  AAAA("welcome", NAGA_IPV6),
+  A("operations", NAGA_IPV4),
+  AAAA("operations", NAGA_IPV6),
+  A("hot", NAGA_IPV4),
+  AAAA("hot", NAGA_IPV6),
+  A("dmca", NAGA_IPV4),
+  AAAA("dmca", NAGA_IPV6),
+  A("otrs", NAGA_IPV4),
+  AAAA("otrs", NAGA_IPV6),
+  A("birthday20", NAGA_IPV4),
+  AAAA("birthday20", NAGA_IPV6),
+
+  // HTTPS / SVCB records
+  HTTPS("svn", 1, ".", "alpn=h2"),
+  HTTPS("trac", 1, ".", "alpn=h2"),
+  HTTPS("irc", 1, ".", "alpn=h2"),
+  HTTPS("blogs", 1, ".", "alpn=h2"),
+  HTTPS("welcome", 1, ".", "alpn=h2"),
+  HTTPS("operations", 1, ".", "alpn=h2"),
+  HTTPS("hot", 1, ".", "alpn=h2"),
+  HTTPS("dmca", 1, ".", "alpn=h2"),
+  // HTTPS("otrs", 1, ".", "alpn=h2"), - OTRS is not available using HTTPS/2
+  HTTPS("birthday20", 1, ".", "alpn=h2"),
+
+  A("naga.dub", NAGA_INTERNAL),
+  A("naga.oob", NAGA_OOB),
 
   // Wiki servers
 
-  A("ouroboros", "130.117.76.4"),
-  AAAA("ouroboros", "2001:978:2:2c::172:4"),
-  // A("wiki", "130.117.76.4", TTL("10m")),
-  // AAAA("wiki", "2001:978:2:2c::172:4", TTL("10m")),
-  A("ouroboros.ams", "10.0.48.4"),
-  A("ouroboros.oob", "10.0.49.4"),
+  A("konqi", KONQI_IPV4),
+  AAAA("konqi", KONQI_IPV6),
+  A("wiki", KONQI_IPV4),
+  AAAA("wiki", KONQI_IPV6),
+  A("konqi.dub", KONQI_INTERNAL),
+  A("konqi.oob", KONQI_OOB),
+
+  // HTTPS / SVCB records
+  HTTPS("wiki", 1, ".", "alpn=h2"),
+
+  // Overpass server
 
-  A("tabaluga", "130.117.76.14"),
-  AAAA("tabaluga", "2001:978:2:2c::172:e"),
-  A("wiki", "130.117.76.14", TTL("10m")),
-  AAAA("wiki", "2001:978:2:2c::172:e", TTL("10m")),
-  A("tabaluga.ams", "10.0.48.14"),
-  A("tabaluga.oob", "10.0.49.14"),
+  A("grisu", GRISU_IPV4),
+  AAAA("grisu", GRISU_IPV6),
+  A("query", GRISU_IPV4),
+  AAAA("query", GRISU_IPV6),
+  A("grisu.dub", GRISU_INTERNAL),
+  A("grisu.oob", GRISU_OOB),
+
+  // HTTPS / SVCB records
+  HTTPS("query", 1, ".", "alpn=h2"),
 
   // GPS tile server
 
-  A("noquiklos", "193.60.236.16"),
-  A("gps-tile", "193.60.236.16"),
-  A("a.gps-tile", "193.60.236.16"),
-  A("b.gps-tile", "193.60.236.16"),
-  A("c.gps-tile", "193.60.236.16"),
-  A("gps.tile", "193.60.236.16"),
-  A("gps-a.tile", "193.60.236.16"),
-  A("gps-b.tile", "193.60.236.16"),
-  A("gps-c.tile", "193.60.236.16"),
-  A("noquiklos.ucl", "10.0.0.13"),
-  A("noquiklos.oob", "10.0.1.13"),
+  A("muirdris", MUIRDRIS_IPV4),
+  AAAA("muirdris", MUIRDRIS_IPV6),
+  A("gps-tile", MUIRDRIS_IPV4),
+  AAAA("gps-tile", MUIRDRIS_IPV6),
+  A("a.gps-tile", MUIRDRIS_IPV4),
+  AAAA("a.gps-tile", MUIRDRIS_IPV6),
+  A("b.gps-tile", MUIRDRIS_IPV4),
+  AAAA("b.gps-tile", MUIRDRIS_IPV6),
+  A("c.gps-tile", MUIRDRIS_IPV4),
+  AAAA("c.gps-tile", MUIRDRIS_IPV6),
+  A("gps.tile", MUIRDRIS_IPV4),
+  AAAA("gps.tile", MUIRDRIS_IPV6),
+  A("gps-a.tile", MUIRDRIS_IPV4),
+  AAAA("gps-a.tile", MUIRDRIS_IPV6),
+  A("gps-b.tile", MUIRDRIS_IPV4),
+  AAAA("gps-b.tile", MUIRDRIS_IPV6),
+  A("gps-c.tile", MUIRDRIS_IPV4),
+  AAAA("gps-c.tile", MUIRDRIS_IPV6),
+  A("muirdris.dub", MUIRDRIS_INTERNAL),
+  A("muirdris.oob", MUIRDRIS_OOB),
+
+  // HTTPS / SVCB records
+  HTTPS("gps-tile", 1, ".", "alpn=h2"),
+  HTTPS("a.gps-tile", 1, ".", "alpn=h2"),
+  HTTPS("b.gps-tile", 1, ".", "alpn=h2"),
+  HTTPS("c.gps-tile", 1, ".", "alpn=h2"),
+  HTTPS("gps-a.tile", 1, ".", "alpn=h2"),
+  HTTPS("gps-b.tile", 1, ".", "alpn=h2"),
+  HTTPS("gps-c.tile", 1, ".", "alpn=h2"),
 
   // Tile cache servers
 
-  A("gorynych", "5.45.248.21"),
-  AAAA("gorynych", "2a02:6b8:b010:5065::a001"),
-  A("trogdor", "134.90.146.26"),
-  A("trogdor.oob", "134.90.146.30"),
-  A("ridgeback", "31.169.50.10"),
-  A("ridgeback.oob", "31.169.50.14"),
-  A("jakelong", "71.19.155.177"),
-  AAAA("jakelong", "2605:2700:0:17:a800:ff:fe3e:cdca"),
-  A("nepomuk", "77.95.65.39"),
-  AAAA("nepomuk", "2a03:9180:0:100::7"),
-  A("simurgh", "94.20.20.55"),
-  A("katie", "144.76.70.77"),
-  AAAA("katie", "2a01:4f8:191:834c::2"),
-  A("konqi", "81.7.11.83"),
-  AAAA("konqi", "2a02:180:1:1::517:b53"),
-  A("longma", "140.110.240.7"),
-  AAAA("longma", "2001:e10:2000:240::7"),
-  A("viserion", "193.198.233.211"),
-  AAAA("viserion", "2001:b68:4cff:3::3"),
-  A("drogon", "161.53.30.107"),
-  AAAA("drogon", "2001:b68:c0ff:0:221:5eff:fe40:c7c4"),
-  A("saphira", "185.73.44.30"),
-  AAAA("saphira", "2001:ba8:0:2c1e::"),
-  A("toothless", "185.73.44.167"),
-  AAAA("toothless", "2001:ba8:0:2ca7::"),
-  A("sarkany", "37.17.173.8"),
-  AAAA("sarkany", "2001:4c48:2:bf04:250:56ff:fe8f:5c81"),
-  A("cmok", "31.130.201.40"),
-  AAAA("cmok", "2001:67c:2268:1005:21e:8cff:fe8c:8d3b"),
-  A("stormfly-02", "140.211.167.105"),
-  AAAA("stormfly-02", "2605:bc80:3010:700::8cde:a769"),
-  A("stormfly-02.oob", "10.0.0.108"),
-  A("rimfaxe", "130.225.254.109"),
-  AAAA("rimfaxe", "2001:878:346::109"),
-  A("culebre", "155.210.4.103"),
-  A("kalessin", "185.66.195.245"),
-  AAAA("kalessin", "2a03:2260:2000:1::5"),
-  A("angor", "196.10.54.165"),
-  // AAAA("angor", "2001:43f8:1f4:b00:b283:feff:fed8:dd45"),
-  A("ladon", "83.212.2.116"),
-  AAAA("ladon", "2001:648:2ffe:4::116"),
-  A("ascalon", "184.107.48.228"),
-  A("noomoahk", "91.224.148.166"),
-  AAAA("noomoahk", "2a03:7220:8080:a600::1"),
-  A("cherufe", "200.91.44.37"),
-  A("norbert", "89.234.186.100"),
-  AAAA("norbert", "2a00:5884:821c::1"),
-  A("chrysophylax", "217.71.244.22"),
-  AAAA("chrysophylax", "2001:8e0:40:2039::10"),
-  A("necrosan", "80.67.167.77"),
-  AAAA("necrosan", "2a0b:cbc0:110d:1::1c"),
-  A("keizer", "195.201.226.63"),
-  AAAA("keizer", "2a01:4f8:1c1c:bc54::1"),
-  A("vipertooth", "176.122.99.101"),
-  AAAA("vipertooth", "2001:67c:2d40::65"),
-  A("tuatara", "114.23.141.203"),
-  AAAA("tuatara", "2406:1e00:b410:c24:529a:4cff:fe79:bc3b"),
-  A("waima", "103.197.61.160"),
-  A("nidhogg", "130.236.254.221"),
-  AAAA("nidhogg", "2001:6b0:17:f0a0::dd"),
-  A("boitata", "200.236.31.207"),
-  AAAA("boitata", "2801:82:80ff:8002:216:ccff:feaa:21"),
-  A("fafnir", "130.239.18.114"),
-  AAAA("fafnir", "2001:6b0:e:2a18::114"),
-  A("fume", "147.228.60.16"),
-  A("balerion", "138.44.68.134"),
-  A("naga", "185.116.130.151"),
-
-  // Blades
-
-  A("tiamat-00", "193.60.236.40"),
-  A("tiamat-00.ucl", "10.0.0.40"),
-  A("tiamat-00.oob", "10.0.1.40"),
-  A("tiamat-01", "193.60.236.41"),
-  A("tiamat-01.ucl", "10.0.0.41"),
-  A("tiamat-01.oob", "10.0.1.41"),
-  A("tiamat-02", "193.60.236.42"),
-  A("tiamat-02.ucl", "10.0.0.42"),
-  A("tiamat-02.oob", "10.0.1.42"),
-  A("tiamat-03", "193.60.236.43"),
-  A("tiamat-03.ucl", "10.0.0.43"),
-  A("tiamat-03.oob", "10.0.1.43"),
-  A("tiamat-10", "193.60.236.44"),
-  A("tiamat-10.ucl", "10.0.0.44"),
-  A("tiamat-10.oob", "10.0.1.44"),
-  A("tiamat-11", "193.60.236.45"),
-  A("tiamat-11.ucl", "10.0.0.45"),
-  A("tiamat-11.oob", "10.0.1.45"),
-  A("tiamat-12", "193.60.236.46"),
-  A("tiamat-12.ucl", "10.0.0.46"),
-  A("tiamat-12.oob", "10.0.1.46"),
-  A("tiamat-13", "193.60.236.47"),
-  A("tiamat-13.ucl", "10.0.0.47"),
-  A("tiamat-13.oob", "10.0.1.47"),
-  A("tiamat-20", "193.60.236.48"),
-  A("tiamat-20.ucl", "10.0.0.48"),
-  A("tiamat-20.oob", "10.0.1.48"),
-  A("tiamat-21", "193.60.236.49"),
-  A("tiamat-21.ucl", "10.0.0.49"),
-  A("tiamat-21.oob", "10.0.1.49"),
-  A("tiamat-22", "193.60.236.50"),
-  A("tiamat-22.ucl", "10.0.0.50"),
-  A("tiamat-22.oob", "10.0.1.50"),
-  A("tiamat-23", "193.60.236.51"),
-  A("tiamat-23.ucl", "10.0.0.51"),
-  A("tiamat-23.oob", "10.0.1.51"),
-
-  // Donation site
-
-  A("donate", "193.60.236.19", TTL("10m")),
+  A("ridgeback", RIDGEBACK_IPV4),
+  A("ridgeback.oob", RIDGEBACK_OOB),
+  A("angor", ANGOR_IPV4),
+  AAAA("angor", ANGOR_IPV6),
+  A("ladon", LADON_IPV4),
+  AAAA("ladon", LADON_IPV6),
+  A("neak", NEAK_IPV4),
+  A("meraxes", MERAXES_IPV4),
+  AAAA("meraxes", MERAXES_IPV6),
+
+  // Donation site and new OSMF crm site
+
+  A("donate", RIDLEY_IPV4),
+  A("support", RIDLEY_IPV4),
+  A("supporting", RIDLEY_IPV4),
+
+  // HTTPS / SVCB records
+  HTTPS("donate", 1, ".", "alpn=h2"),
+  HTTPS("support", 1, ".", "alpn=h2"),
+  HTTPS("supporting", 1, ".", "alpn=h2"),
+
+  A("lockheed", LOCKHEED_IPV4),
+  AAAA("lockheed", LOCKHEED_IPV6),
+  A("lockheed.ams", LOCKHEED_INTERNAL),
+  A("lockheed.oob", LOCKHEED_OOB),
+  A("tiler", LOCKHEED_IPV4),
+  AAAA("tiler", LOCKHEED_IPV6),
+  A("us-imagery", LOCKHEED_IPV4),
+  AAAA("us-imagery", LOCKHEED_IPV6),
+  A("a.us-imagery", LOCKHEED_IPV4),
+  AAAA("a.us-imagery", LOCKHEED_IPV6),
+  A("b.us-imagery", LOCKHEED_IPV4),
+  AAAA("b.us-imagery", LOCKHEED_IPV6),
+  A("c.us-imagery", LOCKHEED_IPV4),
+  AAAA("c.us-imagery", LOCKHEED_IPV6),
+
+  // HTTPS / SVCB records
+  HTTPS("tiler", 1, ".", "alpn=h2"),
+  HTTPS("us-imagery", 1, ".", "alpn=h2"),
+  HTTPS("a.us-imagery", 1, ".", "alpn=h2"),
+  HTTPS("b.us-imagery", 1, ".", "alpn=h2"),
+  HTTPS("c.us-imagery", 1, ".", "alpn=h2"),
+
+  // Discourse server ("community")
+
+  A("fume", FUME_IPV4),
+  AAAA("fume", FUME_IPV6),
+  A("fume.dub", FUME_INTERNAL),
+  A("fume.oob", FUME_OOB),
+
+  A("community", FUME_IPV4),
+  A("communities", FUME_IPV4),
+  A("c", FUME_IPV4),
+  AAAA("community", FUME_IPV6),
+  AAAA("communities", FUME_IPV6),
+  AAAA("c", FUME_IPV6),
+
+  // HTTPS / SVCB records
+  HTTPS("community", 1, ".", "alpn=h2"),
+  HTTPS("communities", 1, ".", "alpn=h2"),
+  HTTPS("c", 1, ".", "alpn=h2"),
+
+  CNAME("community-cdn", "dualstack.n.sni.global.fastly.net."),
+  TXT("community", "google-site-verification=hQ8GZyj4KwnPqAX2oAzpbLrh6I5dfR08PSdL3icVkfg"),
+
+  A("forum", FUME_IPV4),
+  AAAA("forum", FUME_IPV6),
+
+  // HTTPS / SVCB records
+  HTTPS("forum", 1, ".", "alpn=h2"),
+
+  // Taginfo and Staging Blog Server
+
+  A("tabaluga", TABALUGA_IPV4),
+  AAAA("tabaluga", TABALUGA_IPV6),
+  A("tabaluga.ams", TABALUGA_INTERNAL),
+  A("tabaluga.oob", TABALUGA_OOB),
+
+  A("staging.blog", TABALUGA_IPV4),
+  AAAA("staging.blog", TABALUGA_IPV6),
+
+  // HTTPS / SVCB records
+  HTTPS("staging.blog", 1, ".", "alpn=h2"),
+
+  A("taginfo", TABALUGA_IPV4),
+  AAAA("taginfo", TABALUGA_IPV6),
+
+  // HTTPS / SVCB records
+  HTTPS("taginfo", 1, ".", "alpn=h2"),
+
+  // Spare servers
+
+  A("dribble", DRIBBLE_IPV4),
+  AAAA("dribble", DRIBBLE_IPV6),
+  A("dribble.ams", DRIBBLE_INTERNAL),
+  A("dribble.oob", DRIBBLE_OOB),
 
   // Uptime site at StatusCake
 
-  CNAME("uptime", "uptimessl.statuscake.com."),
-
-  // Custom Domain for https://github.com/osmfoundation/welcome-mat/
-
-  CNAME("welcome", "osmfoundation.github.io."),
+  CNAME("uptime", "uptimessl-new.statuscake.com."),
 
   // Dynamic DNS records