At the moment we're not doing DNSSEC.  We appreciate that it would be a big challenge.

Another option I considered (less flexible but viable) is just to run two separate knot instances with the different zones loaded, and switch traffic to the other set!

For DNSSEC - because the target zone(s) are also internal, I presume it would be possible to calculate once and then cache the zone so long as none of its ALIAS targets had changed.  This would still be a hit of calculations as the target zone changed, but it should taper off in everyday production use.

Our Knot servers are all fed directly - we run 4 of them currently, two in each datacenter, and they are all fed by a process which reads database updates from a queue, and rebuilds the zone files and then reloads them.

The interesting bit of code for a new or updated zone is:

  # Do we have config for this zone?
  # Check for a template
  my $results = $self->knotc_cmds_read("zone[$effective_zone].template");
  my $result  = $results->[0] // '';
  chomp $result;
  # knotc prints "item = value"; keep only the value
  $result =~ s/^.* = //;

  my $metric_type = 'zones_updated';
  if ($result ne 'default') {
    # setup the new zone
    $metric_type = 'zones_added';
    my $committer = $self->knotc_begin_transaction_auto();
    my ($success, $output) = $self->knotc_cmds([
      [ 'conf-set', 'zone.domain',          $effective_zone ],
      [ 'conf-set', "zone[$effective_zone].template", 'default' ],
    ]);
    unless ($success) {
      $Logger->log_fatal("Zone setup failed for $effective_zone: ", $output);
    }
    $committer->commit();
  }
  $self->metrics->{$metric_type}++;

  # for new or updated, trigger a zone reload
  my ($success, $output) = $self->knotc_cmds([['zone-reload', $effective_zone]]);
  $Logger->log("Zone reload failed for $effective_zone: ", $output) unless $success;

All the indirection there is a module which automatically sends a conf-abort if it dies before calling conf-commit and such magic.

The entire zone is built based on a "needs rebuild" trigger placed in the queue to each server, so they update separately out of that queue; meaning if one is down for a while it collects a list of what to do before coming back into service.

So they are all entirely independent of each other.

Bron.

On Wed, Apr 15, 2026, at 12:13, Daniel Salzman wrote:
Bron,

Thanks for the details. Let me think about it.

There is another important aspect of the solution, DNSSEC. Your proposed solution would require online signing,
which is not ideal for high-traffic environments (unless you have thousands of servers :-)). What is your stance
on DNSSEC?

Do you use zone transfers, or how do you feed your Knot servers?

Daniel

On 4/15/26 17:01, Bron Gondwana wrote:
> On Wed, Apr 15, 2026, at 08:08, Daniel Salzman wrote:
>> Hi Bron,
>>
>> Welcome aboard!
> Hi Daniel, thank you!
>> First of all, I have to say that the ALIAS record type (and similar alternatives) is rather a workaround until
>> HTTPS/SVCB alias mode is widely supported. We added this type primarily for use with our Redis backend
>> and we aren't philosophically ready to add processing of it to the server itself. However, I believe we can find
>> a solution for your needs.
>>
>> I think that your use case, where the target ALIAS zone is locally available, is not common. Usually, a full DNS resolver
>> is necessary, which is the biggest issue. Our server is focused on high performance, so performing the resolution
>> while responding to queries is not optimal. In your case it is not even necessary.
> Yes, absolutely - we're not keen to make our server more expensive.  We switched to Knot in the first place because our old backend was being hammered by DDoS attacks, even behind Cloudflare caching frontends.
>> Possible options:
>> - Using our Redis backend in combination with https://gitlab.nic.cz/knot/knot-dns/-/blob/master/scripts/redis_unalias.py
>>    Sorry for the lack of documentation.
>> - If the dynamic records are uniform across the zones, cannot you use something like (ignore the random zone names)?:
>>
>> knotc> zone-begin --
>> OK
>> knotc> zone-set -- test A 192.168.1.1
>> OK
>> knotc> zone-diff --
>> [.] +test. 3600 A 192.168.1.1
>> [e92bd5f.4738fa5efafc1ebdc3.] +test.e92bd5f.4738fa5efafc1ebdc3. 3600 A 192.168.1.1
>> [63da60e39bb6cd76fa.] +test.63da60e39bb6cd76fa. 3600 A 192.168.1.1
>> [96e07.] +test.96e07. 3600 A 192.168.1.1
>> [aa.] +test.aa. 3600 A 192.168.1.1
>> [center.] +test.center. 3600 A 192.168.1.1
>> [collector.] +test.collector. 3600 A 192.168.1.1
>> [e6a69.] +test.e6a69. 3600 A 192.168.1.1
>> [ecbecfc1abcc.] +test.ecbecfc1abcc. 6536 A 192.168.1.1
>> [hawking.] +test.hawking. 16183 A 192.168.1.1
>> [noc3598.] +test.noc3598. 3600 A 192.168.1.1
>> [records.] +test.records. 3600 A 192.168.1.1
>> knotc> zone-commit --
>> OK
> It's sadly not 100% uniform across all zones.  We have default records, which can be overridden by individual customers.
>>   - If you insist on the dynamic ALIAS resolution, a new query module could be implemented.
> I do think that the ALIAS resolution the way I did it is an exact match for what we want, it's a layer of indirection for the records which are "a service provided by us" - the kind of thing you'd just use a CNAME for if it wasn't for how CNAMEs and MX records behave so unfortunately.
>> What do you think? Maybe more details about your deployment would help. Feel free to send
>> me relevant zone snippets.
> Our goal is to be able to switch all the records with IPs starting 103.168 to IPs in a separate datacenter when transitioning traffic to the other site (either deliberately, or for disaster recovery)
> Here is a zone which is absolutely vanilla, no special records.  It's one of my family's domains:
> lorinna.net. 3600 IN SOA ( ns1.messagingengine.com.
> postmaster.messagingengine.com.
> 2026041300 ;serial
> 86343 ;refresh
> 600 ;retry
> 1209600 ;expire
> 3600 ;minimum
> )
> lorinna.net. 3600 IN NS ns1.messagingengine.com.
> lorinna.net. 3600 IN NS ns2.messagingengine.com.
> lorinna.net. 3600 IN MX 10 in1-smtp.messagingengine.com.
> lorinna.net. 3600 IN MX 20 in2-smtp.messagingengine.com.
> lorinna.net. 3600 IN A 103.168.172.37
> lorinna.net. 3600 IN A 103.168.172.52
> lorinna.net. 3600 IN TXT "v=spf1 include:spf.messagingengine.com ?all"
> *.lorinna.net. 3600 IN MX 10 in1-smtp.messagingengine.com.
> *.lorinna.net. 3600 IN MX 20 in2-smtp.messagingengine.com.
> *.lorinna.net. 3600 IN A 103.168.172.37
> *.lorinna.net. 3600 IN A 103.168.172.52
> _dmarc.lorinna.net. 3600 IN TXT "v=DMARC1; p=none;"
> fm1._domainkey.lorinna.net. 3600 IN CNAME ( fm1.lorinna.net.dkim.fmhosted.com.
> )
> fm2._domainkey.lorinna.net. 3600 IN CNAME ( fm2.lorinna.net.dkim.fmhosted.com.
> )
> fm3._domainkey.lorinna.net. 3600 IN CNAME ( fm3.lorinna.net.dkim.fmhosted.com.
> )
> mesmtp._domainkey.lorinna.net. 3600 IN CNAME (
> mesmtp.lorinna.net.dkim.fmhosted.com. )
> _autodiscover._tcp.lorinna.net. 3600 IN SRV ( 0 1 443
> autodiscover.fastmail.com. )
> _caldav._tcp.lorinna.net. 3600 IN SRV 0 0 0 .
> _caldavs._tcp.lorinna.net. 3600 IN SRV 0 1 443 d27457.caldav.fastmail.com.
> _carddav._tcp.lorinna.net. 3600 IN SRV 0 0 0 .
> _carddavs._tcp.lorinna.net. 3600 IN SRV ( 0 1 443 d27457.carddav.fastmail.com.
> )
> _imap._tcp.lorinna.net. 3600 IN SRV 0 0 0 .
> _imaps._tcp.lorinna.net. 3600 IN SRV 0 1 993 imap.fastmail.com.
> _jmap._tcp.lorinna.net. 3600 IN SRV 0 1 443 api.fastmail.com.
> _pop3._tcp.lorinna.net. 3600 IN SRV 0 0 0 .
> _pop3s._tcp.lorinna.net. 3600 IN SRV 10 1 995 pop.fastmail.com.
> _submission._tcp.lorinna.net. 3600 IN SRV 0 0 0 .
> _submissions._tcp.lorinna.net. 3600 IN SRV 0 1 465 smtp.fastmail.com.
> mail.lorinna.net. 3600 IN MX 10 in1-smtp.messagingengine.com.
> mail.lorinna.net. 3600 IN MX 20 in2-smtp.messagingengine.com.
> mail.lorinna.net. 3600 IN A 103.168.172.65
> And here's one where the apex A record and www A record are pointed to an external system, but the rest is managed at Fastmail.
> miv.org.au. 3600 IN SOA ( ns1.messagingengine.com.
> postmaster.messagingengine.com.
> 2026041300 ;serial
> 86223 ;refresh
> 600 ;retry
> 1209600 ;expire
> 3600 ;minimum
> )
> miv.org.au. 3600 IN NS ns1.messagingengine.com.
> miv.org.au. 3600 IN NS ns2.messagingengine.com.
> miv.org.au. 3600 IN MX 10 in1-smtp.messagingengine.com.
> miv.org.au. 3600 IN MX 20 in2-smtp.messagingengine.com.
> miv.org.au. 3600 IN A 178.62.49.34
> miv.org.au. 3600 IN TXT (
> google-site-verification=3xg8-ieU1iufBCuguKrrUSGTEnrDYy7aSnPLvN66XHk )
> miv.org.au. 3600 IN TXT "v=spf1 include:spf.messagingengine.com ?all"
> *.miv.org.au. 3600 IN MX 10 in1-smtp.messagingengine.com.
> *.miv.org.au. 3600 IN MX 20 in2-smtp.messagingengine.com.
> *.miv.org.au. 3600 IN A 103.168.172.37
> *.miv.org.au. 3600 IN A 103.168.172.52
> _dmarc.miv.org.au. 3600 IN TXT "v=DMARC1; p=none;"
> fm1._domainkey.miv.org.au. 3600 IN CNAME fm1.miv.org.au.dkim.fmhosted.com.
> fm2._domainkey.miv.org.au. 3600 IN CNAME fm2.miv.org.au.dkim.fmhosted.com.
> fm3._domainkey.miv.org.au. 3600 IN CNAME fm3.miv.org.au.dkim.fmhosted.com.
> mesmtp._domainkey.miv.org.au. 3600 IN CNAME (
> mesmtp.miv.org.au.dkim.fmhosted.com. )
> _autodiscover._tcp.miv.org.au. 3600 IN SRV ( 0 1 443 autodiscover.fastmail.com.
> )
> _caldav._tcp.miv.org.au. 3600 IN SRV 0 0 0 .
> _caldavs._tcp.miv.org.au. 3600 IN SRV 0 1 443 d442465.caldav.fastmail.com.
> _carddav._tcp.miv.org.au. 3600 IN SRV 0 0 0 .
> _carddavs._tcp.miv.org.au. 3600 IN SRV ( 0 1 443 d442465.carddav.fastmail.com.
> )
> _imap._tcp.miv.org.au. 3600 IN SRV 0 0 0 .
> _imaps._tcp.miv.org.au. 3600 IN SRV 0 1 993 imap.fastmail.com.
> _jmap._tcp.miv.org.au. 3600 IN SRV 0 1 443 api.fastmail.com.
> _pop3._tcp.miv.org.au. 3600 IN SRV 0 0 0 .
> _pop3s._tcp.miv.org.au. 3600 IN SRV 10 1 995 pop.fastmail.com.
> _submission._tcp.miv.org.au. 3600 IN SRV 0 0 0 .
> _submissions._tcp.miv.org.au. 3600 IN SRV 0 1 465 smtp.fastmail.com.
> mail.miv.org.au. 3600 IN MX 10 in1-smtp.messagingengine.com.
> mail.miv.org.au. 3600 IN MX 20 in2-smtp.messagingengine.com.
> mail.miv.org.au. 3600 IN A 103.168.172.65
> www.miv.org.au. 3600 IN A 178.62.49.34
> And here's one that runs entirely separately, just using Fastmail for DNS:
> dkim2.com. 3600 IN SOA ( ns1.messagingengine.com.
> postmaster.messagingengine.com.
> 2026040300 ;serial
> 86265 ;refresh
> 600 ;retry
> 1209600 ;expire
> 3600 ;minimum
> )
> dkim2.com. 3600 IN NS ns1.messagingengine.com.
> dkim2.com. 3600 IN NS ns2.messagingengine.com.
> dkim2.com. 3600 IN MX 10 mail.dkim2.com.
> dkim2.com. 3600 IN A 134.209.211.166
> dkim2.com. 3600 IN TXT "v=spf1 a mx -all"
> *.dkim2.com. 3600 IN MX 10 mail.dkim2.com.
> _dmarc.dkim2.com. 3600 IN TXT ( "v=DMARC1; p=none; rua=mailto:dmarc@dkim2.com"
> )
> ed25519._domainkey.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=ed25519; p=H4AK/+/8XXxmn/bnyOHaqPpyJtrqBf80sgZpnepMPUQ=" )
> fm1._domainkey.dkim2.com. 3600 IN CNAME fm1.dkim2.com.dkim.fmhosted.com.
> fm2._domainkey.dkim2.com. 3600 IN CNAME fm2.dkim2.com.dkim.fmhosted.com.
> fm3._domainkey.dkim2.com. 3600 IN CNAME fm3.dkim2.com.dkim.fmhosted.com.
> mesmtp._domainkey.dkim2.com. 3600 IN CNAME (
> mesmtp.dkim2.com.dkim.fmhosted.com. )
> sel1._domainkey.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa;   p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvwtNJpRLYM99Ya2Vm5Th/BUxw7MazipAvYMHJA80TD9P1F5gx6eHMT8kErqOG5w7ngZPAoEvH0Dq2rfyGC7gqp93RR7xCD/YNm72/uq9NC+zv1gQ3IqeHbKJEd8MQMj4CL+0fhRyAPpMWEPirYGSgVDxKjJHwa0XLlt00iI6DV1m/IhbH2hzcd6WfBBdiFLV+ovTS8InQDedl12aJtRJv/gKLA+6+Nd4DlTb3mBT2JvT0WoIbJ43pZpBR8ItXHOGT75mxMILEcWI2EhtPq/GaJHWbn7RxgyV0I44bTUiKut+8udflCjSpiOBXlFNp20bUQTjNxKNcCiLGFzc8cYFIwIDAQAB"
> )
> dev.dkim2.com. 3600 IN A 134.209.211.166
> mail.dkim2.com. 3600 IN A 134.209.211.166
> mailman.dkim2.com. 3600 IN MX 10 mail.dkim2.com.
> mailman.dkim2.com. 3600 IN A 134.209.211.166
> mailman.dkim2.com. 3600 IN A 134.209.211.166
> mailman.dkim2.com. 3600 IN TXT "v=spf1 a mx -all"
> _dmarc.mailman.dkim2.com. 3600 IN TXT "v=DMARC1; p=none"
> sympa.dkim2.com. 3600 IN MX 10 mail.dkim2.com.
> sympa.dkim2.com. 3600 IN A 134.209.211.166
> sympa.dkim2.com. 3600 IN A 134.209.211.166
> sympa.dkim2.com. 3600 IN TXT "v=spf1 a mx -all"
> _dmarc.sympa.dkim2.com. 3600 IN TXT "v=DMARC1; p=none"
> test1.dkim2.com. 3600 IN MX 10 mail.dkim2.com.
> test1.dkim2.com. 3600 IN TXT "v=spf1 a mx -all"
> _dmarc.test1.dkim2.com. 3600 IN TXT "v=DMARC1; p=none"
> ed25519._domainkey.test1.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=ed25519; p=hwjviTXyzUXSCWayBqE17s/4NSynQKxw58jayHudRAI=" )
> rsa1024._domainkey.test1.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIubB7x1q3rNGDWgObuKSOyYVtVKmcJpIvtWdRzg71iGRGqMdEE18GAOk+6j+GAcHTppkh4qR1d9vOl4S1L8ClAvSFUz0azi31fLQcMpZbagyseSq9FnF4nHL/7MAA2brAXkVCQ1rZLKNHMwkXGggkA9kg+LloNfSML+utkhN3gQIDAQAB"
> )
> sel1._domainkey.test1.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRtvI17L4pHwF58KhyjiN7d74ZHDZia1IOzuXA6hygEuxt0+0Ey9PJvrDpKp/JsJIiJ0Ji8hrQfeMbAX5wHpz8GAkRlWOdorPuZiMZegTU9oD9nWRO/GcAu7Ub4V1pF6AwwfykCmzKbomX7jWa1y0oNgMHMUeZAi1XveQ6cfebJOwtgqWMOTSenY8+p8hU97YFxwKXO0FsAQYvNMMSZAXPM00V/ZaxiZ1UZUCMM/uesVkU7pIOzItGEjoWUrPkIos1GGf+2nBncqNgmivPkJPFeaJXOIL1iHqKJrSzZuTxCWPTQ+JVPyeAgDk0xyGK3RbiyItPjVZhBs7sZekNGVCwIDAQAB"
> )
> sel2._domainkey.test1.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqiTwabnGlrGDoPlSHpfiWjsbwucsezwm/iU9bjloGqothOM7XNIrS1ub2f5BNz9yQjOhWGJ+fo8DOnF9YdUKXkBxuUdt49eyClLDaUG4Q35hJBWFF1MsmihtJpo6PzXGZYP/c4mPc2vXTPd3hbAqkftMgUCOCUIUyUEXhMl/R6/XkXATcyDId3TsSyQUJk3U+2r/wQJGz5JkOxyDX1NEawfh3GDuppCUFZFWnsrEvolBGDqZk8RG2FNmRysglRau4z9GG8jieXG4NjIT/yOh3pjbYGq4tgrMVZ7AcrIpCRbEJTUCExgrh3iQRXReVPy2qhcgY6BQLF2ahiTBUm2wAwIDAQAB"
> )
> sel3._domainkey.test1.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr8xHmZoXE3P12DNh5jhFAJjtI9kosn3bISKWYNyn2PAn8E+Ik70iScLj8bFUNcjlLRtBDo5KZ323gdoYS3AUBSJlbkLJKCnQnH6pY+rawmt5kCNJm15DTFlOyZhaMWUilFyVzzGDqXf3d/VzFiX+13GnDdwR1QOnbOTMKx9Y0+nEhlnqRwv3YFjAO1aQOdFzguxMi5wiZQIFtmwwY8GgFIVrEqFq4UCU/hc/E2YcYjHv5zg2KR/zJivfXdLOceHqzJTYdOca/IDqfat2IgOooVVsfHZCCScOutZe9JwWYt98EOiFfvmLs3pvJnBLyGM2BOZUpJnkXSDCnTKxboRnqQIDAQAB"
> )
> test2.dkim2.com. 3600 IN MX 10 mail.dkim2.com.
> test2.dkim2.com. 3600 IN TXT "v=spf1 a mx -all"
> _dmarc.test2.dkim2.com. 3600 IN TXT "v=DMARC1; p=none"
> rsa1024._domainkey.test2.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcSzEVS5IaMQZWJaqmA7dnD1fHuks1mqzY9RfQn9skWCYJZxHx0d45oSSrMt8lSKZiN4FLgbBl0jiLWXq+oPP3rUEhQrqElzyzo1Swn1Phsq45ij655pXFgZpfXvS95nP2GGDrQLcZhi5VNDg9ACoitB1CtxTipRXm8anlzLtg2QIDAQAB"
> )
> sel1._domainkey.test2.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolQDA1kFcPW13OQNJv7zEGhf18S+PU8oGUOSScVYRJELDUxZzv0i1OsyNW5T2hZlmTDFRszoxstj1o8JBn9nYm6zfdvr4w8JS5SrAEx8MzI4N/SghA334hbXtXQZ3br179XVgTMGJL0OMWw2Qp0c9HQAtQNF3ckeMiPncWp8e58in5YCjvHhezl8/VGrBx+CsDKxT8JFs/0QluC6AFQuM9ZIsm3RPwf4BsPE0/ADpuA5GUUdYUzhNt2Uq9Wr82BJLt8cy1a9FVEGKxdMhgJ7Gx4hx8GpM/oaiQYMO9VmNZVz8n87BkNOnjlpYFCtfb9FH8/mYPwqaSa0DmcahfeHVQIDAQAB"
> )
> sel2._domainkey.test2.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3i4wXkWpIYib21p0CZx1dobNCYababIxIZAJO5SEGiK++C7jLgnpqg+lvTKS7eR5q1MO3ZCY19Bgm/PcigLvuLtMzap4yY+h9hnsQYzrdcAamzrpB3cjiNoCNhT0Zp7kRI6Rx0t2Uc91e0CvaFf8zAJIF4VUyQNXx9Gn/SEtNr0iQCNsPptGA1PUGUwDQUGze7fkXtnBOrgvNjILfnUC7MA6W+2+mCYtHzOkRB+t6SMutR2cDSXabjYBL5/1bweL6ABDouGgBnIj9LrY6RcbzrBpLuUAuXi71dLEHs0KW0UdImyUpE1i+thKqhNGaYnaL8KrTlDUC8g62T2kQNuHJQIDAQAB"
> )
> sel3._domainkey.test2.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDOUuL/rLDi7fohdOw/sk31eGe5CtX9UEw5pSQv/EyYwW9lxZqi9SwU8Of+z7uHLMFJi+YbYV25CYDUrDIE71WLKou3FL0WyH0U4DrZoR7CBnMjRz92Lqh+VV1PJz0t5mU8YD0O+JJ80jScKIIcC8r1qysQI9Y7EdIAWFZlYS97c6WhKVg94xeOAaRDnpbr80H29g9pqGs4Yk4Hc1r5OXptj12sBMO7JCz/4dQ2Di0JsPOwEjWNbV9ysz8EcSW/+RoFG5Iomf4/q/aW7T6tUGqdj8M0eQ0TO0xW0lc4jqKUHH85LbdZFhcDIBUg8ML6mRgSVy779MxMP7+uw3iVLQQIDAQAB"
> )
> test3.dkim2.com. 3600 IN MX 10 mail.dkim2.com.
> test3.dkim2.com. 3600 IN TXT "v=spf1 a mx -all"
> _dmarc.test3.dkim2.com. 3600 IN TXT "v=DMARC1; p=none"
> ed25519._domainkey.test3.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=ed25519; p=reUWo3pXLWHk5dILIK4NoCR3F2iACFdQ/FlhvVvMtxc=" )
> sel1._domainkey.test3.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAju2t0p4xwgCT4UCRgfNZ27U6nhQ5sHSV23hR2TBngda8yAChPInsdVyjJv+cSeZf7tG7yKrzKTM9KaKK8BzBguYrJ9DRJqg7MPPsXlZJ53Ydku3GKLcuiBmDrwUxyBGAMFxndVs+uNJkF2qi+RK0Dgd45wMZiJJF1K3bPjkkQub4Ex4MXvbIqqThthlYiKUGHFBPKg7DALkdoIlegrAP4xZ43Cszd5u9AvNdjvAr31ajjaGrGuQH+gW5kXdwZpDiQgvi0Obnr7AZeVSyr4I5CTNLoj4ed4I0AOJ3TsoZM1fFzHr/rqhL+oEKW3tA7UYGaRoXFDei0qLXhRGTJjzscQIDAQAB"
> )
> sel2._domainkey.test3.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynXlN4POdoj82RpdpD7iG8RR/RF1TjQxy65Fu/12cV0YYX1mZLOHcvSUkxkxMKSxdZnv/7UKuQcbdQXC7jBah/JQNYzLVDUe3bKbrjsypczRPYKajxnEYCsjvoKDR9g2XtlppGrchst77wcj3SWplz2MGBk5E2SGVo1TuvuRt2S0iiye8+Z2KBaVUE3t55YxRHhjIfudboyq4Vqt6o1/6gl7eieZjqfqIBcU8k1xgEG5EG5GYCV12cUzvFU4Q5jPIzDWydppSN+jsIdSRbA8E0GweeRYumuNHryfDexZ04GafvjDwC+b9PCD5r8xiyt7N8gPNG052smGeK39N9Y/TQIDAQAB"
> )
> sel3._domainkey.test3.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmJR1PxhxeO2eZlHPZfikAOyn/95rjszoGWRZti+0VyitapUVvla9noM3w0rbFEbVwW4Y3ILqY7j1C1jiM02okbYNYwE0CC1WSTGUrSoyRV7nGFJ5n6vcLCLqE9EFJwFnUCCXDTz+90D4aiXgasm/MAJJMkBQzdrrpQTwnLGVfWYGenqUWJ1+yn8kXmDq/wub0oE5G3DEE7noCgxpzkEd6tqCIJ3Z1wcA9qnUsTBjmDLPEZAwc4ajwZ/cfXceDXnprUKlFvq9tfMReKfObT2g6/iBsesBLCsuYgHKRydNqT1+YU0GmkSQkXutgyH5o4WzkUsPim2saIiTkVPTCtbWBwIDAQA"
> )
> test4.dkim2.com. 3600 IN MX 10 mail.dkim2.com.
> test4.dkim2.com. 3600 IN TXT "v=spf1 a mx -all"
> _dmarc.test4.dkim2.com. 3600 IN TXT "v=DMARC1; p=none"
> ed25519._domainkey.test4.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=ed25519; p=fJAwKEPblCYdjrEIPeyOFy6AeXZUBALBdGQRjSPe97c=" )
> sel1._domainkey.test4.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqxfEjz2MPZ7ZiE/uQkgPOC7mn0CweB5MZgHMqgGPQodj2DpbILnxBivC64VV5/JItBaNCtEL3UFY1YzlJOKzqjJacF66u9en4m6L6uC31vrHmVME6+rx7B5nMBlkwPheamx8Dyf+wNo3/9UCKxSdFdtiJLpLGC7Tg2ry7tpxST4Joaf9fIggc3Zmaraidk0S0uJKQq6ZKoZtjJkt0Bd+LGEnGC6C9/lrjHarnImc1bcELpJrzmneOmJO1/b4C8TXawu7luKn6dTWhujAOam+sO4vXxwpCDEa2saSrB6ru2Ef4ittBVn8fYDCwCjqbniU3B/g7BcBYnnMLUvQecZEqwIDAQAB"
> )
> sel2._domainkey.test4.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApolcHH25pnffLSu90xCKJINg7wItlff/H1x529bcRoYDl171r7rqnXA4dBaVSQoIK+vHsoizucMNw1dvdlxgdjOjBxJQOzF5gT4rvFjXn6gJG41MJcAolxA12FAM3XAlYmy2tE5jIU9TXenLgnXzLuf+YYLWsU2XHFO7yQkOwakgLFVQ7hljB1lCA6gWdERj1pa/v0njvBCK2k4+n70cS0CVE4n1zeKUSM/WHhqrW1ty2N4DW47JpBlbmJLepMuR3wPnkE7vL4OR+2HmZ+x6DzdZbzo0FFvh7jdfjlX/BB84ixaXIsJfEzWZMRc6DF+7oQIJ7WkyAETX2CXp/GpQwwIDAQAB"
> )
> sel3._domainkey.test4.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiy1mVSb6jt4Y4m0V2M3/e/azZBQUGjahidiAgIE/4ZrJn65azagf3byfJwSvyxbnUSNvvJRf4aEiktKVOWKm9HbFMB8bS972Uj6IhviNrbrI7fdos/wv7SB7lCEVETKHC8lot7mw3xD86RLzhBFlBpgKreQrN0bXGC7vkMLE5Noxxj1BdVOEL7RQf96NGgi08ksgvlOMAcEVsVrGYJbrqAW85QJYe/0oQTb9BB86gRqweaZprFPDKB0/UUlRMNNR3+Zwrp7ibb8c0QXaDJ4V+5k2ABw8Cp99uXHeK8K50nfakQnY5EUlQ8lpCIG2JHLHTF7s4TbnXJST7Jy5RSmNywIDAQAB"
> )
> test5.dkim2.com. 3600 IN MX 10 mail.dkim2.com.
> test5.dkim2.com. 3600 IN TXT "v=spf1 a mx -all"
> _dmarc.test5.dkim2.com. 3600 IN TXT "v=DMARC1; p=none"
> ed25519._domainkey.test5.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=ed25519; p=IAG1F5P3LD1Q8Y67PeW7YJLuvrM19wpaof+dzdC679I=" )
> sel1._domainkey.test5.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YUNs4TOful7xAtEh/PcKbVRvxBOOC52crCwqRCeVUnsvyOPx/qtY0oA2qPZVzDFU/h3fyz54eqYMiOIbxJavt3+nDNf8VfyHxQfc6+JdHdcHAJDpM1EMgN5awMxvc76csMVN6hnYFeOuSZECQy8Kr2C8QPCTcoMeNmR0udfKBo17Gjx4Wg9QDlc0CrzdenXscs0+D/3Y47lN1KllQeBAR7wvTVFoFKvSZ2CvwW264Syx76viMd0+JaK0YdhAcphMuHeNWzCKA+pMVD45gtikpkOQo+MBQIV96lNXa3fEw20S1IZfCMZHMSBbLmsiDY4luCe6kA08khNaE/zBi1GbQIDAQAB"
> )
> sel2._domainkey.test5.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSkJ+kfygUujU2u3tquvkjpPV/Gluz9k7rNnDfQwSddbZLOtDSQRt5pA04fjUcS+PraUAg2arKuGv05Nuw/X0ts7bh3N0b2Iwbg1IEGGa6gXMmJ6Lj5T0O716rk0GOvdWqLz/466MzCH8viwPwSLY25EBDD3r1Y9o58xy6VhiUuMsqttjzsk743A0wKQHr5FEYim0qnfY0ePfAr0s36XItgQaXH9pkr2CPmqSXlIwKN99h2TJVcf86dMDqxuqUnI2OilwKcGtMk2/oMxC3A5gGgFkivxUIdoKs0Y/JruR6mvnoFREbC5GToWNGCgciYbxMfaQIRO9tJwyPGl8gPpiQIDAQAB"
> )
> sel3._domainkey.test5.dkim2.com. 3600 IN TXT (
> "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsU7LuV9aZv8jiNflYQBEpGjGjzKF+PBBFSezLBkRsYQ8IKcmCa0v/BI2hC0h0DGqtOb4dz640F3oZFRyUcX5PsKinm6SChl1qOog4+3oNFs7bhe3NJm7MRgTCSKomEWKXJei303wy/iDKtm+KUL8mSFNlAr3FnVTxXq2LY+rUG786Ha7xvK7NeLN4+R22061QVf+rqWhMgZB0fEGzIAVx2C7P2dCMT1sZoPPXHajXmw36LbOUDp151tfH7LQ9qdPL+08FYjM4xoJdLy3kgHATb0bnebq0Mfxym2x14nI6YoOzqE+fcL4xJXqfVISC1Uyvx0ndNO6jajsBIbr2ihKewIDAQAB"
> )
> ... so basically my idea is to replace every current 103.168.172.x IP in our generated zones with an indirection to the actual service name, and then be able to update just that one zone file in order to change the IPs which are served for that service.
> I'd be happy to re-implement that as a separate plugin, or as variables or some other way to do that indirection - I just want it to keep the DNS service fast, and allow me to switch all those records all at once.
> Thanks,
> Bron.
> --
>    Bron Gondwana, CEO, Fastmail Pty Ltd / Fastmail US LLC
>    brong@fastmailteam.com



--
  Bron Gondwana, CEO, Fastmail Pty Ltd / Fastmail US LLC
  brong@fastmailteam.com
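
The indirection discussed in this thread, sketched as an added example (not code from the thread, from Fastmail, or from Knot DNS): ALIAS records are flattened at zone-build time against a locally held service zone, and a fingerprint of the alias targets tells the builder whether a cached, already signed zone can be reused. The service names and the second-site addresses (198.51.100.x) are hypothetical; the other addresses are the ones quoted above.

```python
import hashlib

# Constructed data. Service names and SITE_B addresses are hypothetical;
# 103.168.172.x and 178.62.49.34 are the values quoted in the thread.
SITE_A = {"web.svc.example.": {"A": ["103.168.172.37", "103.168.172.52"]},
          "mail.svc.example.": {"A": ["103.168.172.65"]}}
SITE_B = {"web.svc.example.": {"A": ["198.51.100.37", "198.51.100.52"]},
          "mail.svc.example.": {"A": ["198.51.100.65"]}}

# Customer zone as (owner, ttl, type, rdata). ALIAS marks a record that is
# "a service provided by us"; literal records are customer overrides.
CUSTOMER_ZONE = [
    ("miv.org.au.", 3600, "MX", "10 in1-smtp.messagingengine.com."),
    ("miv.org.au.", 3600, "A", "178.62.49.34"),
    ("*.miv.org.au.", 3600, "ALIAS", "web.svc.example."),
    ("mail.miv.org.au.", 3600, "ALIAS", "mail.svc.example."),
]

ADDRESS_TYPES = ("A", "AAAA")


def flatten(records, service_zone):
    """Replace every ALIAS record with the address records of its target."""
    out = []
    for owner, ttl, rtype, rdata in records:
        if rtype != "ALIAS":
            out.append((owner, ttl, rtype, rdata))
            continue
        target = service_zone.get(rdata, {})
        resolved = [(owner, ttl, t, addr)
                    for t in ADDRESS_TYPES for addr in target.get(t, [])]
        if not resolved:
            # Fail the build rather than publish a name with no addresses.
            raise LookupError(f"{owner}: ALIAS target {rdata} has no addresses")
        out.extend(resolved)
    return out


def alias_fingerprint(records, service_zone):
    """Hash of the service-zone data this zone depends on.

    If the fingerprint and the zone's own records are unchanged, a cached
    flattened (and signed) copy is still valid and need not be recomputed.
    """
    digest = hashlib.sha256()
    for target in sorted({r[3] for r in records if r[2] == "ALIAS"}):
        rrsets = service_zone.get(target, {})
        canonical = sorted((t, sorted(v)) for t, v in rrsets.items())
        digest.update(repr((target, canonical)).encode())
    return digest.hexdigest()


if __name__ == "__main__":
    for site_name, site in (("site A", SITE_A), ("site B", SITE_B)):
        print(site_name, alias_fingerprint(CUSTOMER_ZONE, site)[:12])
        for owner, ttl, rtype, rdata in flatten(CUSTOMER_ZONE, site):
            print(f"  {owner} {ttl} IN {rtype} {rdata}")
```

Switching sites changes only the service zone; customer overrides such as the apex A record pass through untouched, and the fingerprint change is what invalidates the cached copy.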