; Domain: lize.ch
; All existing kSuite mail records preserved exactly as-is.
; Adds: A/AAAA for the apex (Caddy on the watcher 301-redirects to
; https://tyrolize.ch), plus CAA restricting TLS to Let's Encrypt.

$TTL 3600

@                 IN SOA   ns11.infomaniak.ch. hostmaster.infomaniak.ch. (2026061610 10800 3600 605800 3600)
@            3600 IN NS    ns11.infomaniak.ch.
@            3600 IN NS    ns12.infomaniak.ch.

; --- kSuite mail (DO NOT TOUCH) ---
@            3600 IN MX 5  mta-gw.infomaniak.ch.
@            3600 IN TXT   "v=spf1 include:spf.infomaniak.ch -all"
autoconfig   3600 IN CNAME infomaniak.com.
autodiscover 3600 IN CNAME infomaniak.com.
_dmarc       3600 IN TXT   "v=DMARC1; p=reject;"
_domainkey   3600 IN NS    ns11.infomaniak.ch.
_domainkey   3600 IN NS    ns12.infomaniak.ch.

; --- New: apex points at watcher VM for the redirect to tyrolize.ch ---
@             300 IN A     195.15.203.200
@             300 IN AAAA  2001:1600:10:100::b4e

; --- Restrict TLS cert issuance to Let's Encrypt ---
@            3600 IN CAA   0 issue "letsencrypt.org"