; Domain: tyrolize.ch
; Adds A/AAAA + wildcard pointing at the watcher VM (195.15.203.200),
; plus anti-spoofing (no mail leaves this domain) and CAA restricting
; TLS issuance to Let's Encrypt.

$TTL 3600

@               IN SOA   ns11.infomaniak.ch. hostmaster.infomaniak.ch. (2026061646 10800 3600 605800 3600)
@          3600 IN NS    ns11.infomaniak.ch.
@          3600 IN NS    ns12.infomaniak.ch.

; --- Watcher VM (short TTL during bring-up; raise to 3600 later if you want) ---
@           300 IN A     195.15.203.200
@           300 IN AAAA  2001:1600:10:100::b4e
*           300 IN A     195.15.203.200
*           300 IN AAAA  2001:1600:10:100::b4e

; --- Anti-spoofing: no mail is sent from tyrolize.ch ---
@          3600 IN TXT   "v=spf1 -all"
_dmarc     3600 IN TXT   "v=DMARC1; p=reject; rua=mailto:tyro@lize.ch"

; --- Restrict TLS cert issuance to Let's Encrypt ---
@          3600 IN CAA   0 issue "letsencrypt.org"

; --- Infomaniak default (harmless on non-mail domain) ---
_domainkey 3600 IN NS    ns11.infomaniak.ch.
_domainkey 3600 IN NS    ns12.infomaniak.ch.