Add opencode.jsonc configuration for DNSControl documentation.

Refactor CAA records to use CAA_BUILDER and update type definitions to version 4.35.0.
2026-03-08 11:43:12 -04:00 · 2026-03-08 11:42:01 -04:00
3 changed files with 182 additions and 18 deletions
--- a/dnsconfig.js
+++ b/dnsconfig.js
@@ -16,8 +16,18 @@ DEFAULTS(
  DnsProvider(DNS_CLOUDFLARE),
  DefaultTTL(1),
  CF_MANAGE_COMMENTS, // opt into comments syncing
-  CAA("@", "iodef", "mailto:" + reportEmail),
-  CAA("@", "issue", "letsencrypt.org"),
+  CAA_BUILDER({
+    iodef: "mailto:" + reportEmail,
+    iodef_critical: true,
+    issue: ["letsencrypt.org"],
+    issue_critical: true,
+    issuewild: ["letsencrypt.org"],
+    issuewild_critical: true,
+    issuevmc: "none",
+    issuevmc_critical: true,
+    issuemail: "none",
+    issuemail_critical: true,
+  }),
 );

 /* ****************************************************************************************************************** *\
@@ -68,18 +78,19 @@ D("achlfr.email", REG_101DOMAIN,
  RexBox Services
 \* -------------------------------------------------------------------------- */
 cnames("arirex.me", rexbox, [
-  "OpenWebUI@ai",
-  "Traefik Forward Auth@auth",
+  "Chhoto URL@l",
  "Enclosed@bin",
-  "Matrix / Client@chat",
-  "Pocket ID@id",
  "IT Tools@it",
  "Karakeep@karakeep",
-  "Chhoto URL@l",
+  "Matrix / Client@chat",
  "Matrix / Server@matrix",
  "Minecraft@mc",
  "Ntfy@ntfy",
+  "OpenWebUI@ai",
+  "Pocket ID@id",
+  // "Prompts@prompts",
  "Traefik@traefik",
+  "Traefik Forward Auth@auth",
 ]);

 cnames("achl.fr", rexbox, [
@@ -93,11 +104,11 @@ cnames("achl.fr", rexbox, [
 cnames("arirex.me", rexcloud, [
  "Beszel@beszel",
  "Gitea@git",
-  "IPFS@gw",
-  "IPFS@*.ipfs.gw",
-  "IPFS@*.ipns.gw",
-  "SearXNG@search",
+  "IPFS Subdomain Gateway@*.ipfs.gw",
+  "IPFS Subdomain Gateway@*.ipns.gw",
+  "IPFS Path Gateway@gw",
  // "LibreSpeed@speedtest",
+  "SearXNG@search",
 ]);

 /* -------------------------------------------------------------------------- *\
--- a/opencode.jsonc
+++ b/opencode.jsonc
@@ -0,0 +1,10 @@
+{
+  "$schema": "https://opencode.ai/config.json",
+  "mcp": {
+    "dnscontrol-docs": {
+      "enabled": true,
+      "type": "remote",
+      "url": "https://docs.dnscontrol.org/~gitbook/mcp"
+    }
+  }
+}
--- a/types-dnscontrol.d.ts
+++ b/types-dnscontrol.d.ts
@@ -1,7 +1,7 @@
 // This file was automatically generated by DNSControl. Do not edit it directly.
 // To update it, run `dnscontrol write-types`.

-// 4.34.0
+// 4.35.0
 // WARNING: These type definitions are experimental and subject to change in future releases.

 interface Domain {
@@ -784,13 +784,13 @@ declare function CNAME(name: string, target: string, ...modifiers: RecordModifie
 * In this situation, you will see an error message such as:
 *
 * ```
- * Skipping registrar REGISTRAR: No nameservers declared for domain "example.com". Add {no_ns:'true'} to force
+ * Skipping registrar REGISTRAR: No nameservers declared for domain "example.com". Add {no_ns: "true"} to force
 * ```
 *
 * To add this, add the meta data to the zone immediately following the registrar.
 *
 * ```javascript
- * D("example.com", REG_MY_PROVIDER, {no_ns:'true'},
+ * D("example.com", REG_MY_PROVIDER, {no_ns: "true"},
 *   ...
 *   ...
 *   ...
@@ -959,11 +959,11 @@ declare const DISABLE_IGNORE_SAFETY_CHECK: DomainModifier;
 *     pubkey: "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC5/z4L",
 *     label: "subdomain",
 *     version: "DKIM1",
- *     hashtypes: ['sha1', 'sha256'],
+ *     hashtypes: ["sha1", "sha256"],
 *     keytype: "rsa",
 *     note: "some human-readable notes",
- *     servicetypes: ['email'],
- *     flags: ['y', 's'],
+ *     servicetypes: ["email"],
+ *     flags: ["y", "s"],
 *     ttl: 150
 *   }),
 * );
@@ -1400,6 +1400,57 @@ declare function FRAME(name: string, target: string, ...modifiers: RecordModifie
 */
 declare function HASH(algorithm: "SHA1" | "SHA256" | "SHA512", value: string): string;

+/**
+ * `HEDNS_DDNS_KEY` enables Dynamic DNS on a record managed by the Hurricane Electric DNS provider and sets a specific DDNS key (token). This implies [`HEDNS_DYNAMIC_ON`](HEDNS_DYNAMIC_ON.md).
+ *
+ * The DDNS key can then be used with the HE DDNS update API (`https://dyn.dns.he.net/nic/update`) to update the record's value.
+ *
+ * **Note:** DDNS keys are **write-only**. dnscontrol sets the key on the provider but cannot read back the current key. This means a key-only change (same record data, new key) will not be detected as a difference. To force an update, also change another field such as the TTL.
+ *
+ * ```javascript
+ * D("example.com", REG_NONE, DnsProvider(DSP_HEDNS),
+ *     A("dyn", "0.0.0.0", HEDNS_DDNS_KEY("my-secret-token")),
+ *     AAAA("dyn6", "::1", HEDNS_DDNS_KEY("another-token")),
+ * );
+ * ```
+ *
+ * @see https://docs.dnscontrol.org/language-reference/record-modifiers/service-provider-specific//hedns_ddns_key
+ */
+declare function HEDNS_DDNS_KEY(key: string): RecordModifier;
+
+/**
+ * `HEDNS_DYNAMIC_OFF` explicitly disables Dynamic DNS on a record managed by the Hurricane Electric DNS provider. This will clear any DDNS key previously associated with the record.
+ *
+ * Use this modifier when you want to ensure a record that was previously dynamic is returned to a static state.
+ *
+ * ```javascript
+ * D("example.com", REG_NONE, DnsProvider(DSP_HEDNS),
+ *     A("static", "5.6.7.8", HEDNS_DYNAMIC_OFF),
+ * );
+ * ```
+ *
+ * @see https://docs.dnscontrol.org/language-reference/record-modifiers/service-provider-specific//hedns_dynamic_off
+ */
+declare const HEDNS_DYNAMIC_OFF: RecordModifier;
+
+/**
+ * `HEDNS_DYNAMIC_ON` enables [Dynamic DNS](https://dns.he.net/) on a record managed by the Hurricane Electric DNS provider. When enabled, HE DNS assigns a DDNS key to the record that can be used with the HE DDNS update API (`https://dyn.dns.he.net/nic/update`).
+ *
+ * If a record is already dynamic, its dynamic state is preserved across modifications even without explicitly specifying this modifier.
+ *
+ * To set a specific DDNS key, use [`HEDNS_DDNS_KEY()`](HEDNS_DDNS_KEY.md) instead.
+ *
+ * ```javascript
+ * D("example.com", REG_NONE, DnsProvider(DSP_HEDNS),
+ *     A("dyn", "0.0.0.0", HEDNS_DYNAMIC_ON),
+ *     AAAA("dyn6", "::1", HEDNS_DYNAMIC_ON),
+ * );
+ * ```
+ *
+ * @see https://docs.dnscontrol.org/language-reference/record-modifiers/service-provider-specific//hedns_dynamic_on
+ */
+declare const HEDNS_DYNAMIC_ON: RecordModifier;
+
 /**
 * HTTPS adds an HTTPS record to a domain. The name should be the relative label for the record. Use `@` for the domain apex. The HTTPS record is a special form of the SVCB resource record.
 *
@@ -2425,6 +2476,98 @@ declare function LUA(name: string, rtype: string, contents: string | string[], .
 */
 declare function M365_BUILDER(opts: { label?: string; mx?: boolean; autodiscover?: boolean; dkim?: boolean; skypeForBusiness?: boolean; mdm?: boolean; domainGUID?: string; initialDomain?: string }): DomainModifier;

+/**
+ * `MIKROTIK_FORWARDER` manages a RouterOS DNS forwarder entry (`/ip/dns/forwarders`). The `name` parameter can be a domain name (e.g. `corp.example.com`) or an arbitrary alias (e.g. `my-upstream`). These named entries can then be referenced as the target of [`MIKROTIK_FWD`](MIKROTIK_FWD.md) records.
+ *
+ * Forwarder records must be placed in the synthetic zone `_forwarders.mikrotik`. This zone should appear **before** any zones that reference its entries by name in `dnsconfig.js` to ensure proper creation order.
+ *
+ * See the [MikroTik RouterOS provider page](../../provider/mikrotik.md) for full configuration details.
+ *
+ * Metadata keys supported:
+ *
+ * | Key                | Description                                        |
+ * |--------------------|----------------------------------------------------|
+ * | `doh_servers`      | DoH server URLs for this forwarder.                |
+ * | `verify_doh_cert`  | Set to `"true"` to verify the DoH certificate.     |
+ * | `comment`          | Comment stored on the RouterOS forwarder entry.    |
+ *
+ * ```javascript
+ * D("_forwarders.mikrotik", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
+ *     // Domain-based forwarder: forward corp.example.com to internal DNS servers.
+ *     MIKROTIK_FORWARDER("corp.example.com", "10.0.0.53,10.0.0.54"),
+ *
+ *     // Alias-based forwarder with DoH.
+ *     MIKROTIK_FORWARDER("doh-upstream", "1.1.1.1", {doh_servers: "https://cloudflare-dns.com/dns-query", verify_doh_cert: "true"}),
+ * );
+ *
+ * // Then reference the alias in a FWD record:
+ * D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
+ *     MIKROTIK_FWD("@", "doh-upstream", {match_subdomain: "true"}),
+ * );
+ * ```
+ *
+ * @see https://docs.dnscontrol.org/language-reference/domain-modifiers/service-provider-specific//mikrotik_forwarder
+ */
+declare function MIKROTIK_FORWARDER(name: string, dns_servers: string, ...modifiers: RecordModifier[]): DomainModifier;
+
+/**
+ * `MIKROTIK_FWD` creates a RouterOS FWD (conditional DNS forwarding) static entry. These records instruct the MikroTik router to forward DNS queries matching the name to a specified upstream server, optionally populating a RouterOS address list with resolved addresses.
+ *
+ * The `target` can be an IP address (e.g. `8.8.8.8`) or the name of a [`MIKROTIK_FORWARDER`](MIKROTIK_FORWARDER.md) entry (e.g. `my-upstream`).
+ *
+ * See the [MikroTik RouterOS provider page](../../provider/mikrotik.md) for full configuration details.
+ *
+ * Metadata keys supported:
+ *
+ * | Key               | Description                                                        |
+ * |-------------------|--------------------------------------------------------------------|
+ * | `match_subdomain` | Set to `"true"` to also match subdomains of the name.              |
+ * | `regexp`          | RouterOS regexp for query matching.                                |
+ * | `address_list`    | RouterOS address list to populate with resolved addresses.         |
+ * | `comment`         | Comment stored on the RouterOS record.                             |
+ *
+ * ```javascript
+ * D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
+ *     // Forward all queries for example.com and subdomains to 8.8.8.8,
+ *     // add resolved addresses to the "vpn-list" address list.
+ *     MIKROTIK_FWD("@", "8.8.8.8", {match_subdomain: "true", address_list: "vpn-list"}),
+ *
+ *     // Forward internal.example.com to a named forwarder entry.
+ *     MIKROTIK_FWD("internal", "corp-dns", {match_subdomain: "true"}),
+ * );
+ * ```
+ *
+ * @see https://docs.dnscontrol.org/language-reference/domain-modifiers/service-provider-specific//mikrotik_fwd
+ */
+declare function MIKROTIK_FWD(name: string, target: string, ...modifiers: RecordModifier[]): DomainModifier;
+
+/**
+ * `MIKROTIK_NXDOMAIN` creates a RouterOS NXDOMAIN static entry. The router will respond with NXDOMAIN for any DNS queries matching the specified name. This is commonly used for DNS-based ad blocking or blackholing.
+ *
+ * See the [MikroTik RouterOS provider page](../../provider/mikrotik.md) for full configuration details.
+ *
+ * Metadata keys supported:
+ *
+ * | Key               | Description                                                        |
+ * |-------------------|--------------------------------------------------------------------|
+ * | `match_subdomain` | Set to `"true"` to also match subdomains of the name.              |
+ * | `regexp`          | RouterOS regexp for query matching.                                |
+ * | `comment`         | Comment stored on the RouterOS record.                             |
+ *
+ * ```javascript
+ * D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
+ *     // Block ads.example.com with NXDOMAIN.
+ *     MIKROTIK_NXDOMAIN("ads"),
+ *
+ *     // Block tracking.example.com and all its subdomains.
+ *     MIKROTIK_NXDOMAIN("tracking", {match_subdomain: "true"}),
+ * );
+ * ```
+ *
+ * @see https://docs.dnscontrol.org/language-reference/domain-modifiers/service-provider-specific//mikrotik_nxdomain
+ */
+declare function MIKROTIK_NXDOMAIN(name: string, ...modifiers: RecordModifier[]): DomainModifier;
+
 /**
 * `MX` adds a [Mail exchange record](https://www.rfc-editor.org/rfc/rfc1035) to the domain.
 *
@@ -3126,7 +3269,7 @@ declare const PURGE: DomainModifier;
 * * _S3 bucket_ (configured as website): specify the hosted zone ID for the region that you created the bucket in. You can find it in [the List of regions and hosted Zone IDs](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region)
 * * _Another Route 53 record_: you can either specify the correct zone id or do not specify anything and DNSControl will figure out the right zone id. (Note: Route53 alias can't reference a record in a different zone).
 *
- * Target health evaluation can be enabled with the [`R53_EVALUATE_TARGET_HEALTH`](../record-modifiers/R53\_EVALUATE\_TARGET\_HEALTH.md) record modifier.
+ * Target health evaluation can be enabled with the [`R53_EVALUATE_TARGET_HEALTH`](../record-modifiers/R53_EVALUATE_TARGET_HEALTH.md) record modifier.
 *
 * ```javascript
 * D("example.com", REG_MY_PROVIDER, DnsProvider("ROUTE53"),
Author	SHA1	Message	Date
Jarrett Aiken	57930abc00	Add opencode.jsonc configuration for DNSControl documentation.	2026-03-08 11:43:12 -04:00
Jarrett Aiken	738d1d9753	Refactor CAA records to use CAA_BUILDER and update type definitions to version 4.35.0.	2026-03-08 11:42:01 -04:00