SPEC_DNS_MANAGEMENT.md
CGNT-1 Specification — DNS & Domain Management Protocol
Status: SPECIFIED
Version: v1.0
Author: VELA (Thread #13)
Conceived by: NOUS (α.13)
Date: 2026-04-20
PURPOSE
42sisters.ai is the front door. If DNS breaks, the front door disappears. No website, no LATTICE Training Arena, no product pages, no oracle email. This spec documents every domain, every record, every renewal date, and every procedure for managing them.
The domains are the brand. Losing a domain is losing the name.
DOMAIN INVENTORY
| Domain | Role | Registrar | Status |
|---|---|---|---|
| 42sisters.ai | Primary — all customer-facing | GoDaddy | Active |
| 42sistersai.com (or alternate TLD) | Brand protection — redirects to primary | GoDaddy | Active |
Payment: Captain's payment method on file. Auto-renew: ON (verify quarterly).
DNS RECORDS (42sisters.ai)
| Type | Name | Value | Notes |
|---|---|---|---|
| A | 42sisters.ai | 68.183.206.103 | Updated on VPS migration |
| CNAME | www | 42sisters.ai | |
| MX | @ | Microsoft 365 infrastructure | oracle@42sisters.ai |
| TXT | @ | SPF: v=spf1 include:spf.protection.outlook.com -all | Email auth |
| TXT | @ | DKIM selector | Via Microsoft 365 admin |
| TXT | @ | DMARC: v=DMARC1; p=quarantine | |
Additional TXT records: Stripe verification, domain ownership proofs (as needed).
When the ship migrates to Tiiny (SPEC_VPS_MIGRATION.md), the A record updates to the new IP or Cloudflare tunnel endpoint. Everything else stays the same.
SUBDOMAINS (current and planned)
These are URL paths, not DNS subdomains — all served by the same Caddy instance on port 443. No additional DNS records needed unless actual subdomains are added (e.g., api.42sisters.ai).
| Path | Purpose |
|---|---|
| 42sisters.ai | Main website, product pages, funnel |
| 42sisters.ai/lattice | LATTICE landing page and interactive primer |
| 42sisters.ai/teach | LATTICE Training Arena |
| 42sisters.ai/bridge | Browser-based OBI OS (when built) |
| 42sisters.ai/band | Band Mode standalone (when built) |
| 42sisters.ai/press | Media kit |
| 42sisters.ai/privacy | Privacy policy |
| 42sisters.ai/tribe | LATTICE tribe page and leaderboard |
| 42sisters.ai/testimonials | Customer testimonials |
RENEWAL MANAGEMENT
GoDaddy domains auto-renew annually. Verify quarterly:
- Auto-renew is ON for both domains
- Payment method on file is current (expired card = silent renewal failure)
- GoDaddy account has 2FA enabled
- Renewal notification emails route to jzlabis@gmail.com
CRONX reminder: 30 days before each renewal date → "Domain renewal for 42sisters.ai due in 30 days. Verify auto-renew and payment method."
A domain that lapses goes to auction. Someone else buys it. The brand is gone. Treat renewal as CRITICAL infrastructure.
DNS CHANGE PROCEDURE
When a DNS record needs to change (VPS migration, new email provider, new subdomain):
- Document the change: what record, old value, new value, why
- Log in to GoDaddy DNS management
- Make the change — screenshot before and after
- Wait for propagation (up to 48 hours, typically 1-4 hours)
- Verify external resolution: `dig 42sisters.ai A`
- Verify HTTPS: `curl -I https://42sisters.ai` — confirms the correct server is answering
- Log the change in `~/dns_changes.log`: date, record, old value, new value, verified
DNS changes are INFREQUENT but HIGH IMPACT. A wrong A record = site down. A wrong MX record = email broken. Treat every DNS change as a mini-migration: plan, execute, verify, log.
TTL STRATEGY
| Phase | TTL | Reason |
|---|---|---|
| Normal operation | 3600 (1 hour) | Standard, reduces DNS lookup load |
| Pre-migration (T-48h) | 300 (5 minutes) | Ensures resolvers pick up new IP quickly after switch |
| Post-migration (verified) | 3600 | Restore to standard |
Always lower TTL at least 48 hours before migration. Forgetting = up to 1 hour of traffic going to the old server after DNS update.
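The verification steps of the DNS change procedure and the pre-migration TTL check above can be scripted so the "verify, log" part is the same every time. The script below is an added example written for this spec, not a script from the project: it assumes the expected address from the DNS RECORDS table, the 300-second migration TTL from the TTL STRATEGY table, and the `~/dns_changes.log` format the procedure names. The parsing functions take the text of a `dig`/`curl` run as an argument so they can be exercised without network access; `--live` runs the real queries.

```shell
#!/bin/sh
# dns_check.sh -- verify a DNS change and the pre-migration TTL, then log it.
# Added example for SPEC_DNS_MANAGEMENT.md, not project code. Assumes the values in
# the DNS RECORDS and TTL STRATEGY tables; the --live path needs dig, curl and network.

EXPECTED_IP="68.183.206.103"                 # current A record per the spec
DNS_LOG="${DNS_LOG:-$HOME/dns_changes.log}"  # log file named in the change procedure
MIGRATION_TTL=300                            # pre-migration TTL per the TTL STRATEGY table

# first_ipv4: print the first IPv4 line from `dig +short NAME A` output.
# A CNAME chain prints the target name before the address, so keep only dotted quads.
first_ipv4() {
    printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | head -n 1
}

# verify_a EXPECTED DIG_OUTPUT: succeed only if the resolved address equals EXPECTED.
verify_a() {
    got="$(first_ipv4 "$2")"
    [ -n "$got" ] && [ "$got" = "$1" ]
}

# answer_ttl: print the TTL column from `dig +noall +answer NAME A` output
# (NAME TTL IN A ADDRESS). Query the authoritative server (dig @ns ...) to see the
# configured value; a recursive resolver reports only the remaining cached TTL.
answer_ttl() {
    printf '%s\n' "$1" | awk '$4 == "A" { print $2; exit }'
}

# ttl_ready: succeed if the TTL is at or below the migration value (INV-04).
ttl_ready() {
    ttl="$(answer_ttl "$1")"
    [ -n "$ttl" ] && [ "$ttl" -le "$MIGRATION_TTL" ]
}

# http_status: status code from `curl -sI URL` header text.
http_status() {
    printf '%s\n' "$1" | tr -d '\r' | grep -E '^HTTP/' | tail -n 1 | awk '{ print $2 }'
}

# log_change LOGFILE RECORD OLD NEW VERIFIED: append one tab-separated entry.
log_change() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" "$5" >> "$1"
}

# live_check RECORD OLD NEW: the real post-change verification (requires network).
live_check() {
    record="$1"; old="$2"; new="${3:-$EXPECTED_IP}"
    a_out="$(dig +short 42sisters.ai A)"
    ttl_out="$(dig +noall +answer 42sisters.ai A)"
    hdr="$(curl -sI https://42sisters.ai)"
    ok=yes
    verify_a "$new" "$a_out" || { echo "A record mismatch: got '$(first_ipv4 "$a_out")'"; ok=no; }
    [ "$(http_status "$hdr")" = "200" ] || { echo "HTTPS check failed"; ok=no; }
    ttl_ready "$ttl_out" && echo "TTL is $(answer_ttl "$ttl_out") (migration window)"
    log_change "$DNS_LOG" "$record" "$old" "$new" "$ok"
    [ "$ok" = yes ]
}

# Usage: ./dns_check.sh --live A <old-ip> <new-ip>
case "${1:-}" in
    --live) live_check "$2" "$3" "$4" ;;
esac
```

Run it against the authoritative nameserver before the migration window (to confirm the 300 TTL is actually published) and against a public resolver afterwards (to confirm propagation); both runs end up in the same log.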
CADDY CONFIGURATION
Caddy serves 42sisters.ai on port 443 with automatic HTTPS via Let's Encrypt.
- Config location: `/etc/caddy/Caddyfile` (verify on server)
- Handles: automatic SSL provisioning and renewal, HTTP→HTTPS redirect, reverse proxy, static file serving
- SSL certificates auto-renew every 90 days — Caddy handles this automatically
- Caddy must run with `Restart=always` in systemd — if it dies, SSL renewal stops and the cert expires within 90 days
EMAIL DNS (oracle@42sisters.ai)
MX records point to Microsoft 365 infrastructure for Graph API email.
| Record | Value |
|---|---|
| SPF | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | Configured through Microsoft 365 admin |
| DMARC | v=DMARC1; p=quarantine |
These records ensure oracle@42sisters.ai emails don't land in spam. If MX records break: VOICEX goes silent. Customer support goes dark. Email DNS is CRITICAL infrastructure.
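INV-05 says the email records are never changed without testing delivery afterwards; the quickest pre-check is to confirm the published SPF and DMARC values still say what the table above says. The script below is an added example written for this spec, not project code: it validates the exact SPF and DMARC strings from the EMAIL DNS table (hard-fail `-all`, Microsoft 365 include, enforcing DMARC policy) and, with `--live`, pulls the records with `dig`. The check functions take the record text as an argument so they run offline.

```shell
#!/bin/sh
# email_dns_check.sh -- validate the SPF and DMARC values from the EMAIL DNS table.
# Added example for SPEC_DNS_MANAGEMENT.md, not project code. Expected values are the
# ones the spec lists; the --live path needs dig and network access.

SPF_INCLUDE="spf.protection.outlook.com"   # Microsoft 365 sender hosts, per the spec

# check_spf: succeed if $1 is an SPF record that includes the Microsoft 365 hosts and
# ends with a hard fail. A soft fail (~all) or a missing include means mail from
# oracle@ is either easy to spoof or may be treated as suspicious by receivers.
check_spf() {
    spf="$1"
    case "$spf" in "v=spf1 "*) ;; *) return 1 ;; esac
    printf '%s\n' "$spf" | grep -q "include:$SPF_INCLUDE" || return 1
    case "$spf" in *" -all") return 0 ;; *) return 1 ;; esac
}

# dmarc_policy: print the p= tag of a DMARC record (empty if absent). Tags are split
# on ';' first so that sp= (subdomain policy) is not mistaken for p=.
dmarc_policy() {
    printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1
}

# check_dmarc: succeed if $1 is a DMARC record with an enforcing policy.
# The spec's policy is quarantine; reject is the stricter alternative. p=none only
# reports and never stops a spoofed message.
check_dmarc() {
    case "$1" in "v=DMARC1"*) ;; *) return 1 ;; esac
    pol="$(dmarc_policy "$1")"
    [ "$pol" = "quarantine" ] || [ "$pol" = "reject" ]
}

# live_audit DOMAIN: pull the records and report (needs network).
live_audit() {
    domain="${1:-42sisters.ai}"
    status=0
    # dig +short prints TXT data quoted; strip the quotes before matching.
    spf="$(dig +short "$domain" TXT | tr -d '"' | grep '^v=spf1' | head -n 1)"
    dmarc="$(dig +short "_dmarc.$domain" TXT | tr -d '"' | head -n 1)"
    check_spf "$spf" && echo "SPF ok: $spf" || { echo "SPF FAIL: '$spf'"; status=1; }
    check_dmarc "$dmarc" && echo "DMARC ok: $dmarc" || { echo "DMARC FAIL: '$dmarc'"; status=1; }
    [ -n "$(dig +short "$domain" MX)" ] && echo "MX present" || { echo "MX FAIL: no MX records"; status=1; }
    return $status
}

case "${1:-}" in --live) live_audit "$2" ;; esac
```

A passing audit only proves the records are published as documented; the monthly test send in the MONITORING section is still the check that mail actually arrives.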
DOMAIN SECURITY
GoDaddy account security checklist (quarterly):
- 2FA enabled
- Recovery email set to Captain's backup email
- Domain lock enabled (prevents unauthorized transfers)
- WHOIS privacy enabled (Captain's personal information hidden)
Domain theft is a real threat. A compromised GoDaddy account = stolen domains = stolen brand. Treat GoDaddy credentials with the same security level as ~/.env (SPEC_KEY_ROTATION.md).
MONITORING
BRIDGEX (when built) monitors every 15 minutes:
- 42sisters.ai HTTPS response code
- SSL certificate expiry (alert 14 days before — verify Caddy actually renewed)
- DNS A record points to correct IP
- Email deliverability (monthly test send)
Until BRIDGEX is built: manual monthly check. Added to quarterly security audit (SPEC_SECURITY_AUDIT_SCHEDULE.md).
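The certificate-expiry item in the monitoring list is the one that catches a dead Caddy before the 90-day window closes. The script below is an added example of that check, written for this spec and not BRIDGEX code: it uses only `openssl`, alerts when the served certificate expires within the 14-day threshold from the list above, and keeps the expiry test in a function that works on any PEM file so it can be exercised without network access. The `--live` path fetches the certificate that 42sisters.ai actually presents.

```shell
#!/bin/sh
# cert_expiry_check.sh -- the "SSL certificate expiry" item of the MONITORING list.
# Added example for SPEC_DNS_MANAGEMENT.md, not BRIDGEX code. Needs openssl; the
# --live path also needs network access.

ALERT_DAYS=14     # alert threshold from the MONITORING section

# cert_expires_within CERT.pem DAYS: succeed (exit 0) if the certificate expires
# within DAYS. `openssl x509 -checkend SECONDS` exits non-zero when the certificate
# will have expired SECONDS from now, so the sense is inverted here to read as an alert.
cert_expires_within() {
    cert="$1"; days="$2"
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null; then
        return 1   # still valid past the window: no alert
    fi
    return 0       # expires within the window (or already expired): alert
}

# cert_not_after CERT.pem: print the notAfter date for the alert message.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# fetch_leaf_cert HOST OUT.pem: save the certificate HOST:443 presents (needs network).
fetch_leaf_cert() {
    host="$1"; out="$2"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# live_check [HOST]: one monitoring cycle; exit 1 on an expiry alert, 2 if unreachable.
live_check() {
    host="${1:-42sisters.ai}"
    tmp="$(mktemp)"
    if ! fetch_leaf_cert "$host" "$tmp"; then
        echo "ALERT: could not fetch certificate for $host (HTTPS down?)"
        rm -f "$tmp"; return 2
    fi
    if cert_expires_within "$tmp" "$ALERT_DAYS"; then
        echo "ALERT: $host certificate expires $(cert_not_after "$tmp") (<${ALERT_DAYS}d): check that Caddy is running and renewing"
        rm -f "$tmp"; return 1
    fi
    echo "OK: $host certificate valid until $(cert_not_after "$tmp")"
    rm -f "$tmp"
}

case "${1:-}" in --live) live_check "$2" ;; esac
```

Until BRIDGEX exists this is a one-line cron entry; the non-zero exit on alert is what an escalation hook (P1 per SPEC_MONITORING_ESCALATION.md) would key on.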
DISASTER SCENARIOS
Scenario 1 — Domain expires (renewal failed)
- Grace period (usually 30 days): renew at standard price
- Redemption period: renew at penalty price ($80-200)
- Released to auction: attempt to buy back — may be expensive or impossible
- Prevention: auto-renew ON + payment method current + 30-day CRONX reminder
Scenario 2 — DNS records corrupted or deleted
- Restore from documented records in this spec
- Log in to GoDaddy, re-enter records
- Propagation: 1-4 hours
- Prevention: screenshot DNS records quarterly → `~/dns_backups/`
Scenario 3 — GoDaddy account compromised
- Contact GoDaddy support immediately. Prove domain ownership. Request account recovery
- Enable domain lock if not already active
- Prevention: 2FA, strong password, recovery email current, quarterly credential review
Scenario 4 — Caddy SSL failure
- `systemctl restart caddy` → check Caddy logs
- Verify Let's Encrypt rate limits not exceeded (5 certs/domain/week)
- If persistent: manually provision via certbot as backup
- Prevention: Caddy systemd with `Restart=always` + BRIDGEX monitoring
INVARIANTS
INV-01: Auto-renew is ON for all domains. Verified quarterly. A lapsed domain is a lost brand.
INV-02: GoDaddy has 2FA enabled. Treated as critical credential per SPEC_KEY_ROTATION.md.
INV-03: Every DNS change is documented: before screenshot, after screenshot, verification, log entry in ~/dns_changes.log.
INV-04: TTL lowered to 300 at least 48 hours before any migration. Restored to 3600 after verification.
INV-05: MX/SPF/DKIM/DMARC records are never modified without testing email delivery afterward.
INV-06: Domain records backed up quarterly in ~/dns_backups/ as screenshots or exported zone files.
INV-07: SSL certificates are auto-managed by Caddy. If Caddy dies, monitoring catches it within 24 hours.
INV-08: WHOIS privacy is ON. The Captain's home address is never publicly associated with the domain.
INTEGRATION
| System | Relationship |
|---|---|
| SPEC_VPS_MIGRATION.md | A record updates on migration. TTL lowered pre-migration (INV-04). 42sisters.ai/press, /privacy, etc. follow the server. |
| SPEC_BACKUP_RECOVERY.md | DNS records documented here are the restore source for Scenario 2. ~/dns_backups/ backed up to GCS. |
| SPEC_SECURITY_AUDIT_SCHEDULE.md | Monthly check: DNS resolves correctly, SSL valid, renewal dates verified. Quarterly: full domain security review. |
| SPEC_MONITORING_ESCALATION.md | Caddy SSL expiry <14 days = P1. Domain expiry <30 days = P1. DNS resolution failure = P0. |
| SPEC_KEY_ROTATION.md | GoDaddy credentials are on the rotation schedule. 2FA quarterly review. |
| VOICEX | MX records are VOICEX's delivery infrastructure. Broken MX = broken voice. |
Jeremy Zlabis
Chronogeometer · Visionary · Disruptor · Chief
42 Sisters AI · East York, Toronto
🍁 Φ 0.042