Google Cloud DNS
Last updated: 2026-06-22
This folder stores read-only inventory snapshots and notes for Google Cloud DNS.
The service account JSON key is not stored here; keep it under:
tools/google-cloud-dns/.secrets/codex-cloud-dns.json
Capture Inventory
After placing the JSON key, protect it:
powershell -NoProfile -ExecutionPolicy Bypass -File .\tools\google-cloud-dns\Protect-GoogleCloudDnsCredential.ps1
Then capture the current Cloud DNS zones and records:
powershell -NoProfile -ExecutionPolicy Bypass -File .\tools\google-cloud-dns\Capture-GoogleCloudDnsInventory.ps1
Snapshots are written to:
google-cloud-dns/inventory/snapshots/
Recommended Public Records
The current reviewed recommendation has been applied: use explicit public
service records instead of a broad wildcard. Re-check the intended shape:
powershell -NoProfile -ExecutionPolicy Bypass -File .\tools\google-cloud-dns\Set-GoogleCloudDnsRecommendedRecords.ps1
Re-apply/enforce the change if drift is found:
powershell -NoProfile -ExecutionPolicy Bypass -File .\tools\google-cloud-dns\Set-GoogleCloudDnsRecommendedRecords.ps1 -Apply
The script can be used to add/normalize explicit service CNAMEs such as:
- Adds/normalizes overseerr.ravick5.com. CNAME internal.ravick5.com.
- Adds/normalizes seerr.ravick5.com. CNAME internal.ravick5.com.
- Adds/normalizes requests.ravick5.com. CNAME internal.ravick5.com.
- Removes *.ravick5.com. CNAME internal.ravick5.com.
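An offline check for the record shape listed above, as an added example that is not one of this repository's scripts: it flags any wildcard record and any of the three explicit CNAMEs that is missing or points somewhere other than internal.ravick5.com. The function name `Test-DnsRecordShape` and the sample record sets are constructed here, and the input is assumed to be in the JSON shape printed by `gcloud dns record-sets list --format=json` (name, type, ttl, rrdatas).

```powershell
# CONSTRUCTED sample input, not a real snapshot. It deliberately contains a
# wildcard and omits requests.ravick5.com. so that the check reports drift.
$SampleJson = @'
[
  {"name":"internal.ravick5.com.",  "type":"A",     "ttl":300, "rrdatas":["192.0.2.10"]},
  {"name":"overseerr.ravick5.com.", "type":"CNAME", "ttl":300, "rrdatas":["internal.ravick5.com."]},
  {"name":"seerr.ravick5.com.",     "type":"CNAME", "ttl":300, "rrdatas":["www.ravick5.com."]},
  {"name":"*.ravick5.com.",         "type":"CNAME", "ttl":300, "rrdatas":["internal.ravick5.com."]}
]
'@

# Hypothetical helper (name chosen for this example).
function Test-DnsRecordShape {
    param(
        [Parameter(Mandatory)] [object[]] $RecordSets,
        [string[]] $ExpectedNames = @('overseerr.ravick5.com.',
                                      'seerr.ravick5.com.',
                                      'requests.ravick5.com.'),
        [string] $Target = 'internal.ravick5.com.'
    )
    $findings = @()

    # A wildcard owner name answers for every unlisted hostname, so any
    # record set whose name starts with "*." counts as drift.
    $wildcards = @($RecordSets | Where-Object { $_.name.StartsWith('*.') })
    foreach ($rr in $wildcards) {
        $findings += [pscustomobject]@{ Name = $rr.name; Issue = "wildcard $($rr.type) record present" }
    }

    # Each expected service name must be a CNAME with exactly one target.
    foreach ($name in $ExpectedNames) {
        $rr = $RecordSets | Where-Object { $_.name -eq $name -and $_.type -eq 'CNAME' } |
              Select-Object -First 1
        if (-not $rr) {
            $findings += [pscustomobject]@{ Name = $name; Issue = 'explicit CNAME missing' }
        } elseif (@($rr.rrdatas).Count -ne 1 -or @($rr.rrdatas)[0] -ne $Target) {
            $findings += [pscustomobject]@{ Name = $name; Issue = "CNAME target is not $Target" }
        }
    }
    return $findings
}

$records  = $SampleJson | ConvertFrom-Json
$findings = @(Test-DnsRecordShape -RecordSets $records)
$findings | Format-Table -AutoSize
"Findings: $($findings.Count)"
```

An empty result means the record sets match the reviewed shape; this check only reads data and needs nothing beyond the DNS Reader role to obtain its input.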
Access Model
Start with the DNS Reader role for safe inventory capture. Upgrade to
DNS Administrator only when we are ready to apply record changes.
DNSSEC
DNSSEC was reviewed on 2026-06-13. The ravick5.com. public managed zone is
currently unsigned:
dnssecConfig.state: off
Recommendation: enable DNSSEC, but only as a coordinated DNS change that also
publishes Google Cloud DNS DS records at the domain registrar.
Runbook:
google-cloud-dns/DNSSEC_PLAN.md
Current Snapshot Notes
Reconciliation note from 2026-06-22: latest Cloud DNS snapshot is
google-cloud-dns/inventory/snapshots/20260621-113009; record shape still uses
explicit service records rather than a wildcard.
Latest reviewed snapshot:
google-cloud-dns/inventory/snapshots/20260621-113009
Observed managed zone:
Project: ravick5-217115
Zone: ravick5
DNS name: ravick5.com.
Visibility: public
Current records of note:
| Name | Type | Target |
| --- | --- | --- |
| ravick5.com. | A | 47.204.57.28 |
| internal.ravick5.com. | A | 47.204.57.28 |
| www.ravick5.com. | CNAME | internal.ravick5.com. |
| overseerr.ravick5.com. | CNAME | internal.ravick5.com. |
| seerr.ravick5.com. | CNAME | internal.ravick5.com. |
| requests.ravick5.com. | CNAME | internal.ravick5.com. |
| audiobooks.ravick5.com. | CNAME | internal.ravick5.com. |
| books.ravick5.com. | CNAME | internal.ravick5.com. |