[api] restore DKIM, SPF, DMARC, DS, DNSKEY in v1alpha3 Domain DNS types

Reverts 3eeae11 and adds documentation explaining what each type
actually represents: DKIM/SPF/DMARC are TXT records under specific
naming conventions, DS/DNSKEY are DNSSEC types. Keeping them as
distinct fields improves UX via format validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dilyevsky

api/core/v1alpha/domain_conversion.go

@@ -90,6 +90,24 @@ func convertDomainTargetDNSToV1Alpha3(in *DomainTargetDNS) *v1alpha3.DomainTarge
 			TTL:    in.TTL,
 		}
 	}
+	if len(in.DKIM) > 0 {
+		out.DKIM = &v1alpha3.DNSDKIMRecords{
+			Values: in.DKIM,
+			TTL:    in.TTL,
+		}
+	}
+	if len(in.SPF) > 0 {
+		out.SPF = &v1alpha3.DNSSPFRecords{
+			Values: in.SPF,
+			TTL:    in.TTL,
+		}
+	}
+	if len(in.DMARC) > 0 {
+		out.DMARC = &v1alpha3.DNSDMARCRecords{
+			Values: in.DMARC,
+			TTL:    in.TTL,
+		}
+	}
 	if len(in.CAA) > 0 {
 		out.CAA = &v1alpha3.DNSCAARecords{
 			Values: in.CAA,
@@ -108,6 +126,19 @@ func convertDomainTargetDNSToV1Alpha3(in *DomainTargetDNS) *v1alpha3.DomainTarge
 			TTL:         in.TTL,
 		}
 	}
+	if len(in.DS) > 0 {
+		out.DS = &v1alpha3.DNSDSRecords{
+			Values: in.DS,
+			TTL:    in.TTL,
+		}
+	}
+	if len(in.DNSKEY) > 0 {
+		out.DNSKEY = &v1alpha3.DNSDNSKEYRecords{
+			Values: in.DNSKEY,
+			TTL:    in.TTL,
+		}
+	}
+
 	return out
 }
 
@@ -144,6 +175,24 @@ func convertDomainTargetDNSFromV1Alpha3(in *v1alpha3.DomainTargetDNS) *DomainTar
 			firstTTL = in.MX.TTL
 		}
 	}
+	if in.DKIM != nil {
+		out.DKIM = in.DKIM.Values
+		if firstTTL == nil {
+			firstTTL = in.DKIM.TTL
+		}
+	}
+	if in.SPF != nil {
+		out.SPF = in.SPF.Values
+		if firstTTL == nil {
+			firstTTL = in.SPF.TTL
+		}
+	}
+	if in.DMARC != nil {
+		out.DMARC = in.DMARC.Values
+		if firstTTL == nil {
+			firstTTL = in.DMARC.TTL
+		}
+	}
 	if in.CAA != nil {
 		out.CAA = in.CAA.Values
 		if firstTTL == nil {
@@ -162,6 +211,19 @@ func convertDomainTargetDNSFromV1Alpha3(in *v1alpha3.DomainTargetDNS) *DomainTar
 			firstTTL = in.NS.TTL
 		}
 	}
+	if in.DS != nil {
+		out.DS = in.DS.Values
+		if firstTTL == nil {
+			firstTTL = in.DS.TTL
+		}
+	}
+	if in.DNSKEY != nil {
+		out.DNSKEY = in.DNSKEY.Values
+		if firstTTL == nil {
+			firstTTL = in.DNSKEY.TTL
+		}
+	}
+
 	out.TTL = firstTTL
 	return out
 }

api/core/v1alpha2/domain_conversion.go

@@ -95,6 +95,24 @@ func convertDomainTargetDNSToV1Alpha3(in *DomainTargetDNS, target *DomainTargetS
 			TTL:    in.TTL,
 		}
 	}
+	if len(in.DKIM) > 0 {
+		out.DKIM = &v1alpha3.DNSDKIMRecords{
+			Values: in.DKIM,
+			TTL:    in.TTL,
+		}
+	}
+	if len(in.SPF) > 0 {
+		out.SPF = &v1alpha3.DNSSPFRecords{
+			Values: in.SPF,
+			TTL:    in.TTL,
+		}
+	}
+	if len(in.DMARC) > 0 {
+		out.DMARC = &v1alpha3.DNSDMARCRecords{
+			Values: in.DMARC,
+			TTL:    in.TTL,
+		}
+	}
 	if len(in.CAA) > 0 {
 		out.CAA = &v1alpha3.DNSCAARecords{
 			Values: in.CAA,
@@ -113,6 +131,19 @@ func convertDomainTargetDNSToV1Alpha3(in *DomainTargetDNS, target *DomainTargetS
 			TTL:         in.TTL,
 		}
 	}
+	if len(in.DS) > 0 {
+		out.DS = &v1alpha3.DNSDSRecords{
+			Values: in.DS,
+			TTL:    in.TTL,
+		}
+	}
+	if len(in.DNSKEY) > 0 {
+		out.DNSKEY = &v1alpha3.DNSDNSKEYRecords{
+			Values: in.DNSKEY,
+			TTL:    in.TTL,
+		}
+	}
+
 	return out
 }
 
@@ -152,6 +183,24 @@ func convertDomainTargetDNSFromV1Alpha3(in *v1alpha3.DomainTargetDNS) *DomainTar
 			firstTTL = in.MX.TTL
 		}
 	}
+	if in.DKIM != nil {
+		out.DKIM = in.DKIM.Values
+		if firstTTL == nil {
+			firstTTL = in.DKIM.TTL
+		}
+	}
+	if in.SPF != nil {
+		out.SPF = in.SPF.Values
+		if firstTTL == nil {
+			firstTTL = in.SPF.TTL
+		}
+	}
+	if in.DMARC != nil {
+		out.DMARC = in.DMARC.Values
+		if firstTTL == nil {
+			firstTTL = in.DMARC.TTL
+		}
+	}
 	if in.CAA != nil {
 		out.CAA = in.CAA.Values
 		if firstTTL == nil {
@@ -170,6 +219,19 @@ func convertDomainTargetDNSFromV1Alpha3(in *v1alpha3.DomainTargetDNS) *DomainTar
 			firstTTL = in.NS.TTL
 		}
 	}
+	if in.DS != nil {
+		out.DS = in.DS.Values
+		if firstTTL == nil {
+			firstTTL = in.DS.TTL
+		}
+	}
+	if in.DNSKEY != nil {
+		out.DNSKEY = in.DNSKEY.Values
+		if firstTTL == nil {
+			firstTTL = in.DNSKEY.TTL
+		}
+	}
+
 	out.TTL = firstTTL
 	return out
 }

api/core/v1alpha3/domain_types.go

@@ -137,6 +137,50 @@ type DNSMXRecords struct {
 	TTL *int32 `json:"ttl,omitempty"`
 }
 
+// DNSDKIMRecords holds DKIM (DomainKeys Identified Mail) values with an optional per-record TTL.
+// Stored as TXT records under <selector>._domainkey.<domain>.
+// Values should be DKIM public key records (e.g. "v=DKIM1; k=rsa; p=...").
+type DNSDKIMRecords struct {
+	// Values is the list of DKIM record values.
+	// +kubebuilder:validation:MinItems=1
+	Values []string `json:"values"`
+
+	// TTL is the time-to-live for this record type.
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=3600
+	// +optional
+	TTL *int32 `json:"ttl,omitempty"`
+}
+
+// DNSSPFRecords holds SPF (Sender Policy Framework) values with an optional per-record TTL.
+// Stored as TXT records. Values should follow SPF syntax (e.g. "v=spf1 include:_spf.google.com ~all").
+type DNSSPFRecords struct {
+	// Values is the list of SPF record values.
+	// +kubebuilder:validation:MinItems=1
+	Values []string `json:"values"`
+
+	// TTL is the time-to-live for this record type.
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=3600
+	// +optional
+	TTL *int32 `json:"ttl,omitempty"`
+}
+
+// DNSDMARCRecords holds DMARC (Domain-based Message Authentication, Reporting & Conformance) values
+// with an optional per-record TTL. Stored as TXT records under _dmarc.<domain>.
+// Values should follow DMARC syntax (e.g. "v=DMARC1; p=reject; rua=mailto:...").
+type DNSDMARCRecords struct {
+	// Values is the list of DMARC record values.
+	// +kubebuilder:validation:MinItems=1
+	Values []string `json:"values"`
+
+	// TTL is the time-to-live for this record type.
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=3600
+	// +optional
+	TTL *int32 `json:"ttl,omitempty"`
+}
+
 // DNSCAARecords holds CAA record values with an optional per-record TTL.
 type DNSCAARecords struct {
 	// Values is the list of CAA record values.
@@ -176,6 +220,34 @@ type DNSNSRecords struct {
 	TTL *int32 `json:"ttl,omitempty"`
 }
 
+// DNSDSRecords holds DS (Delegation Signer) records for DNSSEC chain of trust,
+// with an optional per-record TTL. Values should be DS record data (e.g. "12345 8 2 <digest>").
+type DNSDSRecords struct {
+	// Values is the list of DS record values.
+	// +kubebuilder:validation:MinItems=1
+	Values []string `json:"values"`
+
+	// TTL is the time-to-live for this record type.
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=3600
+	// +optional
+	TTL *int32 `json:"ttl,omitempty"`
+}
+
+// DNSDNSKEYRecords holds DNSKEY records for DNSSEC, with an optional per-record TTL.
+// Values should be DNSKEY record data (e.g. "257 3 8 <base64-encoded-key>").
+type DNSDNSKEYRecords struct {
+	// Values is the list of DNSKEY record values.
+	// +kubebuilder:validation:MinItems=1
+	Values []string `json:"values"`
+
+	// TTL is the time-to-live for this record type.
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=3600
+	// +optional
+	TTL *int32 `json:"ttl,omitempty"`
+}
+
 type DomainTargetDNS struct {
 	// IPs holds A/AAAA record addresses.
 	// Cannot be set with FQDN.
@@ -195,6 +267,23 @@ type DomainTargetDNS struct {
 	// +optional
 	MX *DNSMXRecords `json:"mx,omitempty"`
 
+	// DKIM holds DKIM (DomainKeys Identified Mail) values.
+	// Stored as TXT records under <selector>._domainkey.<domain>.
+	// Values should be DKIM public key records (e.g. "v=DKIM1; k=rsa; p=...").
+	// +optional
+	DKIM *DNSDKIMRecords `json:"dkim,omitempty"`
+
+	// SPF holds SPF (Sender Policy Framework) values.
+	// Stored as TXT records. Values should follow SPF syntax (e.g. "v=spf1 include:_spf.google.com ~all").
+	// +optional
+	SPF *DNSSPFRecords `json:"spf,omitempty"`
+
+	// DMARC holds DMARC (Domain-based Message Authentication, Reporting & Conformance) values.
+	// Stored as TXT records under _dmarc.<domain>.
+	// Values should follow DMARC syntax (e.g. "v=DMARC1; p=reject; rua=mailto:...").
+	// +optional
+	DMARC *DNSDMARCRecords `json:"dmarc,omitempty"`
+
 	// CAA holds Certification Authority Authorization record values.
 	// +optional
 	CAA *DNSCAARecords `json:"caa,omitempty"`
@@ -207,6 +296,15 @@ type DomainTargetDNS struct {
 	// +optional
 	NS *DNSNSRecords `json:"ns,omitempty"`
 
+	// DS holds DS (Delegation Signer) records for DNSSEC chain of trust.
+	// Values should be DS record data (e.g. "12345 8 2 <digest>").
+	// +optional
+	DS *DNSDSRecords `json:"ds,omitempty"`
+
+	// DNSKEY holds DNSKEY records for DNSSEC.
+	// Values should be DNSKEY record data (e.g. "257 3 8 <base64-encoded-key>").
+	// +optional
+	DNSKEY *DNSDNSKEYRecords `json:"dnskey,omitempty"`
 }
 
 type DomainTLSSpec struct {
@@ -557,6 +655,41 @@ func getDomainRows(domain *Domain) []domainRow {
 				ttl:   resolveTTL(dns.CAA.TTL),
 			})
 		}
+		if dns.DKIM != nil && len(dns.DKIM.Values) > 0 {
+			rows = append(rows, domainRow{
+				typ:   "DNS:DKIM",
+				value: formatMultiValue(dns.DKIM.Values, 30),
+				ttl:   resolveTTL(dns.DKIM.TTL),
+			})
+		}
+		if dns.SPF != nil && len(dns.SPF.Values) > 0 {
+			rows = append(rows, domainRow{
+				typ:   "DNS:SPF",
+				value: formatMultiValue(dns.SPF.Values, 30),
+				ttl:   resolveTTL(dns.SPF.TTL),
+			})
+		}
+		if dns.DMARC != nil && len(dns.DMARC.Values) > 0 {
+			rows = append(rows, domainRow{
+				typ:   "DNS:DMARC",
+				value: formatMultiValue(dns.DMARC.Values, 30),
+				ttl:   resolveTTL(dns.DMARC.TTL),
+			})
+		}
+		if dns.DS != nil && len(dns.DS.Values) > 0 {
+			rows = append(rows, domainRow{
+				typ:   "DNS:DS",
+				value: formatMultiValue(dns.DS.Values, 30),
+				ttl:   resolveTTL(dns.DS.TTL),
+			})
+		}
+		if dns.DNSKEY != nil && len(dns.DNSKEY.Values) > 0 {
+			rows = append(rows, domainRow{
+				typ:   "DNS:DNSKEY",
+				value: formatMultiValue(dns.DNSKEY.Values, 30),
+				ttl:   resolveTTL(dns.DNSKEY.TTL),
+			})
+		}
 	}
 
 	if len(rows) == 0 {