DNS (UDP/53) can't route via a shared gateway yet (no UDPRoute), so the
service needs its own LoadBalancer address instead of a pool-assigned one.
- pin purelb.io/addresses 198.18.200.8 (common pool); move service-group dmz -> common
Adds the external-dns tier (authoritative cluster whose zones accept
RFC2136 TSIG updates) + its TSIG key. Stacked on the bind-operator deploy
so the CRDs and kubeconform schemas are present; merge the operator PR
first.
- add apps/base/binddns-externaldns and its au-syd1 overlay