Add rstream.io.tunnels template

[uartnet]

Description

New Domain Connect template for rstream tunnels.

The template provisions two DNS records to route a custom subdomain to a customer's rstream cluster:

• CNAME on the chosen host, pointing to the customer's rstream cluster edge (%cluster%).
• TXT at _rstream-verify carrying the ownership token (rstream-verify=%verifytoken%) that the rstream backend reads to confirm the domain belongs to the user before activating it.

Synchronous flow, RSA-SHA256 signed. Public key published as TXT at _dck1.rstream.io. syncRedirectDomain is set because the service uses redirect_uri to send the user back to the rstream dashboard after apply.

This template covers subdomains only. hostRequired: true signals to providers that the template is not intended to be applied without a host parameter. The technical reason is that the rstream cluster edge is currently exposed only as a CNAME target, and a CNAME record at the apex is not portable across DNS providers. Apex customers are guided through a manual ALIAS/ANAME flow in the rstream dashboard instead. Apex may become a separate template in the future once a stable anchor IP (A/AAAA) or an APEXCNAME-compatible target is available.

Type of change

• New template
• Bug fix
• New feature
• Breaking change

How Has This Been Tested?

• Template functionality checked using the Online Editor
• File name follows <providerId>.<serviceId>.json (rstream.io.tunnels.json)
• logoUrl resource is served (https://rstream.io/images/brand/rstream-logo-square-light.svg)

Checklist of common problems

• syncPubKeyDomain is set (rstream.io)
• warnPhishing is not set
• syncRedirectDomain is set (rstream.io)
• No TXT record carries SPF content
• txtConflictMatchingMode: Prefix is set on the TXT record with txtConflictMatchingPrefix: "rstream-verify=" so re-applies replace the previous token
• No variable is used as a bare full record value — TXT data is prefixed with rstream-verify=
• No bare variable is used as a full host label — host is @ or _rstream-verify
• No variable in host is used to target a subdomain — handled via the protocol host parameter (hostRequired: true)
• %host% does not appear in any host attribute
• essential is intentionally not set — both records are service-managed and must not be edited manually

Online Editor test results

Editor test link(s):
Test rstream.io/tunnels example.com/api

[github-actions]

PR Description Check Passed

All required sections are filled in correctly.

Details

  OK  Type of change: 1/4 checkboxes ticked
  OK  How Has This Been Tested?: all 3 checkboxes ticked
  OK  Checklist of common problems: 10/10 checkboxes ticked
  OK  Online Editor test results: 1 link(s) found
  OK  Template coverage: all 1 template(s) covered
Labels to remove: Checklist of common problems not complete, Forged editor links, PR description incomplete, Test links missing

PR description check PASSED

[github-actions]

✅ JSON Filename Check Passed

[github-actions]

✅ JSON Schema Validation Passed

[github-actions]

Linter OK

rstream.io.tunnels.json

Level	Code	Note
info	DCTL1021	missing from iana definitions