feat(infra): route dns preflight through flowercore dns

apps/fc-distribution/README.md

@@ -15,14 +15,28 @@ Root CA` as the trust anchor; per-edition leaf signing material lives in
 
 ## Deployment order (do NOT skip / reorder)
 
-### 1. pfSense Unbound DNS — DONE 2026-04-23
+### 1. FlowerCore.DNS preflight — VERIFIED 2026-04-23
 
-`dist.iamworkin.lan -> 10.0.56.200` was added to pfSense Unbound out of band.
-Verify before push:
+`dist.iamworkin.lan` already resolves to `10.0.56.200`, but keep the
+FlowerCore.DNS preflight green before push:
 
 ```bash
-nslookup dist.iamworkin.lan 10.0.56.1   # expect 10.0.56.200
+curl -sk "https://dns.iamworkin.lan/api/v1/zones/iamworkin.lan/resolve-preflight?hostname=dist.iamworkin.lan"
+# Expect: "resolvable": true
+
 python bluejay-infra/scripts/check-pfsense-dns.py
+# Historical filename retained; implementation now calls FlowerCore.DNS
+# resolve-preflight instead of raw resolver lookups.
+```
+
+If the record ever disappears, recreate it through FlowerCore.DNS before
+push/apply:
+
+```bash
+curl -sk https://dns.iamworkin.lan/api/v1/servers
+curl -sk -X POST https://dns.iamworkin.lan/api/v1/servers/<serverId>/zones/iamworkin.lan/records \
+  -H "Content-Type: application/json" \
+  -d '{"name":"dist","type":"A","data":"10.0.56.200","ttl":300}'
 ```
 
 If this is missing, cert-manager HTTP-01 will silently back off ~2h. See