## updating standard resource records
-For most zones, the hidden primary DNS server is denis, with ravel,
-klecker and orff being the public-facing secondary DNS servers.
+For most zones, the hidden primary DNS server is denis, with RcodeZero, Netnod
+and easyDNS providing public-facing secondary servers.
Zone files are managed via a [git repository][1]. Pushing commits into the git
repository will invoke a post-commit hook that causes the recompilation and
## updating DNSSEC records
-TODO
+When nagios complains about impending DS expiry, find the new key in
+/srv/dns.debian.org/var/keys/$zone/dsset and add it at the registrar's (gandi).
+Leave the old one in place for a day or so, after checking that dnsviz.net is
+happy with the new key. For the debian.org and 29.172.in-addr.arpa zones, also
+update the trust anchors in puppet.
[1]: ssh://git@ubergit.debian.org/dsa/domains
[2]: ssh://git@ubergit.debian.org/dsa/auto-dns