-# debian.org DNS
+# how to update DNS resource records
-For most zones the hidden primary is samosa, with rietz, raff and klecker
-being the public facing secondaries.
+## updating standard resource records
-Domain information lives in a git on samosa, and pushing to it will cause
-the zone to be compiled and reloaded automatically. Repository lives at
-ssh://db.debian.org/git/domains.git - public read only mirror available
-using http.
+For most zones, the hidden primary DNS server is denis, with ravel, senfl,
+klecker and orff being the public-facing secondary DNS servers.
-Some subdomains (and when I say subdomains, I really only mean www) are
-served by the geodns setup on geo1, 2, and 3. They have a seperate repo
-ssh://db.debian.org/git/geodomains.git and an entirely seperate workflow.
+Zone files are managed via a [git repository][1]. Pushing commits into the git
+repository will invoke a post-commit hook that causes the recompilation and
+reload of the zone files.
-At least it's consistent.
+Some subdomains (specifically www.debian.org and security.debian.org) are
+served by the autodns/geodns setup on geo{1,2,3}. Their zone files are managed
+by a separate [git repository][2].
+
+## updating DNSSEC records
+
+TODO
+
+[1]: ssh://git@ubergit.debian.org/dsa/domains
+[2]: ssh://git@ubergit.debian.org/dsa/auto-dns