X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=input%2Fhowto%2Fdns.mdwn;h=41a8de673e1d71b00252354b8f9117520fea722e;hb=f55f6d8abaa34259c955131f7c1464babe58b6b4;hp=48995d8d6f8acb572308bf221b611ce60b83e324;hpb=131b80ab1d7e441788b6f74e2fe3d8ff8ebd7d1f;p=mirror%2Fdsa-wiki.git diff --git a/input/howto/dns.mdwn b/input/howto/dns.mdwn index 48995d8..41a8de6 100644 --- a/input/howto/dns.mdwn +++ b/input/howto/dns.mdwn @@ -1,9 +1,25 @@ -# debian.org DNS +# how to update DNS resource records -For most zones the hidden primary is samosa, with rietz, raff and klecker -being the public facing secondaries. +## updating standard resource records -Domain information lives in a git on samosa, and pushing to it will cause -the zone to be compiled and reloaded automatically. Repository lives at -ssh://db.debian.org/git/domains.git - public read only mirror available -using http. +For most zones, the hidden primary DNS server is denis, with RcodeZero, Netnod +and easyDNS providing public-facing secondary servers. + +Zone files are managed via a [git repository][1]. Pushing commits into the git +repository will invoke a post-commit hook that causes the recompilation and +reload of the zone files. + +Some subdomains (specifically www.debian.org and security.debian.org) are +served by the autodns/geodns setup on geo{1,2,3}. Their zone files are managed +by a separate [git repository][2]. + +## updating DNSSEC records + +When nagios complains about impending DS expiry, find the new key in +/srv/dns.debian.org/var/keys/$zone/dsset and add it at the registrar's (gandi). +Leave the old one in place for a day or so, after checking that dnsviz.net is +happy with the new key. For the debian.org and 29.172.in-addr.arpa zones, also +update the trust anchors in puppet. + +[1]: ssh://git@ubergit.debian.org/dsa/domains +[2]: ssh://git@ubergit.debian.org/dsa/auto-dns
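Review bot: In the "updating DNSSEC records" paragraph, the DS rollover is written as one loosely ordered sentence and stops short of the last step. "Leave the old one in place for a day or so, after checking that dnsviz.net is happy with the new key" does not make clear whether the dnsviz.net check comes before the waiting period or ends it, and nothing tells the reader to remove the old DS at the registrar afterwards. Suggest a short numbered list: add the new DS, check dnsviz.net, wait, remove the old DS, update the puppet trust anchors for debian.org and 29.172.in-addr.arpa. Also name the host that holds /srv/dns.debian.org/var/keys/$zone/dsset, since the path alone is not enough for someone following the howto. In the paragraph on the git repository, "post-commit hook" does not match an action triggered by a push: git runs post-commit locally after a commit, while a push triggers the server-side receive hooks, so "post-receive hook" or simply "a server-side hook" would be accurate. The rewrite also drops the old sentence about a public read-only mirror. If one still exists for the domains repository, keep a pointer to it next to the ssh:// links.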