-# debian.org DNS
+# how to update DNS resource records
-For most zones the hidden primary is draghi, with ravel, senfl, klecker
-and orff being the public facing secondaries.
+## updating standard resource records
-Domain information lives in a git on draghi, and pushing to it will cause
-the zone to be compiled and reloaded automatically. Repository lives at
-ssh://db.debian.org/git/domains.git - public read only mirror available
-using http.
+For most zones, the hidden primary DNS server is denis, with RcodeZero, Netnod
+and easyDNS providing public-facing secondary servers.
-Some subdomains (and when I say subdomains, I really only mean www) are
-served by the geodns setup on geo1, 2, and 3. They have a seperate repo
-ssh://db.debian.org/git/geodomains.git and an entirely seperate workflow.
+Zone files are managed via a [git repository][1]. Pushing commits into the git
+repository will invoke a post-commit hook that causes the recompilation and
+reload of the zone files.
-At least it's consistent.
+Some subdomains (specifically www.debian.org and security.debian.org) are
+served by the autodns/geodns setup on geo{1,2,3}. Their zone files are managed
+by a separate [git repository][2].
-Adding DNSSEC KSK and ZSK for zones is done by running
-/srv/dns.debian.org/bin/maintkeydb with the following options:
+## updating DNSSEC records
-./bin/maintkeydb create both NSEC3RSASHA1 default your.ip6.arpa
+When nagios complains about impending DS expiry, find the new key in
+/srv/dns.debian.org/var/keys/$zone/dsset and add it at the registrar's (gandi).
+Leave the old one in place for a day or so, after checking that dnsviz.net is
+happy with the new key. For the debian.org and 29.172.in-addr.arpa zones, also
+update the trust anchors in puppet.
-Use RSASHA1 instead of NSEC3RSASHA1 for IPv4 address space.
-
-After that a "; wzf: dnssec = 1" needs to be added to the zone file.
+[1]: ssh://git@ubergit.debian.org/dsa/domains
+[2]: ssh://git@ubergit.debian.org/dsa/auto-dns
projects / mirror / dsa-wiki.git / blobdiff