dsa-wiki.git / commitdiff (parent: 3eabf06)
Add some doc for DNSSEC key rollover
author Julien Cristau <jcristau@mozilla.com> Thu, 30 Mar 2017 09:33:25 +0000 (11:33 +0200)
committer Julien Cristau <jcristau@mozilla.com> Thu, 30 Mar 2017 09:34:15 +0000 (11:34 +0200)
input/howto/dns.mdwn
diff --git
a/input/howto/dns.mdwn
b/input/howto/dns.mdwn
index
7fa1642
..
41a8de6
100644
(file)
--- a/
input/howto/dns.mdwn
+++ b/
input/howto/dns.mdwn
@@
-2,8
+2,8
@@
## updating standard resource records
## updating standard resource records
-For most zones, the hidden primary DNS server is denis, with
ravel,
-
klecker and orff being the public-facing secondary DNS
servers.
+For most zones, the hidden primary DNS server is denis, with
RcodeZero, Netnod
+
and easyDNS providing public-facing secondary
servers.
Zone files are managed via a [git repository][1]. Pushing commits into the git
repository will invoke a post-commit hook that causes the recompilation and
Zone files are managed via a [git repository][1]. Pushing commits into the git
repository will invoke a post-commit hook that causes the recompilation and
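Review bot: In the rewritten sentence ("RcodeZero, Netnod and easyDNS providing public-facing secondary servers") the secondaries are now named by provider instead of by host, so the page no longer tells the reader which name servers to query when checking that a pushed change has propagated. Consider adding a pointer to where the current NS set and the zone-transfer setup for these providers are documented. Minor wording: the old text said "secondary DNS servers" and the new text drops "DNS".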
@@
-15,7
+15,11
@@
by a separate [git repository][2].
## updating DNSSEC records
## updating DNSSEC records
-TODO
+When nagios complains about impending DS expiry, find the new key in
+/srv/dns.debian.org/var/keys/$zone/dsset and add it at the registrar's (gandi).
+Leave the old one in place for a day or so, after checking that dnsviz.net is
+happy with the new key. For the debian.org and 29.172.in-addr.arpa zones, also
+update the trust anchors in puppet.
[1]: ssh://git@ubergit.debian.org/dsa/domains
[2]: ssh://git@ubergit.debian.org/dsa/auto-dns
[1]: ssh://git@ubergit.debian.org/dsa/domains
[2]: ssh://git@ubergit.debian.org/dsa/auto-dns
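Review bot: The new paragraph under "updating DNSSEC records" never states the final step: "Leave the old one in place for a day or so" implies the old DS is removed at the registrar afterwards, but neither the removal nor its condition is written down. Suggest making that step explicit, tying the wait to the TTL of the DS record at the parent rather than "a day or so", and rewording so the dnsviz.net check clearly happens before the waiting period starts. It would also help to say how to tell the new entry from the old one in /srv/dns.debian.org/var/keys/$zone/dsset, and where in puppet the trust anchors for debian.org and 29.172.in-addr.arpa live.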