From: Julien Cristau Date: Thu, 30 Mar 2017 09:33:25 +0000 (+0200) Subject: Add some doc for DNSSEC key rollover X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fdsa-wiki.git;a=commitdiff_plain;h=f55f6d8abaa34259c955131f7c1464babe58b6b4 Add some doc for DNSSEC key rollover --- diff --git a/input/howto/dns.mdwn b/input/howto/dns.mdwn index 7fa1642..41a8de6 100644 --- a/input/howto/dns.mdwn +++ b/input/howto/dns.mdwn @@ -2,8 +2,8 @@ ## updating standard resource records -For most zones, the hidden primary DNS server is denis, with ravel, -klecker and orff being the public-facing secondary DNS servers. +For most zones, the hidden primary DNS server is denis, with RcodeZero, Netnod +and easyDNS providing public-facing secondary servers. Zone files are managed via a [git repository][1]. Pushing commits into the git repository will invoke a post-commit hook that causes the recompilation and @@ -15,7 +15,11 @@ by a separate [git repository][2]. ## updating DNSSEC records -TODO +When nagios complains about impending DS expiry, find the new key in +/srv/dns.debian.org/var/keys/$zone/dsset and add it at the registrar's (gandi). +Leave the old one in place for a day or so, after checking that dnsviz.net is +happy with the new key. For the debian.org and 29.172.in-addr.arpa zones, also +update the trust anchors in puppet. [1]: ssh://git@ubergit.debian.org/dsa/domains [2]: ssh://git@ubergit.debian.org/dsa/auto-dns
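Review bot: in the first hunk (dns.mdwn, "updating standard resource records"), the secondaries change from Debian-run hosts to external providers, but the text does not say how those providers are fed (whether they are driven from the auto-dns repository referenced as [2], or configured by hand at each provider) or how transfers to them are restricted; a sentence such as "Secondary provider configuration is managed via [2]" or a pointer to where the provider accounts and transfer settings live would save the next admin a search.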
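Review bot: in the second hunk ("updating DNSSEC records"), "Leave the old one in place for a day or so" ties removal of the old DS to a fixed delay rather than to the condition that actually matters, which is that resolvers could still hold the old DS or the old DNSKEY set in cache; state it as "at least the parent's DS TTL plus propagation time after the new DS is published, and only once dnsviz.net shows both the new DS and the DNSKEY it matches as valid", and check dnsviz again immediately before removing the old DS, since pulling it early breaks validation for the whole zone. Two smaller points in the same hunk: the step should say how to confirm the entry taken from /srv/dns.debian.org/var/keys/$zone/dsset actually corresponds to the key being rolled (key tag and digest) before it is submitted to the registrar, and "update the trust anchors in puppet" gives no file or module name, so a reader cannot find the right place without asking.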