From 3ffe6f21540a5869803d6e4da6e8c7e67b796f14 Mon Sep 17 00:00:00 2001 From: Martin Zobel-Helas Date: Tue, 16 Feb 2010 22:49:12 +0100 Subject: [PATCH] adjust to reality --- input/howto/dns.mdwn | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/input/howto/dns.mdwn b/input/howto/dns.mdwn index f2e071f..0591ccf 100644 --- a/input/howto/dns.mdwn +++ b/input/howto/dns.mdwn @@ -1,9 +1,9 @@ # debian.org DNS -For most zones the hidden primary is samosa, with rietz, raff and klecker -being the public facing secondaries. +For most zones the hidden primary is draghi, with ravel, senfl, klecker +and orff being the public facing secondaries. -Domain information lives in a git on samosa, and pushing to it will cause +Domain information lives in a git on draghi, and pushing to it will cause the zone to be compiled and reloaded automatically. Repository lives at ssh://db.debian.org/git/domains.git - public read only mirror available using http. @@ -13,3 +13,12 @@ served by the geodns setup on geo1, 2, and 3. They have a seperate repo ssh://db.debian.org/git/geodomains.git and an entirely seperate workflow. At least it's consistent. + +Adding DNSSEC KSK and ZSK for zones is done by running +/srv/dns.debian.org/bin/maintkeydb with the following options: + +./bin/maintkeydb create both NSEC3RSASHA1 default your.ip6.arpa + +Use RSASHA1 instead of NSEC3RSASHA1 for IPv4 address space. + +After that a "; wzf: dnssec = 1" needs to be added to the zone file. -- 2.20.1
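Review bot: in the first hunk (@@ -1,9 +1,9 @@), the new wording says the domain git lives "on draghi" while the unchanged line right after it still gives the repository as ssh://db.debian.org/git/domains.git, so the page does not tell a reader whether pushing to that URL reaches the hidden primary or a different machine. Since this commit exists because the host names drifted, consider stating the relationship between db.debian.org and draghi in one sentence, or describing the push target only by the URL so the paragraph does not need another edit at the next host move. The same applies to the secondaries list: "For most zones" leaves open which zones are the exception, and a pointer to the geodns paragraph below would close that gap.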
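Review bot: in the second hunk (@@ -13,3 +13,12 @@), the DNSSEC instructions name the tool as /srv/dns.debian.org/bin/maintkeydb but then invoke it as "./bin/maintkeydb create both NSEC3RSASHA1 default your.ip6.arpa", which only works from /srv/dns.debian.org, and the text does not say on which host or as which user it has to be run. Please spell out the host and working directory, or use the absolute path in the example, and set the command off as an indented code line so it is not reflowed with the prose. The algorithm guidance is also incomplete as written: the example is an ip6.arpa zone, the follow-up sentence covers "IPv4 address space", and nothing says which algorithm applies to ordinary forward zones or why the reverse zones differ, so a short rationale and one more example would help. Finally, the procedure ends at adding "; wzf: dnssec = 1" to the zone file; if a DS record has to be handed to the parent zone after the KSK is created, that step should be documented here as well, and if it is handled automatically the text should say so.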