We occasionally need to regenerate the DNSSEC signing keys - usually ZSK (zone), rarely KSK (key). A rollover process is required but needs to be fleshed out into a formal runbook-type process, including notes about what we learned while fixing bug 872831.

https://mana.mozilla.org/wiki/display/SYSADMIN/DNSSEC

MarkMonitor change limits, rollover process requirements, how to validate published data, incomprehensible errors from dnssec-signzone, key expiration monitoring, key type validation (type 7), Comcast testing
Assignee: server-ops → server-ops-infra
Component: Server Operations → Server Operations: Infrastructure
QA Contact: shyam → jdow
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
We now use an external DNS provider and no longer have the need to maintain our own DNSSEC keys.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID