dnssec: document ZSK and KSK renewal/rollover process

RESOLVED INVALID

Status

Infrastructure & Operations
Infrastructure: DNS
4 years ago
4 years ago

People

(Reporter: atoll, Assigned: digi)

(Reporter)

Description

4 years ago
We occasionally need to regenerate the DNSSEC signing keys - usually ZSK (zone), rarely KSK (key). A rollover process is required [1] but needs to be fleshed out into a formal runbook-type process, including notes [2] about what we learned while fixing bug 872831.

[1] https://mana.mozilla.org/wiki/display/SYSADMIN/DNSSEC
[2] MarkMonitor change limits, rollover process requirements, how to validate published data, incomprehensible errors from dnssec-signzone, key expiration monitoring
(Reporter)

Comment 1

4 years ago
[2] key type validation (type 7), Comcast testing
Group: infra
Assignee: server-ops → server-ops-infra
Component: Server Operations → Server Operations: Infrastructure
QA Contact: shyam → jdow

Updated

4 years ago
Assignee: server-ops-infra → bhourigan
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations

Updated

4 years ago
Component: Infrastructure: Other → Infrastructure: DNS
(Assignee)

Comment 2

4 years ago
We now use an external DNS provider and no longer have the need to maintain our own DNSSEC keys.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INVALID