Bug 872884 - dnssec: document ZSK and KSK renewal/rollover process
Product: Infrastructure & Operations
Classification: Other
Component: Infrastructure: DNS
Assigned To: Brian Hourigan [:digi]
: Justin Dow [:jabba]
Blocks: 872818
Reported: 2013-05-15 21:22 PDT by Richard Soderberg [:atoll]
Modified: 2013-10-12 15:44 PDT


Description Richard Soderberg [:atoll] 2013-05-15 21:22:08 PDT
We occasionally need to regenerate the DNSSEC signing keys - usually ZSK (zone), rarely KSK (key). A rollover process is required [1] but needs to be fleshed out into a formal runbook-type process, including notes [2] about what we learned while fixing bug 872831.

[2] MarkMonitor change limits, rollover process requirements, how to validate published data, incomprehensible errors from dnssec-signzone, key expiration monitoring
Comment 1 Richard Soderberg [:atoll] 2013-05-15 21:22:41 PDT
[2] key type validation (type 7), comcast testing
Comment 2 Brian Hourigan [:digi] 2013-10-12 15:44:40 PDT
We now use an external DNS provider and no longer have the need to maintain our own DNSSEC keys.
