Closed Bug 872884 Opened 12 years ago Closed 12 years ago

dnssec: document ZSK and KSK renewal/rollover process

Categories

(Infrastructure & Operations :: DNS and Domain Registration, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: Atoll, Assigned: bhourigan)

We occasionally need to regenerate the DNSSEC signing keys - usually ZSK (zone), rarely KSK (key). A rollover process is required [1] but needs to be fleshed out into a formal runbook-type process, including notes [2] about what we learned while fixing bug 872831.
[1] https://mana.mozilla.org/wiki/display/SYSADMIN/DNSSEC
[2] MarkMonitor change limits, rollover process requirements, how to validate published data, incomprehensible errors from dnssec-signzone, key expiration monitoring
[2] key type validation (type 7), Comcast testing
Group: infra
Assignee: server-ops → server-ops-infra
Component: Server Operations → Server Operations: Infrastructure
QA Contact: shyam → jdow
Assignee: server-ops-infra → bhourigan
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
Component: Infrastructure: Other → Infrastructure: DNS
We now use an external DNS provider and no longer have the need to maintain our own DNSSEC keys.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID