how to update DNS resource records

updating standard resource records

For most zones, the hidden primary DNS server is denis, with RcodeZero, Netnod and easyDNS providing public-facing secondary servers.

Zone files are managed via a git repository. Pushing commits into the git repository will invoke a post-commit hook that causes the recompilation and reload of the zone files.

Some subdomains (specifically www.debian.org and security.debian.org) are served by the autodns/geodns setup on geo{1,2,3}. Their zone files are managed by a separate git repository.

updating DNSSEC records

When nagios complains about impending DS expiry, find the new key in /srv/dns.debian.org/var/keys/$zone/dsset and add it at the registrar's (gandi). Leave the old one in place for a day or so, after checking that dnsviz.net is happy with the new key. For the debian.org and 29.172.in-addr.arpa zones, also update the trust anchors in puppet.