From d109c7dfa3e4ca04045253043f9074b3aa311e5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Sat, 13 Jul 2019 10:18:59 -0400
Subject: [PATCH] forgot more bits

---
 tsa/howto/dns.mdwn | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/tsa/howto/dns.mdwn b/tsa/howto/dns.mdwn
index cc99fb55..5efd7334 100644
--- a/tsa/howto/dns.mdwn
+++ b/tsa/howto/dns.mdwn
@@ -5,12 +5,12 @@ How to
 
 Most operations on DNS happens in the `admin/dns/domains` repository
 (`git@git-rw.torproject.org:admin/dns/domains`). Those zones contains
-the master copy of the zone files, stored as standard Bind zonefiles
-([RFC 1034](https://tools.ietf.org/html/rfc1034)).
+the master copy of the zone files, stored as (mostly) standard Bind zonefiles
+([RFC 1034](https://tools.ietf.org/html/rfc1034)), but notably without a SOA.
 
-Tor's DNS support is fully authenticated with DNS, both to the outside
-world but also internally, where all TPO hosts use DNSSEC in their
-resolvers.
+Tor's DNS support is fully authenticated with DNSSEC, both to the
+outside world but also internally, where all TPO hosts use DNSSEC in
+their resolvers.
 
 Adding and editing a zone
 -------------------------
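Review bot: the added "but notably without a SOA" in the zonefile sentence says what is missing but not where the SOA comes from, so someone editing a zone cannot tell whether to add one or leave it out. Suggest a short clause naming what supplies the SOA record and stating that it must not be added by hand in the repository. Since the DNSSEC sentence is being rewritten anyway, "both to the outside world but also internally" would read better as "both to the outside world and internally".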
@@ -33,6 +33,15 @@ Removing a zone
        cd /srv/dns.torproject.org/var/keys/
        mv generated/torproject.fr* OLD-generated/
        mv keys/torproject.fr OLD-KEYS/
+ * remove the zone from the secondaries (Netnod and our own
+   servers). this means visiting the Netnod web interface for that
+   side, and Puppet
+   (`modules/bind/templates/named.conf.torproject-zones.erb`) for our
+   own
+ * the domains will probably be listed in other locations, grep Puppet
+   for Apache virtual hosts and email aliases
+ * the domains will also probably exist in the `letsencrypt-domains`
+   repository
 
 DS records expiry and renewal
 -----------------------------
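Review bot: the last two added bullets in the "Removing a zone" list say where the domain "will probably" appear but give no action. State explicitly that the Apache virtual hosts, email aliases and `letsencrypt-domains` entries are to be removed, so a deleted zone does not leave references behind in those places. The secondaries bullet would also benefit from a verification step, for example confirming that Netnod and our own servers no longer answer for the zone (`dig @<secondary> <zone> SOA`, with placeholders filled in), and "this means" should start with a capital letter.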
-- 
GitLab