DNSSEC
======

ZSK
---

Assumes:

- ZSK_p is the ZSK being retired (previous)
- ZSK_c is the ZSK that signs the zone for this period (current)
- ZSK_n is the ZSK that will sign the zone in the period after ZSK_c (next)

This is a pre-publish rollover: each ZSK sits in the DNSKEY RRset for one period before it signs anything, and stays there for a while after it stops signing, so that a resolver holding a cached DNSKEY RRset or cached RRSIGs never meets a signature it cannot validate.

1. On rotation day, generate ZSK_n and add its DNSKEY RR to the zone
2. Do not remove the DNSKEY RR for ZSK_p yet; it stays until step 6. Only the RRSIGs made by ZSK_p go away, replaced in step 4
3. Sign the DNSKEY RRset with the KSK
4. Sign the rest of the zone with ZSK_c
5. Publish the signed zone, which includes:
   - DNSKEY RRs for ZSK_p, ZSK_c and ZSK_n, signed by the KSK
   - Every other RR signed by ZSK_c
   - No RRSIG made by ZSK_p
6. After the caches have expired, delete the ZSK_p DNSKEY RR. "Expired" means: the re-signed zone has reached every secondary, and the longest TTL in the zone has elapsed after that, so no resolver can still hold an RRSIG made by ZSK_p

Check before the next rotation: ZSK_n must have been in the published DNSKEY RRset for at least the DNSKEY TTL plus propagation delay before it takes over as ZSK_c, so the interval between rotations has to exceed that.

NSEC3PARAM
----------

On ZSK rotation day, generate a new salt with `openssl rand -hex 11` (11 random bytes, 22 hex characters) and replace the current salt in the NSEC3PARAM record. Changing the salt re-hashes the whole NSEC3 chain, so do it as part of the full re-sign in step 4, never on a live zone by itself. Caveat: RFC 9276 recommends an empty salt ("-") and zero additional iterations, since the hashed owner name already includes the zone name and a public salt adds little against dictionary attacks on NSEC3 hashes; if the salt is kept, keep rotating it, but consider dropping it instead.

KSK
---

TBD

PGP
===

Main key
--------

TBD

Git signing key
---------------

TBD

SSH
===

1. Move the current key set to the `old/` directory
2. Change `~/.ssh/config` to also try keys from the `old/` directory (new keys listed first, `old/` keys after them)
3. Generate the new key set
4. SSH to each target machine (still authenticated by the old key) and add the new public key to `~/.ssh/authorized_keys`
5. SSH again with `-v` to confirm that the new key is the one offered and accepted
6. Change `~/.ssh/config` back to stop trying keys from the `old/` directory
7. Remove the old public key from `~/.ssh/authorized_keys` on every target (and wherever 3rd-party infra and Git hosting keep it); until then the old key still grants access. Delete `old/` once nothing accepts it any more

Key set:

- Own infra
- 3rd party infra
- Git-over-SSH
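For the ZSK and NSEC3PARAM sections above, an added example that is not part of the original notes: a small model of the pre-publish rollover that tracks which ZSKs are in the DNSKEY RRset, which ZSK signs the rest of the zone, and when the retired key may be dropped. The key names, the zone fields and the use of seconds for all times are assumptions made for the example; the salt generation matches `openssl rand -hex 11`.

```python
# Added example, not part of the original notes: a model of the pre-publish
# ZSK rollover and NSEC3 salt change. Key names, the SignedZone fields and
# the use of seconds for all times are assumptions made for this example.
import secrets
from dataclasses import dataclass, field


@dataclass
class SignedZone:
    dnskeys: set = field(default_factory=set)  # ZSKs in the DNSKEY RRset (signed by the KSK)
    zone_signer: str = ""                      # ZSK whose RRSIGs cover every other RRset
    nsec3_salt: str = ""                       # salt field of NSEC3PARAM, hex
    last_rotation: int = 0                     # time of the last rotation, seconds


def new_salt() -> str:
    """Same as `openssl rand -hex 11`: 11 random bytes as 22 hex characters."""
    return secrets.token_hex(11)


def rotate(zone: SignedZone, zsk_p: str, zsk_c: str, zsk_n: str, now: int) -> SignedZone:
    """Rotation day, steps 1-5: pre-publish ZSK_n, sign with ZSK_c, keep ZSK_p."""
    if zsk_c not in zone.dnskeys:
        # ZSK_c must already have been published (as last period's ZSK_n) so that
        # every resolver has refreshed its cached DNSKEY RRset; otherwise RRSIGs
        # made by ZSK_c fail validation against the old cached RRset.
        raise ValueError(f"{zsk_c} was never pre-published")
    zone.dnskeys.add(zsk_n)        # step 1: DNSKEY RR for ZSK_n
    zone.zone_signer = zsk_c       # step 4: all non-DNSKEY RRsets re-signed by ZSK_c
    zone.nsec3_salt = new_salt()   # NSEC3PARAM: new salt goes in with the full re-sign
    zone.last_rotation = now
    # steps 2 and 5: zsk_p's DNSKEY RR is deliberately left in zone.dnskeys
    return zone


def earliest_removal(rotation_time: int, max_ttl: int, propagation_delay: int) -> int:
    """Step 6: RRSIGs made by ZSK_p were served until the re-signed zone reached
    the last secondary; a resolver that fetched one just before that may cache
    it for up to the longest TTL in the zone."""
    return rotation_time + propagation_delay + max_ttl


def remove_previous(zone: SignedZone, zsk_p: str, now: int,
                    max_ttl: int, propagation_delay: int) -> bool:
    """Drop ZSK_p's DNSKEY RR; returns False and changes nothing if it is too early."""
    if now < earliest_removal(zone.last_rotation, max_ttl, propagation_delay):
        return False
    zone.dnskeys.discard(zsk_p)
    return True


if __name__ == "__main__":
    # Constructed walk-through: one rotation, then the delayed removal.
    z = SignedZone(dnskeys={"zsk_p", "zsk_c"}, zone_signer="zsk_p")
    rotate(z, "zsk_p", "zsk_c", "zsk_n", now=1_000)
    print(sorted(z.dnskeys), z.zone_signer, z.nsec3_salt)
    print(remove_previous(z, "zsk_p", now=50_000, max_ttl=86_400, propagation_delay=3_600))
    print(remove_previous(z, "zsk_p", now=91_000, max_ttl=86_400, propagation_delay=3_600))
    print(sorted(z.dnskeys))
```

With a one-day maximum TTL and an hour of propagation delay, `remove_previous` refuses until 90,000 seconds after the rotation; the refusal path is the one that matters, since removing ZSK_p early turns every cached RRSIG it made into a validation failure.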
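For steps 2 to 6 of the SSH section above, an added `~/.ssh/config` fragment that is not part of the original notes; the host patterns and key file names are assumptions.

```sshconfig
# ~/.ssh/config during the SSH key rollover. Added example, not from the
# original notes; host patterns and key file names are assumptions.

# Offer only the keys listed below, in the order listed. Without this, every
# key held by ssh-agent is offered first and the server's MaxAuthTries
# (default 6) can be used up before the right key is reached.
Host *
    IdentitiesOnly yes

# Own infra: new key first, old key as fallback until step 5 has confirmed
# the new one. Step 6 is deleting the old/ line.
Host *.example.internal
    IdentityFile ~/.ssh/id_ed25519_own
    IdentityFile ~/.ssh/old/id_ed25519_own

# 3rd-party infra and Git-over-SSH use their own key pairs, rolled the same way
Host git.example.org
    IdentityFile ~/.ssh/id_ed25519_git
    IdentityFile ~/.ssh/old/id_ed25519_git
```

For step 5, `ssh -v host` prints an `Offering public key:` line per key tried and a `Server accepts key:` line for the one that worked; the accepted path must be the new file, not one under `old/`. After step 6 the `old/` lines are gone, so a target that still only knows the old key fails to authenticate rather than silently using it.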