# Key Rotation

Keys should be rotated annually.

To do so:

1. Update `dnssec.tf`:. Uncomment the `_#` resources, where `#` is an incremental update, but do not update the `aws_route53_hosted_zone_dnssec` or `aws_route53_record` resources yet.
1. `terragrunt apply` those resources to create a new KMS key and DNSSEC signing key.
1. Add the updated Key information as a _second key_ to the domain information in route53: AWS Commercial->MDR Common Sevices->Route 53->Registered Domains->domain->Manage Keys
1. Wait for confirmation email
1. Update `dnssec.tf` with the `aws_route53_hosted_zone_dnssec` and `aws_route53_record` updated the latest `#`.
1. PR and apply.

In 2-7 days, come back and remove the previous `_#` resources. Do future engineers a favor and create a copy just like you had.