Key Rotation

Keys should be rotated annually.

To do so:

  1. Update dnssec.tf: uncomment the _# resources, where # is the next incremental number, but do not update the aws_route53_hosted_zone_dnssec or aws_route53_record resources yet.
  2. terragrunt apply those resources to create a new KMS key and DNSSEC signing key.
  3. Add the new key's information as a second key on the domain in Route 53: AWS Commercial->MDR Common Services->Route 53->Registered Domains->domain->Manage Keys
  4. Wait for the confirmation email.
  5. Update dnssec.tf so that the aws_route53_hosted_zone_dnssec and aws_route53_record resources reference the latest #.
  6. PR and apply.

In 2-7 days, come back and remove the previous _# resources. Do future engineers a favor and create a commented-out copy for the next rotation, just like the one you had.
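
Before step 5, and again before removing the previous _# resources, it is worth confirming that the parent zone publishes a DS record matching the new key signing key. The Python below is an added example, not part of this repository: it derives the expected DS from a DNSKEY and compares it with DS lines in the format printed by `dig +short DS <zone>`. The zone name, key bytes and DS lines are constructed, and it assumes algorithm 13 (ECDSAP256SHA256) with SHA-256 (type 2) digests.

```python
import base64
import hashlib
import struct


def wire_name(name):
    """Owner name in canonical DNS wire format (lowercase, length-prefixed labels)."""
    parts = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_for(zone, rdata):
    """(key tag, algorithm, digest type, digest) the parent should publish."""
    digest = hashlib.sha256(wire_name(zone) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest  # assumption: digest type 2 (SHA-256)


def ksk_published(zone, rdata, ds_lines):
    """True if any DS line matches the KSK; dig may split the digest with spaces."""
    want = ds_for(zone, rdata)
    for line in ds_lines:
        parts = line.split()
        if len(parts) >= 4 and all(p.isdigit() for p in parts[:3]):
            got = (*map(int, parts[:3]), "".join(parts[3:]).upper())
            if got == want:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample: 64 filler bytes stand in for a P-256 public key.
    zone = "example.com"
    new_ksk = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
    old_only = ["11111 13 2 " + "AB" * 32]  # constructed: parent lists only the old key
    tag, alg, dtype, digest = ds_for(zone, new_ksk)
    print("old only  ->", ksk_published(zone, new_ksk, old_only))
    print("old + new ->", ksk_published(zone, new_ksk, old_only + [f"{tag} {alg} {dtype} {digest}"]))
```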