Raxx · internal docs

internal · gated

Rotation SOP — Dyn (Oracle Dyn) API Key

Mode: operator-assisted Last validated: 2026-04-24 UTC Validation method: read-only-docs Average duration: 6m (variable — depends on Oracle Dyn portal availability) Required role: ops

Applies to: DYN_API_KEY (Dyn Managed DNS API user/customer/password triplet, or the API key issued via DynID for Standard DNS).

Service status caveat: Dyn was acquired by Oracle and many help.dyn.com pages now redirect to a deprecation notice. The login portal at https://account.dyn.com/entrance/ is still operational as of 2026-04-24. Long-term, Oracle is migrating customers to its OCI DNS product. Confirm with Oracle support whether Dyn is still our active DNS path before scheduling rotations. If we have already migrated off Dyn, retire this SOP.

When to run

Prerequisites

Steps

1. Pre-rotation checks

# Authenticate and get a session token (Managed DNS REST API)
SESSION=$(curl -sS -X POST -H "Content-Type: application/json" \
  -d "{\"customer_name\":\"$DYN_CUSTOMER\",\"user_name\":\"$DYN_USER\",\"password\":\"$CURRENT_PASSWORD\"}" \
  https://api.dynect.net/REST/Session/ | jq -r '.data.token')
echo "$SESSION" | head -c 16
# Expect: a token string. If the call returns an error, the credential is already invalid.

2. Generate the new credential

There is no programmatic rotation API for the Dyn user password. Portal only.

  1. Navigate to https://account.dyn.com/entrance/.
  2. Log in with the current credential.
  3. Navigate to the user/account management section (path varies by product: Managed DNS vs Standard DNS).
  4. Locate API User or API Credentials.
  5. Click Reset Password (or Generate New Key for Standard DNS / DynID API).
  6. Copy the new credential immediately.

For Standard DNS / DynID: 1. Log in to DynID at https://account.dyn.com/. 2. Navigate to the API Users section. 3. Generate or reset the API key.

3. Validate the new credential

NEW_PASSWORD="..."
SESSION=$(curl -sS -X POST -H "Content-Type: application/json" \
  -d "{\"customer_name\":\"$DYN_CUSTOMER\",\"user_name\":\"$DYN_USER\",\"password\":\"$NEW_PASSWORD\"}" \
  https://api.dynect.net/REST/Session/ | jq -r '.data.token')
[ -n "$SESSION" ] && [ "$SESSION" != "null" ] && echo "auth ok" || echo "auth FAILED"
# Expect: "auth ok"
# Logout to clean up:
curl -sS -X DELETE -H "Auth-Token: $SESSION" https://api.dynect.net/REST/Session/

4. Store in Infisical

infisical secrets set DYN_PASSWORD="$NEW_PASSWORD" \
  --projectId="$INFISICAL_PROJECT_ID" --env=prod
# DYN_CUSTOMER and DYN_USER are stored separately and not rotated unless the user identity changes.

5. Propagate to downstream consumers

Consumer How
DNS automation app / cron heroku config:set DYN_PASSWORD="$NEW_PASSWORD" -a <app>
Operator local DM via Slack D0AJ7K184TV

6. Verify downstream

# Run the consumer's DNS check (read-only) and verify it succeeds with new credentials
heroku run --app <app> python -m scripts.dyn_dns_check
# Expect: no auth errors.

7. Revoke the old credential

The portal's "Reset Password" action already invalidated the old password atomically — no separate revoke step. Confirm:

curl -sS -o /dev/null -w "%{http_code}\n" -X POST -H "Content-Type: application/json" \
  -d "{\"customer_name\":\"$DYN_CUSTOMER\",\"user_name\":\"$DYN_USER\",\"password\":\"$OLD_PASSWORD\"}" \
  https://api.dynect.net/REST/Session/
# Expect: 401 / 403

If using a separate API key (DynID), explicitly revoke the old key in the portal after verifying the new one works.

8. Audit log entry

action: secret.rotate.completed
actor: <admin_id>
context: {
  "secret_name": "DYN_PASSWORD",
  "customer": "<customer_name>",
  "user": "<user_name>",
  "method": "operator-assisted-portal"
}

Rollback

If the password reset replaced the old credential atomically, rollback is not possible — only roll forward by resetting again.

If the new credential is broken at the consumer: 1. Log back into the portal and reset the password again to a fresh value. 2. Repeat steps 4–6.

Vendor doc references

Known gotchas