In order for Traffic Ops to successfully store keys in Traffic Vault, at least one Riak Server needs to be configured in Traffic Ops. See the Traffic Vault admin page for more information.
Currently DNSSEC is only supported for DNS Delivery Services.
Go to CDNs and click on the desired CDN.
Click on the Generate DNSSEC Keys button.
A modal will pop up asking you to confirm that you want to proceed.
Input the required information (reasonable defaults should be generated for you). When done, click on the green Generate button.
Depending upon the number of Delivery Services in the CDN, generating DNSSEC keys may take several seconds.
You will be prompted to confirm the changes by typing the name of the CDN into a text box. After doing so, click on the red Confirm button.
In order for DNSSEC to work properly, the DS Record information needs to be added to the parent zone of the CDN’s domain (e.g. if the CDN’s domain is ‘ciab.cdn.local’, the parent zone is ‘cdn.local’). If you control the parent zone you can enter this information yourself; otherwise you will need to work with your DNS team to get the DS Record added to the parent zone.
Once DS Record information has been added to the parent zone, DNSSEC needs to be activated for the CDN so that Traffic Router will sign responses. Go back to the CDN details page for this CDN, and set the ‘DNSSEC Enabled’ field to ‘true’, then click the green Update button.
DNSSEC should now be active on your CDN and Traffic Router should be signing responses. This should be tested, e.g. with the following dig(1) command:
dig edge.cdn.local. +dnssec
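A signed response to that query carries RRSIG records alongside the answer records and echoes the EDNS DO flag. The script below is an added example, not part of the Traffic Control documentation or code: it parses `dig ... +dnssec` output and reports whether the answer is actually signed and whether the signatures are still within their validity window. The two embedded sample outputs (SAMPLE_SIGNED, SAMPLE_UNSIGNED), the key tag, the signature bytes and the function names are all constructed for illustration; pass a hostname as the first argument to run it against a live Traffic Router instead.

```shell
#!/bin/sh
# Added example (not from the Traffic Control project): check `dig <name> +dnssec`
# output for signatures. The sample outputs below are constructed, not captured.

SAMPLE_SIGNED='; <<>> DiG 9.16.1 <<>> edge.cdn.local. +dnssec
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;edge.cdn.local.  IN  A

;; ANSWER SECTION:
edge.cdn.local.  30  IN  A      192.0.2.10
edge.cdn.local.  30  IN  RRSIG  A 8 3 30 20990101000000 20240101000000 12345 cdn.local. c29tZXNpZw==

;; Query time: 1 msec'

SAMPLE_UNSIGNED='; <<>> DiG 9.16.1 <<>> edge.cdn.local. +dnssec
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;edge.cdn.local.  IN  A

;; ANSWER SECTION:
edge.cdn.local.  30  IN  A      192.0.2.10

;; Query time: 1 msec'

# Print only the RRSIG records of the ANSWER SECTION (the section ends at a blank line).
answer_rrsigs() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/      { in_answer = 1; next }
        in_answer && /^$/          { in_answer = 0 }
        in_answer && $4 == "RRSIG" { print }'
}

count_answer_rrsigs() {
    answer_rrsigs "$1" | awk 'END { print NR }'
}

# The "do" (DNSSEC OK) flag in the EDNS pseudosection shows the server honoured +dnssec.
do_flag_set() {
    printf '%s\n' "$1" | grep -q '^; EDNS: .*flags: do'
}

# RRSIG rdata field 9 is the expiration time (YYYYMMDDHHMMSS, UTC).
# Returns 0 when every signature in the answer is still valid right now.
rrsigs_unexpired() {
    now=$(date -u +%Y%m%d%H%M%S)
    answer_rrsigs "$1" | awk -v now="$now" '
        BEGIN     { bad = 0 }
        $9 <= now { bad = 1 }
        END       { exit bad }'
}

# Combined verdict: RRSIGs present, DO flag honoured, no expired signature.
check_dnssec_answer() {
    n=$(count_answer_rrsigs "$1")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no RRSIG records in the answer section (responses are not signed)"
        return 1
    fi
    if ! do_flag_set "$1"; then
        echo "FAIL: server did not set the EDNS DO flag"
        return 1
    fi
    if ! rrsigs_unexpired "$1"; then
        echo "FAIL: at least one RRSIG in the answer has expired"
        return 1
    fi
    echo "OK: $n RRSIG record(s) in answer, DO flag set, signatures within validity window"
    return 0
}

# Stand-alone use: query a live name if one is given, otherwise check the constructed sample.
if [ $# -gt 0 ]; then
    check_dnssec_answer "$(dig "$1" +dnssec)"
else
    check_dnssec_answer "$SAMPLE_SIGNED"
fi
```

Run it periodically against an edge name in each DNSSEC-enabled CDN; a sudden switch from OK to "no RRSIG records" after an edit to the CDN means the ‘DNSSEC Enabled’ field was turned off or key generation did not complete, and an "expired" verdict is the symptom a validating resolver will turn into SERVFAIL.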
When KSK expiration is approaching (default 365 days), it is necessary to manually generate a new KSK for the TLD and add its DS Record to the parent zone. In order to avoid signing errors, choose an effective date that allows time for the DS Record to be added to the parent zone before the new KSK becomes active.