<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Configure DNSSEC &mdash; Traffic Control 1.7 documentation </title>
<link rel="shortcut icon" href="../../_static/favicon.ico"/>
<link rel="stylesheet" href="../../_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="../../_static/theme_overrides.css" type="text/css" />
<link rel="top" title="Traffic Control 1.7 documentation" href="../../index.html"/>
<link rel="up" title="Quick How To Guides" href="index.html"/>
<link rel="next" title="Configure Federations" href="federations.html"/>
<link rel="prev" title="Configure Multi Site Origin" href="multi_site.html"/>
<script src="_static/js/modernizr.min.js"></script>
</head>
<body class="wy-body-for-nav" role="document">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-nav-search">
<a href="/" class="icon icon-home"> Traffic Control
<img src="../../_static/tc_logo.png" class="logo" />
</a>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../basics/index.html">CDN Basics</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../basics/content_delivery_networks.html">Content Delivery Networks</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../basics/http_11.html">HTTP 1.1</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../basics/caching_proxies.html">Caching Proxies</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../basics/cache_revalidation.html">Cache Control Headers and Revalidation</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../overview/index.html">Traffic Control Overview</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../overview/introduction.html">Introduction</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../overview/traffic_ops.html">Traffic Ops</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../overview/traffic_portal.html">Traffic Portal</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../overview/traffic_router.html">Traffic Router</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../overview/traffic_monitor.html">Traffic Monitor</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../overview/traffic_stats.html">Traffic Stats</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../overview/traffic_server.html">Traffic Server</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../overview/traffic_vault.html">Traffic Vault</a></li>
</ul>
</li>
</ul>
<ul class="current">
<li class="toctree-l1 current"><a class="reference internal" href="../index.html">Administrator&#8217;s Guide</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../traffic_ops_install.html">Installing Traffic Ops</a></li>
<li class="toctree-l2"><a class="reference internal" href="../traffic_ops_config.html">Configuring Traffic Ops</a></li>
<li class="toctree-l2"><a class="reference internal" href="../traffic_ops_using.html">Using Traffic Ops</a></li>
<li class="toctree-l2"><a class="reference internal" href="../traffic_ops_extensions.html">Managing Traffic Ops Extensions</a></li>
<li class="toctree-l2"><a class="reference internal" href="../traffic_portal.html">Traffic Portal Administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../traffic_monitor.html">Traffic Monitor Administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../traffic_router.html">Traffic Router Administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../traffic_stats.html">Traffic Stats Administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../traffic_server.html">Traffic Server Administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../traffic_vault.html">Traffic Vault Administration</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="index.html">Quick How To Guides</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../development/index.html">Developer&#8217;s Guide</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../development/traffic_ops.html">Traffic Ops</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../development/traffic_portal.html">Traffic Portal</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../development/traffic_router.html">Traffic Router</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../development/traffic_monitor.html">Traffic Monitor</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../development/traffic_stats.html">Traffic Stats</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../development/traffic_server.html">Traffic Server</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../faq/index.html">FAQ</a><ul>
<li class="toctree-l2"><a class="reference internal" href="../../faq/general.html">General</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../faq/development.html">Development</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../faq/administration.html">Running a Traffic Control CDN</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../glossary.html">Glossary</a></li>
</ul>
</div>
&nbsp;
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" role="navigation" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../../index.html">Traffic Control</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="../../index.html">Traffic Control 1.7</a> &raquo;</li>
<li><a href="../index.html">Administrator&#8217;s Guide</a> &raquo;</li>
<li><a href="index.html">Quick How To Guides</a> &raquo;</li>
<li>Configure DNSSEC</li>
<li class="wy-breadcrumbs-aside">
<a href="../../_sources/admin/quick_howto/dnssec.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="federations.html" class="btn btn-neutral float-right" title="Configure Federations">Next <span class="fa fa-arrow-circle-right"></span></a>
<a href="multi_site.html" class="btn btn-neutral" title="Configure Multi Site Origin"><span class="fa fa-arrow-circle-left"></span> Previous</a>
</div>
<div role="main" class="document">
<div class="section" id="configure-dnssec">
<span id="rl-dnssec-qht"></span><h1>Configure DNSSEC<a class="headerlink" href="#configure-dnssec" title="Permalink to this headline">¶</a></h1>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">In order for Traffic Ops to successfully store keys in Traffic Vault, at least one Riak Server needs to be configured in Traffic Ops. See the <a class="reference external" href="../traffic_vault.html">Traffic Vault admin page</a> for more information.</p>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Currently DNSSEC is only supported for DNS delivery services.</p>
</div>
<ol class="arabic simple">
<li>Go to Tools -&gt; Manage DNSSEC Keys, choose a CDN, and click Manage DNSSEC Keys.</li>
</ol>
<a class="reference internal image-reference" href="../../_images/dnssec01.png"><img alt="../../_images/dnssec01.png" class="align-center" src="../../_images/dnssec01.png" style="width: 1100.0px; height: 280.0px;" /></a>
<ol class="arabic" start="2">
<li><p class="first">Generate keys for a CDN by clicking Generate Keys then entering the following information:</p>
<blockquote>
<div><ul class="simple">
<li>Expiration in days for the Zone Signing Key (ZSK)</li>
<li>Expiration in days for the Key Signing Key (KSK)</li>
<li>Effective Date</li>
</ul>
</div></blockquote>
<p>Once the required information has been entered, click the &#8216;Generate Keys&#8217; button.</p>
<p>Depending upon the number of Delivery Services in the CDN, generating DNSSEC keys may take several seconds.</p>
</li>
</ol>
<a class="reference internal image-reference" href="../../_images/dnssec02.png"><img alt="../../_images/dnssec02.png" class="align-center" src="../../_images/dnssec02.png" style="width: 747.0px; height: 454.0px;" /></a>
<ol class="arabic" start="3">
<li><p class="first">In order for DNSSEC to work properly, the DS Record information needs to be added to the parent zone of the CDN&#8217;s domain (e.g. if the CDN&#8217;s domain is &#8216;cdn.kabletown.net&#8217;, the parent zone is &#8216;kabletown.net&#8217;).</p>
<p>If you control your parent zone, you can enter this information yourself; otherwise you will need to work with your DNS team to get the DS Record added to the parent zone.</p>
</li>
</ol>
<a class="reference internal image-reference" href="../../_images/dnssec03.png"><img alt="../../_images/dnssec03.png" class="align-center" src="../../_images/dnssec03.png" style="width: 499.1px; height: 190.4px;" /></a>
<ol class="arabic" start="4">
<li><p class="first">Once DS Record information has been added to the parent zone, DNSSEC needs to be activated for the CDN so that Traffic Router will sign responses.</p>
<p>Go to Tools -&gt; Manage DNSSEC Keys, choose your CDN, and on the Manage DNSSEC Keys page click the activate DNSSEC Keys button.</p>
<p>This will add a &#8216;dnssec.enabled = &#8220;true&#8221;&#8217; entry to CRConfig for the chosen CDN.</p>
</li>
</ol>
<a class="reference internal image-reference" href="../../_images/dnssec04.png"><img alt="../../_images/dnssec04.png" class="align-center" src="../../_images/dnssec04.png" style="width: 554.4px; height: 422.8px;" /></a>
<ol class="arabic" start="5">
<li><p class="first">DNSSEC should now be active on your CDN and Traffic Router should be signing responses.</p>
<blockquote>
<div><p>A dig command with +dnssec added should show you the signed responses.</p>
<p><code class="docutils literal"><span class="pre">dig</span> <span class="pre">edge.cdn.kabletown.net.</span> <span class="pre">+dnssec</span></code></p>
</div></blockquote>
</li>
<li><p class="first">When KSK expiration is approaching (default 365 days), it is necessary to manually generate a new KSK for the TLD (Top Level Domain) and add the DS Record to the parent zone. To avoid signing errors, choose an effective date that allows time for the DS Record to be added to the parent zone before the new KSK becomes active.</p>
<p>A new KSK can be generated by clicking the &#8216;Regenerate KSK&#8217; button on the Manage DNSSEC Keys screen (see screenshot above).</p>
</li>
</ol>
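<p>The check behind steps 3, 4 and 6, as an added example (not part of the Traffic Control documentation or code base): before activating DNSSEC or letting a regenerated KSK become effective, confirm that every KSK served for the CDN zone is covered by a DS record in the parent zone. The input format is assumed to be what <code class="docutils literal"><span class="pre">dig</span> <span class="pre">+short</span> <span class="pre">DNSKEY</span></code> and <code class="docutils literal"><span class="pre">dig</span> <span class="pre">+short</span> <span class="pre">DS</span></code> print; the function names and the toy keys are constructed for illustration.</p>

```python
import base64
import hashlib
import struct

DIGESTS = {"1": "sha1", "2": "sha256"}  # DS digest types (RFC 4034, RFC 4509)

def name_to_wire(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(line):
    """Parse '<flags> <protocol> <algorithm> <base64 key>' into (flags, alg, RDATA)."""
    flags, proto, alg, *key = line.split()
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return int(flags), int(alg), rdata + base64.b64decode("".join(key))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_matches(owner, rdata, alg, ds_line):
    """True if '<key tag> <alg> <digest type> <hex digest>' was derived from rdata."""
    tag, ds_alg, dtype, *digest = ds_line.split()
    if dtype not in DIGESTS or (int(tag), int(ds_alg)) != (key_tag(rdata), alg):
        return False
    want = hashlib.new(DIGESTS[dtype], name_to_wire(owner) + rdata).hexdigest()
    return want == "".join(digest).lower()

def ksks_without_ds(owner, dnskey_lines, ds_lines):
    """Key tags of KSKs (flags 257) that no DS record in the parent zone covers."""
    missing = []
    for line in dnskey_lines:
        flags, alg, rdata = dnskey_rdata(line)
        if flags != 257:  # by convention only KSKs are referenced by a DS record
            continue
        if not any(ds_matches(owner, rdata, alg, ds) for ds in ds_lines):
            missing.append(key_tag(rdata))
    return missing

# Constructed sample data (toy 4-byte keys, not real DNSSEC keys).
ZONE = "cdn.kabletown.net."
DNSKEYS = ["256 3 8 CQoLDA==", "257 3 8 AQIDBA==", "257 3 8 BQYHCA=="]
_, _, _OLD_KSK = dnskey_rdata(DNSKEYS[1])
PARENT_DS = ["2063 8 2 " + hashlib.sha256(name_to_wire(ZONE) + _OLD_KSK).hexdigest()]

if __name__ == "__main__":
    print("KSK key tags with no DS in parent:", ksks_without_ds(ZONE, DNSKEYS, PARENT_DS))
```

<p>In the constructed data the second KSK has no DS in the parent zone yet, which is the state a regenerated KSK is in until the new DS Record has been added; an empty result means every KSK is covered.</p>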
</div>
</div>
<footer>
<hr/>
<div role="contentinfo">
<p>
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT:'../../',
VERSION:'1.7',
COLLAPSE_INDEX:false,
FILE_SUFFIX:'.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../../_static/jquery.js"></script>
<script type="text/javascript" src="../../_static/underscore.js"></script>
<script type="text/javascript" src="../../_static/doctools.js"></script>
<script type="text/javascript" src="../../_static/js/theme.js"></script>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.StickyNav.enable();
});
</script>
</body>
</html>