Posted to commits@trafficcontrol.apache.org by mi...@apache.org on 2018/09/26 13:51:55 UTC

[trafficcontrol] 38/46: Moved DNSSEC tutorial to Traffic Portal

This is an automated email from the ASF dual-hosted git repository.

mitchell852 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git

commit 461468758a4cf5fe044020f18dde4575a6316948
Author: ocket8888 <oc...@gmail.com>
AuthorDate: Mon Sep 17 08:07:54 2018 -0600

    Moved DNSSEC tutorial to Traffic Portal
---
 docs/source/admin/quick_howto/dnssec.rst   |  84 +++++++++++++++++++----------
 docs/source/admin/quick_howto/dnssec00.png | Bin 0 -> 34298 bytes
 docs/source/admin/quick_howto/dnssec01.png | Bin 32216 -> 46043 bytes
 docs/source/admin/quick_howto/dnssec02.png | Bin 61047 -> 47207 bytes
 docs/source/admin/quick_howto/dnssec03.png | Bin 145394 -> 15058 bytes
 docs/source/admin/quick_howto/dnssec04.png | Bin 195587 -> 40494 bytes
 docs/source/admin/quick_howto/dnssec05.png | Bin 0 -> 19137 bytes
 docs/source/admin/quick_howto/dnssec06.png | Bin 0 -> 37558 bytes
 docs/source/admin/quick_howto/index.rst    |   9 +---
 9 files changed, 57 insertions(+), 36 deletions(-)

diff --git a/docs/source/admin/quick_howto/dnssec.rst b/docs/source/admin/quick_howto/dnssec.rst
index 4af1ce3..7741b3f 100644
--- a/docs/source/admin/quick_howto/dnssec.rst
+++ b/docs/source/admin/quick_howto/dnssec.rst
@@ -19,54 +19,80 @@
 Configure DNSSEC
 ****************
 
+.. seealso:: :ref:`tr-dnssec`
+
 .. Note:: In order for Traffic Ops to successfully store keys in Traffic Vault, at least one Riak Server needs to be configured in Traffic Ops. See the `Traffic Vault admin page <../traffic_vault.html>`_ for more information.
 
 .. Note:: Currently DNSSEC is only supported for DNS delivery services.
 
-1)  Go to Tools->Manage DNSSEC Keys choose a CDN and click Manage DNSSEC Keys
+#. Go to 'CDNs' and click on the desired CDN.
+
+	.. figure:: dnssec00.png
+		:width: 60%
+		:align: center
+		:alt: Screenshot of the Traffic Portal UI depicting the CDNs page
+
+		CDNs Page
+
+#. Click on 'Manage DNSSEC Keys' under the 'More' drop-down menu.
+
+	.. figure:: dnssec01.png
+		:width: 60%
+		:align: center
+		:alt: Screenshot of the Traffic Portal UI depicting the CDN details page
+
+		CDN Details Page
+
+#. Click on the 'Generate DNSSEC Keys' button.
+
+	.. figure:: dnssec02.png
+		:width: 60%
+		:align: center
+		:alt: Screenshot of the Traffic Portal UI depicting the CDN DNSSEC Key Management page
 
-.. image:: dnssec01.png
-	:scale: 100%
-	:align: center
+		DNSSEC Key Management Page
 
-2)	Generate keys for a CDN by clicking Generate Keys then entering the following information:
+#. A modal will pop up asking you to confirm that you want to proceed.
 
-		-  Expiration in days for the Zone Signing Key (ZSK)
-		-  Expiration in days for the Key Signing Key (KSK)
-		-  Effective Date
+	.. figure:: dnssec03.png
+		:width: 30%
+		:align: center
+		:alt: Screenshot of the Traffic Portal UI depicting the CDN DNSSEC Key Generation confirmation modal
 
-	Once the required information has been entered click on the 'Generate Keys' button.
+		Confirmation Modal
 
-	Depending upon the number of Delivery Services in the CDN, generating DNSSEC keys may take serveral seconds.
+#. Input the required information (reasonable defaults should be generated for you). When done, click on the green 'Generate' button.:
 
-.. image:: dnssec02.png
-	:scale: 100%
-	:align: center
+	.. note:: Depending upon the number of Delivery Services in the CDN, generating DNSSEC keys may take several seconds.
 
-3)	In order for DNSSEC to work properly, the DS Record information needs to be added to the parent zone of the CDN's domain (e.g. If 	the CDN's domain is 'cdn.kabletown.net' the parent zone is 'kabletown.net').
+	.. figure:: dnssec04.png
+		:width: 50%
+		:align: center
+		:alt: Screenshot of the Traffic Portal UI depicting the CDN DNSSEC Key Generation page
 
-	If you control your parent zone you can enter this information yourself, otherwise you will need to work with your DNS team to get the DS Record added to the parent zone.
+		DNSSEC Key Generation Page
 
-.. image:: dnssec03.png
-	:scale: 70%
-	:align: center
+#. You will be prompted to confirm the changes by typing the name of the CDN into a text box. After doing so, click on the red 'Confirm' button.
 
-4)	Once DS Record information has been added to the parent zone, DNSSEC needs to be activated for the CDN so that Traffic Router will sign responses.
+	.. figure:: dnssec05.png
+		:width: 30%
+		:align: center
+		:alt: Screenshot of the Traffic Portal UI depicting the confirmation modal for committing changes to DNSSEC Keys.
 
-	Click on Tools -> Manage DNSSEC Keys -> Choose your CDN -> On the Manage DNSSEC Keys page click the activate DNSSEC Keys button.
+		DNSSEC Key Change Confirmation
 
-	This will add a 'dnssec.enabled = "true"' entry to CRConfig for the chosen CDN.
 
-.. image:: dnssec04.png
-	:scale: 70%
-	:align: center
+#. In order for DNSSEC to work properly, the DS Record information needs to be added to the parent zone of the CDN's domain (e.g. If the CDN's domain is 'ciab.cdn.local' the parent zone is 'cdn.local'). If you control your parent zone you can enter this information yourself, otherwise you will need to work with your DNS team to get the DS Record added to the parent zone.
 
-5) DNSSEC should now be active on your CDN and Traffic Router should be signing responses.
+#. Once DS Record information has been added to the parent zone, DNSSEC needs to be activated for the CDN so that Traffic Router will sign responses. Go back to the CDN details page for this CDN, and set the 'DNSSEC Enabled' field to 'true', then click the green 'Update' button.
 
-	A dig command with +dnssec added should show you the signed responses.
+	.. figure:: dnssec06.png
+		:width: 60%
+		:align: center
+		:alt: Screenshot of the Traffic Portal UI depicting the details page for a CDN when changing its 'DNSSEC Enabled' field
 
-	``dig edge.cdn.kabletown.net. +dnssec``
+		Change 'DNSSEC Enabled' to 'true'
 
-6)	When KSK expiration is approaching (default 365 days), it is necessary to manually generate a new KSK for the TLD (Top Level Domain) and add the DS Record to the parent zone.  In order to avoid signing errors, it is suggested that an effective date is chosen which allows time for the DS Record to be added to the parent zone before the new KSK becomes active.
+#. DNSSEC should now be active on your CDN and Traffic Router should be signing responses. This should be tested e.g. with this ``dig`` command: ``dig edge.cdn.local. +dnssec``.
 
-	A new KSK can be generated by clicking the 'Regenerate KSK' button on the Manage DNSSEC Keys screen (see screenshot above).
+#. When KSK expiration is approaching (default 365 days), it is necessary to manually generate a new KSK for the TLD (Top Level Domain) and add the DS Record to the parent zone. In order to avoid signing errors, it is suggested that an effective date is chosen which allows time for the DS Record to be added to the parent zone before the new KSK becomes active.
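Review bot: The last step, on KSK expiration, no longer says how to generate the new KSK. The removed line "A new KSK can be generated by clicking the 'Regenerate KSK' button on the Manage DNSSEC Keys screen" has no replacement, so the step states that manual regeneration is necessary without naming where it is done in Traffic Portal; add a sentence that names the control. In the verification step, ``dig edge.cdn.local. +dnssec`` queries a name under 'cdn.local', which the DS Record step describes as the parent zone of the CDN domain 'ciab.cdn.local'; a name under 'ciab.cdn.local' would keep the two examples consistent, as the old 'cdn.kabletown.net' / 'edge.cdn.kabletown.net' pair was. The new "Input the required information" step also drops the list of fields (ZSK expiration, KSK expiration, effective date) and ends with a stray ".:" after "'Generate' button".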
diff --git a/docs/source/admin/quick_howto/dnssec00.png b/docs/source/admin/quick_howto/dnssec00.png
new file mode 100644
index 0000000..003313f
Binary files /dev/null and b/docs/source/admin/quick_howto/dnssec00.png differ
diff --git a/docs/source/admin/quick_howto/dnssec01.png b/docs/source/admin/quick_howto/dnssec01.png
index 044538f..f4d5cf7 100644
Binary files a/docs/source/admin/quick_howto/dnssec01.png and b/docs/source/admin/quick_howto/dnssec01.png differ
diff --git a/docs/source/admin/quick_howto/dnssec02.png b/docs/source/admin/quick_howto/dnssec02.png
index 82fa75a..adb9766 100644
Binary files a/docs/source/admin/quick_howto/dnssec02.png and b/docs/source/admin/quick_howto/dnssec02.png differ
diff --git a/docs/source/admin/quick_howto/dnssec03.png b/docs/source/admin/quick_howto/dnssec03.png
index 1fc3cce..4d615a5 100644
Binary files a/docs/source/admin/quick_howto/dnssec03.png and b/docs/source/admin/quick_howto/dnssec03.png differ
diff --git a/docs/source/admin/quick_howto/dnssec04.png b/docs/source/admin/quick_howto/dnssec04.png
index f9b8d32..2d56a43 100644
Binary files a/docs/source/admin/quick_howto/dnssec04.png and b/docs/source/admin/quick_howto/dnssec04.png differ
diff --git a/docs/source/admin/quick_howto/dnssec05.png b/docs/source/admin/quick_howto/dnssec05.png
new file mode 100644
index 0000000..847fee0
Binary files /dev/null and b/docs/source/admin/quick_howto/dnssec05.png differ
diff --git a/docs/source/admin/quick_howto/dnssec06.png b/docs/source/admin/quick_howto/dnssec06.png
new file mode 100644
index 0000000..225ac30
Binary files /dev/null and b/docs/source/admin/quick_howto/dnssec06.png differ
diff --git a/docs/source/admin/quick_howto/index.rst b/docs/source/admin/quick_howto/index.rst
index 4c6b6dc..1d845c4 100644
--- a/docs/source/admin/quick_howto/index.rst
+++ b/docs/source/admin/quick_howto/index.rst
@@ -24,20 +24,15 @@ Traffic Ops
 .. toctree::
 
   multi_site.rst
-  dnssec.rst
   federations.rst
   regionalgeo.rst
   anonymous_blocking.rst
-  steering.rst
 
 Traffic Portal
 ==============
 
 .. toctree::
 
+  dnssec.rst
   ds_requests.rst
-
-
-
-
-
+  steering.rst
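Review bot: steering.rst is moved from the Traffic Ops toctree to the Traffic Portal toctree in this hunk, but the commit message mentions only the DNSSEC tutorial and the diffstat shows no change to steering.rst itself. If the steering tutorial still describes the Traffic Ops UI at this commit, move its toctree entry in the commit that rewrites it, or mention the move in this commit's message so the index change is not a surprise when bisecting the docs.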