“Serve” DNSSEC

The DNSSEC "Serve" feature provides the ability to support DNSSEC for secondary zones, but the zone administrator is responsible for implementing their own key management infrastructure (KMI) solution and properly rotating their zone signing key (ZSK) and key signing key (KSK).

DNSSEC requires transaction signature (TSIG). For zone access control, you need to enable TSIG with the supported algorithms. In addition to being responsible for all of the key signing, you must ensure that all the necessary new records are included in the zone transfer to Akamai.
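
One way to check a signed zone before it is transferred, as an added example (not Akamai code). It assumes one fully qualified record per line with explicit TTL and class, the layout of a `dig AXFR` answer. The record types it looks for (DNSKEY, RRSIG, NSEC or NSEC3PARAM) come from the DNSSEC specifications rather than from this page, and the zone `example.test.` and its data are constructed.

```python
# Constructed sample of a signed zone; key and signature data are dummy values.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.net. admin.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20300101000000 20200101000000 1111 example.test. c2ln
example.test. 3600 IN NS ns1.example.net.
example.test. 3600 IN RRSIG NS 13 2 3600 20300101000000 20200101000000 1111 example.test. c2ln
example.test. 3600 IN DNSKEY 257 3 13 a2V5
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20300101000000 20200101000000 2222 example.test. c2ln
example.test. 3600 IN NSEC www.example.test. NS SOA RRSIG NSEC DNSKEY
example.test. 3600 IN RRSIG NSEC 13 2 3600 20300101000000 20200101000000 1111 example.test. c2ln
www.example.test. 300 IN A 192.0.2.10
www.example.test. 300 IN RRSIG A 13 3 300 20300101000000 20200101000000 1111 example.test. c2ln
www.example.test. 300 IN NSEC example.test. A RRSIG NSEC
www.example.test. 300 IN RRSIG NSEC 13 3 300 20300101000000 20200101000000 1111 example.test. c2ln
"""

def check_signed_zone(text, origin):
    """Return a list of DNSSEC records that appear to be missing from the zone."""
    rrsets, covered = set(), set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or line.startswith(";"):
            continue                              # skip blanks and dig comment lines
        owner, rtype = f[0].lower(), f[3].upper()
        if rtype == "RRSIG":
            covered.add((owner, f[4].upper()))    # first RDATA field is the type covered
        else:
            rrsets.add((owner, rtype))
    origin = origin.lower()
    problems = []
    if (origin, "DNSKEY") not in rrsets:
        problems.append("no DNSKEY RRset at apex")
    if (origin, "NSEC") not in rrsets and (origin, "NSEC3PARAM") not in rrsets:
        problems.append("no NSEC or NSEC3PARAM at apex")
    # Owners with NS below the apex are delegation points: only DS and NSEC are signed there.
    cuts = {o for (o, t) in rrsets if t == "NS" and o != origin}
    for owner, rtype in sorted(rrsets):
        if owner in cuts and rtype not in ("DS", "NSEC"):
            continue
        if any(owner.endswith("." + c) for c in cuts):
            continue                              # glue below a zone cut is not signed
        if (owner, rtype) not in covered:
            problems.append(f"{owner} {rtype} has no RRSIG")
    return problems

if __name__ == "__main__":
    print(check_signed_zone(SAMPLE_ZONE, "example.test.") or "zone looks complete")
```

The check only confirms that the records are present; it does not validate signatures, expiry times or the NSEC chain.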

Note: If you have a self-signed zone, Edge DNS won’t serve subset RRsets. It will serve the full RRset as defined in your zone. If the RRset is too large for the standard DNS packet size, it will be necessary for your end users’ caching name servers to negotiate a larger packet size with extension mechanisms for DNS (EDNS0) or else use TCP. If you’re concerned about end users’ name servers not having this functionality, please configure smaller RRsets in your zone.