Description | This article describes how to get the DNSSEC Delegation Signer (DS) record information for a zone. The FortiADC Global Load Balance feature may need to be configured first; refer to the documentation at the end of this article for more information on configuring it. |
Scope | FortiADC and FortiADC-VM. |
Solution |
From GUI:
1. Go to Global Load Balance -> Zone Tools -> Zone and edit the respective zone. In this article, example.my is used as an example.
2. Enable DNSSEC and select Save.
3. Edit the same zone again and select the 'Backup DSSET Key' button to download the DNSSEC file. A prompt appears to save the tar file.
4. Extract the file and go to the DNSSEC folder. Open the file whose name starts with 'dsset'. The DS record is available in this file.
From CLI:
1. Enable DNSSEC:
config global-dns-server zone
    edit "fqdn_generate_example.my."
        set type fqdn-generate
        set domain-name example.my.
        set dnssec-status enable
        set dnssec-algorithm RSASHA256
        set dnssec-keysize 2048
end
2. Run the 'show' command for the 'global-dns-server zone' configuration. The DS record will be available as below:
show global-dns-server zone
config global-dns-server zone
    edit "fqdn_generate_example.my."
        set dsset-info "example.my. IN DS 45572 8 2 5492B4A701FC9EDD77AC21B466BBEED0315701746440401E72A9CC6A B1FFF7B8"
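Before submitting the DS record to the parent zone, it is worth checking that it matches the DNSKEY the zone publishes. The following is an added example, not Fortinet code: it parses the dsset-info line above (key tag 45572, algorithm 8 = RSASHA256, digest type 2 = SHA-256) and checks a DS record against DNSKEY fields using the RFC 4034 key tag and digest rules. The DNSKEY in the demo is a constructed sample, not the real key for example.my, and all function names are hypothetical.

```python
import base64
import hashlib

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def parse_ds(line):
    """Parse 'owner IN DS keytag alg digesttype digest' (digest may contain spaces)."""
    f = line.split()
    i = f.index("DS")
    return {"owner": f[0], "key_tag": int(f[i + 1]), "algorithm": int(f[i + 2]),
            "digest_type": int(f[i + 3]), "digest": "".join(f[i + 4:]).upper()}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Build DNSKEY RDATA from the fields shown in a DNSKEY record."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase) wire format of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_matches(ds, rdata):
    """True only if key tag, algorithm and digest all agree with this DNSKEY."""
    digest = DIGESTS[ds["digest_type"]](owner_wire(ds["owner"]) + rdata).hexdigest().upper()
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == digest)

# DS line exactly as shown in the dsset-info output above.
PAGE_DS = parse_ds("example.my. IN DS 45572 8 2 "
                   "5492B4A701FC9EDD77AC21B466BBEED0315701746440401E72A9CC6A B1FFF7B8")

if __name__ == "__main__":
    # Constructed sample KSK (flags 257, protocol 3, algorithm 8); NOT the real zone key.
    sample = dnskey_rdata(257, 3, 8, "AQIDBA==")
    print("page DS fields:", PAGE_DS)
    print("sample key tag:", key_tag(sample))
    print("page DS matches sample key:", ds_matches(PAGE_DS, sample))
```

To check the real zone, pass the flags, protocol, algorithm and Base64 public key from the zone's published DNSKEY record to `dnskey_rdata` and call `ds_matches(PAGE_DS, rdata)`.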
Before FortiADC v7.4.0, the FortiADC DNSSEC option supported only the RSASHA1 algorithm (517 bit).
FortiADC v7.4.0 or later supports more algorithm options, as per the documentation below.
Refer to the below documentation for more information on the Global Load Balance:
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.