Article Id 205888



This article describes how to configure the FortiGate DHCP server to update DNS records dynamically (DDNS) and to authenticate those updates with TSIG.




To protect the DNS records from unauthorized modification, all dynamic updates should be authenticated with transaction signatures (TSIG). TSIG cryptographically signs each update with a message authentication code computed from a secret key shared by the DHCP server and the DNS server.




A TSIG key must be generated so that the DHCP server can authenticate itself to the DNS server for dynamic updates. It can be created with either the dnssec-keygen (BIND v9) or the dnskeygen (BIND v8) command. To generate a 128-bit key with dnssec-keygen using the HMAC-MD5 algorithm (mandatory for TSIG keys), run:


dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-server.example.domain


dnssec-keygen writes a Kdhcp-server.example.domain.+157+<id>.private file (157 is the algorithm number of HMAC-MD5); the base64 string on its 'Key:' line is the shared secret. This secret is then entered in the DHCP server settings under 'config system dhcp server':

FGT3KD-1 # config system dhcp server
FGT3KD-1 (server) # edit 1
FGT3KD-1 (1) # set ddns-update enable
FGT3KD-1 (1) # set ddns-update-override enable
FGT3KD-1 (1) # set ddns-server-ip <ddns_server_ip>
FGT3KD-1 (1) # set ddns-zone example.domain
FGT3KD-1 (1) # set ddns-auth tsig
FGT3KD-1 (1) # set ddns-keyname dhcp-server.example.domain
FGT3KD-1 (1) # set ddns-key 'YrjNE9zKuIffBhQSC/4Tkg=='
FGT3KD-1 (1) # next
FGT3KD-1 (server) # end

Replace <ddns_server_ip> with the IP address of the DNS server that accepts the updates, and set ddns-zone to the zone being updated. The ddns-keyname value must be exactly the name given to the key statement in named.conf, and ddns-key carries the base64 secret generated above.



Next, configure BIND (named). The same key name and secret are placed in a key statement in named.conf:

key dhcp-server.example.domain. {
    algorithm hmac-md5;
    secret "YrjNE9zKuIffBhQSC/4Tkg==";
};

Because this file now contains the shared secret, it should be readable only by the user that named runs as.


Add an update-policy substatement to both the forward and the reverse zone in named.conf, granting the key the right to modify only the record types the DHCP server needs (A and TXT in the forward zone, PTR in the reverse zone):

zone "example.domain" {
    type master;
    file "db.example.domain";
    update-policy {
        grant dhcp-server.example.domain. wildcard *.example.domain. A TXT;
    };
};

// The original article omitted the reverse zone name; "32.16.172.in-addr.arpa"
// is assumed here from the file name db.172.16.32 (the 172.16.32.0/24 subnet).
zone "32.16.172.in-addr.arpa" {
    type master;
    file "db.172.16.32";
    update-policy {
        grant dhcp-server.example.domain. wildcard *.32.16.172.in-addr.arpa. PTR;
    };
};

Run named-checkconf to validate the syntax before reloading named.
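To show what the shared key actually does on the wire once both sides above are configured, here is an added example (not FortiOS or BIND code) that builds a minimal DNS UPDATE, signs it with a TSIG record using HMAC-MD5, and verifies it the way the DNS server would. The key name and secret are the ones from the article; the host name "host1.example.domain", the address 172.16.32.10 and the timestamp are constructed sample values. It also shows the three failure modes a server reports: a tampered message (BADSIG), a mismatched key (BADSIG) and a signature outside the time window (BADTIME).

```python
# TSIG (RFC 2845 / RFC 8945) signing and verification of a DNS UPDATE with
# HMAC-MD5.  Teaching example; not FortiOS or BIND code.
import base64
import hashlib
import hmac
import struct
import time

# Key name and secret as in the article; everything else below is constructed.
KEYNAME = "dhcp-server.example.domain"
SAMPLE_SECRET = "YrjNE9zKuIffBhQSC/4Tkg=="
ALGORITHM = "hmac-md5.sig-alg.reg.int."   # wire name of HMAC-MD5 for TSIG
TSIG_TYPE, CLASS_ANY, CLASS_IN, TYPE_A, TYPE_SOA = 250, 255, 1, 1, 6


def encode_name(name):
    """Uncompressed wire-format DNS name (RFC 1035, section 3.1)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_update(zone, host, ipv4, msg_id=0x1234):
    """Minimal DNS UPDATE (RFC 2136): zone section plus one 'add A record' RR."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, len(rdata)) + rdata
    return header + zone_sec + rr


def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 8945, section 4.3.3): name, class ANY,
    TTL 0, algorithm, time signed (48 bit), fudge, error, other len, other data."""
    return (encode_name(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def compute_mac(secret_b64, message, keyname, time_signed, fudge=300, error=0, other=b""):
    """HMAC-MD5 over the unsigned message followed by the TSIG variables."""
    key = base64.b64decode(secret_b64)
    data = message + tsig_variables(keyname, time_signed, fudge, error, other)
    return hmac.new(key, data, hashlib.md5).digest()


def sign(secret_b64, message, keyname, time_signed=None, fudge=300):
    """Client side: append a TSIG RR to the additional section and bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = compute_mac(secret_b64, message, keyname, time_signed, fudge)
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def verify(secret_b64, signed, keyname, now=None):
    """Server side. Returns (ok, reason); reasons use the TSIG RCODE names."""
    marker = encode_name(keyname) + struct.pack("!HH", TSIG_TYPE, CLASS_ANY)
    pos = signed.rfind(marker)            # the TSIG RR is always the last RR
    if pos < 0:
        return False, "BADKEY"
    p = pos + len(marker) + 4             # skip the TTL
    (rdlen,) = struct.unpack("!H", signed[p:p + 2])
    rdata = signed[p + 2:p + 2 + rdlen]
    alg = encode_name(ALGORITHM)
    if not rdata.startswith(alg):
        return False, "BADKEY"            # algorithm not supported for this key
    q = len(alg)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", rdata[q:q + 10])
    q += 10
    mac, q = rdata[q:q + maclen], q + maclen
    orig_id, error, otherlen = struct.unpack("!HHH", rdata[q:q + 6])
    other = rdata[q + 6:q + 6 + otherlen]
    # Rebuild the message as it was when signed: no TSIG RR, ARCOUNT one lower.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    message = signed[:10] + struct.pack("!H", arcount) + signed[12:pos]
    if orig_id != struct.unpack("!H", message[:2])[0]:
        return False, "BADSIG"
    time_signed = (hi << 32) | lo
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:    # replay protection: signature too old or too new
        return False, "BADTIME"
    expected = compute_mac(secret_b64, message, keyname, time_signed, fudge, error, other)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    return True, "NOERROR"


def demo(now=1_700_000_000):
    """Sign one update and show the server's verdict on valid, tampered, wrong-key and stale copies."""
    msg = build_update("example.domain", "host1.example.domain", "172.16.32.10")
    signed = sign(SAMPLE_SECRET, msg, KEYNAME, time_signed=now)
    n = len(msg)                          # signed[n-1] is the last octet of the A record
    tampered = signed[:n - 1] + bytes([signed[n - 1] ^ 0x01]) + signed[n:]
    return {
        "valid": verify(SAMPLE_SECRET, signed, KEYNAME, now=now),
        "tampered": verify(SAMPLE_SECRET, tampered, KEYNAME, now=now),
        "wrong_key": verify("AAAAAAAAAAAAAAAAAAAAAA==", signed, KEYNAME, now=now),
        "stale": verify(SAMPLE_SECRET, signed, KEYNAME, now=now + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

The MAC covers the whole update plus the key name, algorithm and timestamp, so changing a single bit of the address, using a different secret, or replaying the message outside the fudge window (300 seconds by default) all make the server reject it. Note that hashlib.md5 is unavailable on Python builds running in FIPS mode, which is one more reason the HMAC-MD5 requirement noted in this article is a limitation rather than a recommendation.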



Note: This does not work with secure DNS updates on Windows systems, because Windows uses the GSS-TSIG protocol, which does not support the HMAC-MD5 algorithm.



