Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Handbook

Configuring the DSSET list

If you enable DNSSEC, secure communication between the FortiADC DNS server and any child DNS servers is based on keys contained in delegation signer files (DSSET files). In DNSSEC deployments, DSSET files are generated automatically when the zone is signed by DNSSEC.

You use the DSSET list configuration to paste in the content of the DSSET files provided by child domain servers or stub domains.

Note: You use the Global DNS zone configuration to generate the DSSET file for this server. The file generated by the zone configuration editor is the one you give to any parent zone or the registrar of your domain.

Before you begin:

  • You must have a good understanding of DNSSEC and knowledge of the DNS deployment in your network.
  • You must have used DNSSEC to sign the child domain servers and have downloaded the DSset files to a location you can reach from your management computer.
  • You must have Read-Write permission for Global Load Balance settings.

After you have configured a DSSET list, you can select it in DNS zone configuration.

To configure the DSSET list:
  1. Go to Global Load Balance > Zone Tools.
  2. Click the DSSET List tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in DSset list configuration.

DSset list configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference the name in the zone configuration (if you enable DNSSEC).

After you initially save the configuration, you cannot edit the name.

Filename

Type the filename. The convention is dsset-<domain>, for example, dsset-example.com.

Content

Paste the DSset file content. The content of DSset files is similar to the following:

dns.example.com. IN DS 13447 5 1 A5AD9EFB6840F58CF817F3CC7C24A7ED2DD5559C

Configuring the DSSET list

If you enable DNSSEC, secure communication between the FortiADC DNS server and any child DNS servers is based on keys contained in delegation signer files (DSSET files). In DNSSEC deployments, DSSET files are generated automatically when the zone is signed by DNSSEC.

You use the DSSET list configuration to paste in the content of the DSSET files provided by child domain servers or stub domains.

Note: You use the Global DNS zone configuration to generate the DSSET file for this server. The file generated by the zone configuration editor is the one you give to any parent zone or the registrar of your domain.

Before you begin:

  • You must have a good understanding of DNSSEC and knowledge of the DNS deployment in your network.
  • You must have used DNSSEC to sign the child domain servers and have downloaded the DSset files to a location you can reach from your management computer.
  • You must have Read-Write permission for Global Load Balance settings.

After you have configured a DSSET list, you can select it in DNS zone configuration.

To configure the DSSET list:
  1. Go to Global Load Balance > Zone Tools.
  2. Click the DSSET List tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in DSset list configuration.

DSset list configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference the name in the zone configuration (if you enable DNSSEC).

After you initially save the configuration, you cannot edit the name.

Filename

Type the filename. The convention is dsset-<domain>, for example, dsset-example.com.

Content

Paste the DSset file content. The content of DSset files is similar to the following:

dns.example.com. IN DS 13447 5 1 A5AD9EFB6840F58CF817F3CC7C24A7ED2DD5559C