Use this command to change the trust anchor key (if necessary).
DNSSEC validation requires that a DNS name server know the trust anchor key for the root DNS domain in order to validate already signed responses. In general, trust anchor keys do not change often, but they do change occasionally, and might change unexpectedly in the event the keys are compromised.
The FortiADC DNS server is preconfigured with a trust anchor key for the root DNS domain. If you are informed that you must update this key, you can use the configuration editor to paste the new content into the DNS server configuration.
Before you begin:
- You must have a good understanding of DNSSEC and knowledge of the DNS deployment in your network.
- You must have already obtained the key so that you can copy and paste it into the DNS server configuration.
- You must have read-write permission for global load balancing settings.
config global-dns-server trust-anchor-key
set value <string>
set description <string>
The key value. The key format is a string with the following format:
\"<domainname>\" <num1> <num2> <num3> \"<content>\"
The following is an example:
\".\" 256 3 5 \"AwEAAbDrWmiIReotvZ6FObgKygZwUxSUJW9z5pjiQMLH0JBGXooHrR16 pdKhI9mNkM8bLUMtwYfgeUOYXIvfagee8rk=\"
A description of this configuration.
FortiADC-VM # config global-dns-server trust-anchor-key
FortiADC-VM (trust-anchor-key) # edit sss
Add new entry 'sss' for node 2240
FortiADC-VM (sss) # get
FortiADC-VM (sss) # set
*value key value
description key description
FortiADC-VM (sss) # set value "\".\" 256 3 5 \"AwEAAbDrWmiIReotvZ6FObgKygZwUxSUJW9z5pjiQMLH0JBGXooHrR16 pdKhI9mNkM8bLUMtwYfgeUOYXIvfagee8rk=\""
FortiADC-VM (sss) # end