config global-dns-server zone
Use this command to configure DNS zone and resource records.
The DNS zone configuration is the key to the global load balancing solution. This configuration contains the key DNS server settings, including:
- Domain name and name server details.
- Type—Whether the server is the primary or a forwarder.
- DNSSEC—Whether to use DNSSEC and the DNSSEC algorithm/key size.
- DNS RR records—The zone configuration contains resource records (RR) used to resolve DNS queries delegated to the domain by the parent zone.
You can specify different DNS server settings for each zone you create. For example, the DNS server can be a primary for one zone and a forwarder for another zone.
Before you begin:
- You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
- You must have authority to create authoritative DNS zone records for your network.
- You must have read-write permission for global load balancing settings.
After you have configured a DNS zone, you can select it in the DNS policy configuration.
Syntax
config global-dns-server zone
edit <name>
set type {forward|fqdn-generate|primary}
set domain-name <string>
set negative-ttl <integer>
set primary-server-ip <class_ip>
set primary-server-ip6 <class_ip>
set primary-server-name <string>
set responsible-mail <string>
set ttl <integer>
set forward-host {enable|disable}
set forward {first|only}
set forwarders <datasource>
set dnssec-status {enable|disable}
set dnssec-algorithm {ECDSAP256SHA256|ECDSAP384SHA384|NSEC3RSASHA1|RSASHA1|RSASHA256|RSASHA512}
set dnssec-keysize {1024|2048|4096}
set dsset-info <string>
set dssetinfo-filename <string>
set dsset-info-list <datasource>
set KSK <string>
set KSK-Filename <string>
set ZSK <string>
set ZSK-Filename <string>
config a-aaaa-record
edit <No.>
set hostname <string>
set source-type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
set method wrr
set weight <integer>
next
end
config cname-record
edit <No.>
set alias <string>
set target <string>
next
end
config mx-record
edit <No.>
set domain-name <string>
set hostname <string>
set type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
set priority <integer>
next
end
config ns-record
edit <No.>
set domain-name <string>
set host-name <string>
set type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
next
end
config txt-record
edit <No.>
set name <string>
set text <name>=<value>,<name>=<value>
next
end
config srv-record
edit <No.>
set hostname <string>
set target-server <string>
next
end
config ptr-record
edit <No.>
set ptr-address <string>
set fqdn <string>
next
end
next
end
config global-dns-server zone
type
  Whether the server is the primary or a forwarder.
domain-name
  The domain name must end with a period. For example:
negative-ttl
  The last field in the SOA record, the negative caching TTL. It tells other servers how long to cache no-such-domain (NXDOMAIN) responses from you. The default is 3600 seconds. The valid range is 0 to 2,147,483,647.
primary-server-ip
  IPv4 address of the primary server.
primary-server-ip6
  IPv6 address of the primary server.
primary-server-name
  Sets the server name in the SOA record.
responsible-mail
  Username of the person responsible for this zone, such as
ttl
  The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set. The default is 86,400. The valid range is 1 to 2,147,483,647.
forward-host
  Enable Forward Host to allow DNS queries to be forwarded to remote servers at the zone level. This is disabled by default. A forwarded query only has to match the zone; no other information, such as the hostname, has to match.
forward
  The forward option is available if forward-host is enabled.
forwarders
  The forwarders option is available if forward-host is enabled. Specify a remote server configuration object.
dnssec-status
  Enable/disable DNSSEC. The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups.
dnssec-algorithm
  The dnssec-algorithm option is available if dnssec-status is enabled. Select the cryptographic algorithm used to sign the zone for DNSSEC.
dnssec-keysize
  The dnssec-keysize option is available if dnssec-status is enabled. Select the key size (number of bits) for the DNSSEC signing keys.
  Note:
dsset-info
  Generated by the system if DNSSEC is enabled for the zone.
dssetinfo-filename
  The file is generated by the system if DNSSEC is enabled for the zone. The file generated by the zone configuration editor is the one you give to any parent zone or the registrar of your domain. The convention is dsset-<domain>, for example
dsset-info-list
  Specify a DSSET info list configuration object.
KSK
  Type characters for a string key. The file is generated by the system if DNSSEC is enabled for the zone.
KSK-Filename
  The file is generated by the system if DNSSEC is enabled for the zone. To regenerate the KSK, disable DNSSEC and then re-enable DNSSEC.
ZSK
  Type characters for a string key. The file is generated by the system if DNSSEC is enabled for the zone.
ZSK-Filename
  The file is generated by the system if DNSSEC is enabled for the zone. To regenerate the ZSK, disable DNSSEC and then re-enable DNSSEC.
config a-aaaa-record
hostname
  The hostname part of the FQDN, such as
  Note:
source-type
  IPv4 or IPv6
ip
  IPv4 address of the virtual server.
ip6
  IPv6 address of the virtual server.
method
  Weighted Round Robin (wrr) is the only method supported.
weight
  Assigns relative preference among members; higher values are more preferred and are assigned connections more frequently. The default is 1. The valid range is 1 to 255.
config cname-record
alias
  An alias name for another true or canonical domain name (the target). For instance,
target
  The true or canonical domain name. For instance,
config mx-record
hostname
  The hostname part of the FQDN for a mail exchange server, such as
type
  IPv4 or IPv6
ip
  IPv4 address of the mail server.
ip6
  IPv6 address of the mail server.
priority
  Preference given to this RR among others at the same owner. Lower values have greater priority.
config ns-record
domain-name
  The domain for which the name server has authoritative answers, such as
host-name
  The hostname part of the FQDN, such as
type
  IPv4 or IPv6
ip
  IPv4 address of the name server.
ip6
  IPv6 address of the name server.
config txt-record
name
  Hostname. TXT records are name-value pairs that contain human-readable information about a host. The most common use for TXT records is to store SPF records.
text
  Comma-separated list of name=value pairs. An example SPF record has the following form: "v=spf1 +mx a:colo.example.com/28 -all"
  If you complete the entry from the CLI, put the string in quotes. (If you complete the entry from the Web UI, do not put the string in quotes.)
config srv-record
hostname
  The SRV hostname.
target-server
  The target server name (record).
config ptr-record
ptr-address
  A PTR address, such as 10.168.192.in-addr.arpa. or 1. If you use the number, the domain name is in the format "x.x.x.in-addr.arpa.".
fqdn
  A fully qualified domain name, such as "www.example.com".
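As an added example (not FortiADC's own code and not part of this reference), the following Python checks a zone definition against the value constraints listed above (trailing period on domain-name, TTL ranges, supported DNSSEC algorithm and key size, weight 1 to 255, quoting of TXT text) and renders the matching CLI command sequence; the dictionary layout, the sample zone and the function names are this example's own assumptions.

```python
# Added example, not FortiADC's own code: check a zone definition against the value
# constraints documented above and render the matching CLI command sequence.
# The dict layout is this example's assumption; its keys are the CLI setting names.
DNSSEC_ALGOS = {"ECDSAP256SHA256", "ECDSAP384SHA384", "NSEC3RSASHA1", "RSASHA1", "RSASHA256", "RSASHA512"}
DNSSEC_KEYSIZES = {1024, 2048, 4096}
INT32_MAX = 2_147_483_647
SAMPLE_ZONE = {  # constructed: the zone from the session below plus a 2nd A record, SPF and DNSSEC
    "type": "primary", "domain-name": "www.fortiadc.com.", "responsible-mail": "root",
    "primary-server-name": "ns", "primary-server-ip": "202.33.11.107",
    "dnssec-status": "enable", "dnssec-algorithm": "ECDSAP256SHA256", "dnssec-keysize": 2048,
    "a-aaaa-record": [{"hostname": "www", "ip": "202.33.11.1", "weight": 3},
                      {"hostname": "www", "ip": "202.33.11.2", "weight": 1}],
    "txt-record": [{"name": "www", "text": "v=spf1 +mx a:colo.example.com/28 -all"}],
}

def validate_zone(zone):
    """Return the documented constraints the definition violates (empty list = ok)."""
    problems = []
    if not zone.get("domain-name", "").endswith("."):
        problems.append("domain-name must end with a period")
    if not 0 <= zone.get("negative-ttl", 3600) <= INT32_MAX:
        problems.append("negative-ttl must be 0..2147483647")
    if not 1 <= zone.get("ttl", 86400) <= INT32_MAX:
        problems.append("ttl must be 1..2147483647")
    if zone.get("dnssec-status") == "enable":
        if zone.get("dnssec-algorithm") not in DNSSEC_ALGOS:
            problems.append("dnssec-algorithm is not a supported algorithm")
        if zone.get("dnssec-keysize") not in DNSSEC_KEYSIZES:
            problems.append("dnssec-keysize must be 1024, 2048 or 4096")
    for rr in zone.get("a-aaaa-record", []):
        if not 1 <= rr.get("weight", 1) <= 255:
            problems.append(f"weight for {rr['hostname']} must be 1..255")
    return problems

def render_records(table, records):
    # TXT text is quoted here because the CLI (unlike the Web UI) requires the quotes.
    lines = [f"config {table}"]
    for i, rr in enumerate(records, 1):
        lines.append(f"edit {i}")
        for key, value in rr.items():
            lines.append(f'set {key} "{value}"' if key == "text" else f"set {key} {value}")
        lines.append("next")
    return lines + ["end"]

def render_zone(name, zone):
    lines = ["config global-dns-server zone", f"edit {name}"]
    lines += [f"set {k} {v}" for k, v in zone.items() if not k.endswith("-record")]
    for k, v in zone.items():
        lines += render_records(k, v) if k.endswith("-record") else []
    return "\n".join(lines + ["next", "end"])
```

Run validate_zone before render_zone so that a definition that violates a documented range is rejected before it is pasted into the CLI.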
Example
FortiADC-VM # config global-dns-server zone
FortiADC-VM (zone) # edit wan-zone
Add new entry 'wan-zone' for node 2248
FortiADC-VM (wan-zone) # get
type : primary
domain-name :
dnssec-status : disable
ttl : 86400
responsible-mail :
negative-ttl : 3600
primary-server-name :
primary-server-ip : 0.0.0.0
primary-server-ip6 : ::
FortiADC-VM (wan-zone) # set domain-name www.fortiadc.com.
FortiADC-VM (wan-zone) # set responsible-mail root
FortiADC-VM (wan-zone) # set primary-server-name ns
FortiADC-VM (wan-zone) # set primary-server-ip 202.33.11.107
FortiADC-VM (wan-zone) # config a-aaaa-record
FortiADC-VM (a-aaaa-record) # edit 1
Add new entry '1' for node 2257
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # get
hostname : www
source-type : ipv4
weight : 1
ip : 0.0.0.0
method : wrr
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # set ip 202.33.11.1
FortiADC-VM (1) # end
FortiADC-VM (wan-zone) # end