DNS services
This section covers the DNS services offered by FortiGSLB Cloud.
FortiGSLB, functioning as a DNS service, supports both standard DNS zones and primary-type zones.
Configuring zone text field

| Settings | Guidelines |
|---|---|
| Name | Name of the zone. |
| Type | Primary: the configuration holds the primary copy of the zone data, and this server is authoritative for it. |
| Domain name | The domain name must end with a period. For example: example.com. |
| Responsible Mail | Mailbox (username) of the person responsible for this zone, for example admin.example.com. Note: the format is mailbox-name.domain.com. (remember the trailing dot). A dot is used instead of the @ sign of an email address because @ has another meaning in the zone file. Mail is still delivered to admin@example.com. |
| Primary server name | Sets the server name in the SOA record. |
| Primary server address (IPv4) | The IPv4 address of the primary server. Note: this address is appended to the ADDITIONAL SECTION of the query reply. In most cases this is the FortiGSLB Cloud DNS server IP address. |
| Primary Server Address (IPv6) | The IPv6 address of the primary server. Note: this IPv6 address is appended to the ADDITIONAL SECTION of replies to IPv6-type queries. If another DNS server hosting the same domain supports IPv6, enter its IPv6 address here; otherwise leave the field empty. |
| TTL | The $TTL directive at the top of the zone file (before the SOA) sets the default TTL for every RR that has no explicit TTL. The default is 86,400 seconds. The valid range is 0 to 2,147,483,647. |
| Negative TTL | The last field in the SOA: the negative caching TTL. It tells other servers how long to cache no-such-domain (NXDOMAIN) responses from this zone. The default is 3600 seconds. The valid range is 0 to 2,147,483,647. |
DNSSEC
Only enable DNSSEC when necessary. Click the DNSSEC toggle switch to enable DNSSEC, then click Save. Wait at least 5 seconds before clicking the Refresh icon in the top right corner. The DNSSEC Available dot indicator should now be green, and the Download DNSSEC Certs and Regenerate a set of DNSSEC certs icon buttons should now be accessible.
Clicking Download DNSSEC Certs downloads an archive containing the dsset file, the zone-signing keys and the key-signing keys.
Clicking Regenerate a set of DNSSEC certs generates a new dsset file, zone-signing keys and key-signing keys, which take effect immediately; the old keys become invalid. If a DS record for this zone has been published in the parent zone, it must be updated with the new dsset content, otherwise validating resolvers will fail to validate the zone.
Note: DNSSEC works with A/AAAA, CNAME, NS, MX, TXT, SRV and PTR records created in the zone. It also works with FQDN-generated A records, with the limitation that only one record is returned to the client for FQDN services.
DSSet
List of DS set keys for sub-domains that also have DNSSEC enabled.
Note: the corresponding NS record for the sub-domain must already exist when you add a dsset, and the key content must be valid. Otherwise the zone fails to reload and stops responding to any query.
Configuring the DSSet text field

| Settings | Guidelines |
|---|---|
| Name | Key name. |
| Key | Paste the content of the dsset file (the DS records generated for the sub-domain). |
Importing zone configuration files
Before importing a zone file into FortiGSLB's DNS Services, make sure the zone is configured correctly.
Consider the following guidelines:
- The zone file must comply with the RFC standards and the BIND format.
- Record domain names in the zone file must match the hosted zone's name.
- FortiGSLB ignores SOA records in the zone file.
- NS records for the configured zone domain, and their corresponding A records, are disregarded.
- The imported zone file must not duplicate any record already present in the hosted zone, or the import fails.
- Duplicate records within the imported zone file also cause the import to fail.
- You can import up to 1024 records.
Below is a sample zone file:

```zone
$TTL 86400
example.com. IN SOA ns1 admin (
    10004   ; serial
    3600    ; refresh
    900     ; retry
    3600000 ; expiry
    3600    ; minimum
)
example.com. IN NS ns1
$ORIGIN example.com.
ns1  86400 IN A 1.2.3.4
mail 86400 IN A 192.0.2.2
www  86400 IN A 192.0.2.1
www.example.com 86400 IN CNAME example.com.
sub.example.com 86400 IN MX 10 mail
```
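As an added illustration (not FortiGSLB code, and not how its importer is implemented), the following Python pre-checks a zone file against the import guidelines above: it drops SOA and apex NS/glue records, flags out-of-zone names and duplicates, and enforces the 1024-record limit. The parser is a minimal one written for this example and handles only $TTL, $ORIGIN, ';' comments and parenthesised multi-line records; the input is the page's sample zone with the SOA comments removed.

```python
# Constructed input: the page's sample zone file, with the SOA comments dropped.
SAMPLE_ZONE = """$TTL 86400
example.com. IN SOA ns1 admin ( 10004 3600 900
    3600000 3600 )
example.com. IN NS ns1
$ORIGIN example.com.
ns1 86400 IN A 1.2.3.4
mail 86400 IN A 192.0.2.2
www 86400 IN A 192.0.2.1
www.example.com 86400 IN CNAME example.com.
sub.example.com 86400 IN MX 10 mail
"""
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "SRV", "PTR"}
def fqdn(name, origin):
    """Qualify a name against the current $ORIGIN; '@' means the origin itself."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text, zone):
    """Yield (owner, type, rdata) from a BIND-style file: $TTL, $ORIGIN, comments, parentheses."""
    origin, joined, depth = zone, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments (quoted strings not handled)
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        joined.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:                           # record complete (parenthesised ones span lines)
            fields, joined = " ".join(joined).split(), []
            if fields[0] == "$ORIGIN":
                origin = fields[1]
            elif fields[0] != "$TTL":            # $TTL only sets a default; nothing to import
                idx = next(i for i, f in enumerate(fields) if i and f in TYPES)  # skip TTL/class
                yield fqdn(fields[0], origin), fields[idx], " ".join(fields[idx + 1:])

def check_import(text, zone, limit=1024):
    """Apply the import guidelines; return (records that would be imported, problems found)."""
    rrs = list(parse_zone(text, zone))
    apex_ns = {fqdn(r, zone) for o, t, r in rrs if t == "NS" and o == zone}
    kept, problems = [], []
    for owner, rtype, rdata in rrs:
        if rtype == "SOA" or (rtype == "NS" and owner == zone) or (rtype == "A" and owner in apex_ns):
            continue                             # SOA, apex NS and their glue A are disregarded
        if owner != zone and not owner.endswith("." + zone):
            problems.append(f"out-of-zone name: {owner}")
        elif (owner, rtype, rdata) in kept:
            problems.append(f"duplicate record: {owner} {rtype} {rdata}")
        else:
            kept.append((owner, rtype, rdata))
    if len(kept) > limit:
        problems.append(f"{len(kept)} records exceed the limit of {limit}")
    return kept, problems
```

Note that `www.example.com` and `sub.example.com` in the sample lack a trailing dot, so under `$ORIGIN example.com.` they qualify to `www.example.com.example.com.` and `sub.example.com.example.com.`, exactly as BIND would read them; the checker keeps them because they still sit under the zone, which is worth verifying before an import.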