DNS services

This section covers the DNS services offered by FortiGSLB Cloud.

FortiGSLB, functioning as a DNS Service, can support both standard DNS zones and primary type zones.

Configuring zone text field
Settings Guidelines

Name

Name of the zone.

Type

Primary—The configuration contains the “primary” copy of data for the zone and is the authoritative server for it.

Domain name

The domain name must end with a period. For example: example.com.

Responsible Mail

Username of the person responsible for this zone, such as admin.example.com.

Note: The format is mailbox-name.domain.com. (remember the trailing dot). A dot is used in place of the @ sign of an email address because @ has other uses in the zone file. Mail for admin.example.com. is nevertheless sent to admin@example.com.

Primary server name

Sets the server name in the SOA record.

Primary server address (IPv4)

The IPv4 address of the primary server.

Note: The address is appended to the ADDITIONAL SECTION of the query reply. In most cases this is the FortiGSLB Cloud DNS server IP address.

Primary Server Address (IPv6)

The IPv6 address of the primary server.

Note: The IPv6 address is appended to the ADDITIONAL SECTION of the reply to an IPv6-type query. If another DNS server hosting the same domain supports IPv6, enter that server's IPv6 address; otherwise leave the field empty.

TTL

The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.

The default is 86,400. The valid range is 0 to 2,147,483,647.

Negative TTL

The last field in the SOA—the negative caching TTL. This informs other servers how long to cache no-such-domain (NXDOMAIN) responses from you. The default is 3600 seconds. The valid range is 0 to 2,147,483,647.

DNSSEC

Only enable DNSSEC when necessary. Click the DNSSEC toggle switch to enable DNSSEC, and then click Save. Wait at least 5 seconds before clicking the Refresh icon at the top right corner. The DNSSEC Available dot indicator should now be green. The Download DNSSEC Certs icon and Regenerate a set of DNSSEC certs icon buttons should now be accessible.

After clicking the Download DNSSEC Certs button, an archive file is downloaded which contains the dsset key, zone-signing keys, and key-signing keys.

After clicking the Regenerate a set of DNSSEC certs button, a new group of dsset key, zone-signing keys, and key-signing keys is generated and takes effect. The old keys become invalid.

Note: DNSSEC works with A/AAAA, CNAME, NS, MX, TXT, SRV and PTR records created in the Zone. It can also work with FQDN-generated A records, with the limitation that only one record will reply to the client for FQDN services.

DSSet

List of DS set keys for sub-domains that also have DNSSEC enabled.

Note: The corresponding NS record must already exist when you add a DS set, and the key content must be valid. Otherwise the zone fails to reload and stops responding to queries.

Configuring the DSSet text field

Settings Guidelines

Name

Key name

Key

Paste the DSset file content. The content of DSset files is similar to the following:

dns.example.com. IN DS 21961 5 1 6E6C2D5EBF440DB2C71A8191FF2772F58A434175

dns.example.com. IN DS 21961 5 2 1B000131FCC68FF34441A710ACACDFD67350CF962260F47309321F8D 0551DADF
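Because an invalid DS set stops the zone from reloading, it is worth checking the pasted content before saving. The following Python script is an added example and not FortiGSLB code: it parses each DS line in the presentation format shown above, checks that the owner is a sub-domain of the hosted zone with an existing NS record, that the key tag and algorithm numbers fit their fields, and that the digest length matches the digest type (40 hex characters for SHA-1, 64 for SHA-256, 96 for SHA-384). Whitespace inside the digest, as in the second line above, is accepted. The function names (check_ds_line, check_ds_set) and the ns_owners argument, which you would fill from the NS records of the zone, are the example's own.

```python
import re

# DS digest types (RFC 4034 / 4509 / 6605) and the hex length a valid digest has.
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}   # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384

DS_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+"
    r"(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f\s]+)$"
)


def check_ds_line(line, zone, ns_owners):
    """Return the problems found in one DS record line (empty list = acceptable).
    zone: hosted zone name with trailing dot, e.g. 'example.com.'.
    ns_owners: owner names (trailing dot) that already have NS records in the zone."""
    m = DS_RE.match(line.strip())
    if not m:
        return ["not in '<owner> IN DS <key tag> <algorithm> <digest type> <digest>' form"]
    problems, owner = [], m["owner"]
    if not owner.endswith("."):
        problems.append("owner name must be fully qualified (trailing dot)")
        owner += "."
    if owner == zone or not owner.endswith("." + zone):
        problems.append(f"owner {owner} is not a sub-domain of {zone}")
    if owner not in ns_owners:
        problems.append(f"no NS record for {owner}: add the delegation before the DS set")
    if not 0 <= int(m["tag"]) <= 65535:
        problems.append("key tag must fit in 16 bits")
    if not 1 <= int(m["alg"]) <= 255:
        problems.append("algorithm number must be 1-255")
    dtype = int(m["dtype"])
    digest = re.sub(r"\s+", "", m["digest"])   # presentation format may split the hex
    expected = DIGEST_HEX_LEN.get(dtype)
    if expected is None:
        problems.append(f"unknown digest type {dtype}")
    elif len(digest) != expected:
        problems.append(f"digest type {dtype} needs {expected} hex chars, got {len(digest)}")
    return problems


def check_ds_set(text, zone, ns_owners):
    """Check every non-blank line of a pasted DS set; returns {line: problems}."""
    return {ln.strip(): check_ds_line(ln, zone, ns_owners)
            for ln in text.splitlines() if ln.strip()}


# The two DS lines shown above, used here as the sample input.
SAMPLE_DSSET = """\
dns.example.com. IN DS 21961 5 1 6E6C2D5EBF440DB2C71A8191FF2772F58A434175
dns.example.com. IN DS 21961 5 2 1B000131FCC68FF34441A710ACACDFD67350CF962260F47309321F8D 0551DADF
"""
```

Calling check_ds_set(SAMPLE_DSSET, "example.com.", {"dns.example.com."}) returns an empty problem list for both lines; running it with an empty ns_owners set reports the missing delegation, which is exactly the condition the note above warns about.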

Importing zone configuration files

Before importing a zone file in FortiGSLB's DNS Services, ensure proper zone configuration.

Consider the following guidelines:

  • The zone file must comply with RFC standards and BIND format.

  • Record domain names in the zone file must match the hosted zone's name.

  • FortiGSLB ignores SOA records in the zone file.

  • NS records and their corresponding A records for the configured zone domain are disregarded.

  • The imported zone file must not duplicate any records already present in the hosted zone, or the import process will fail.

  • Duplicate records in the imported zone file will also cause the import process to fail.

  • You can import up to 1024 records.

Below is a sample zone file:

$TTL 86400
example.com. IN SOA ns1 admin (
    10004   ; serial
    3600    ; refresh
    900     ; retry
    3600000 ; expiry
    3600    ; minimum
)
example.com. IN NS ns1
$ORIGIN example.com.
ns1 86400 IN A 1.2.3.4
mail 86400 IN A 192.0.2.2
www 86400 IN A 192.0.2.1
www.example.com 86400 IN CNAME example.com.
sub.example.com 86400 IN MX 10 mail
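The import guidelines can be checked before a file is uploaded, and the sample zone above is a convenient input. The Python script below is an added example, not FortiGSLB code: it parses a BIND-format zone file the way BIND resolves relative names and $ORIGIN, then applies the rules listed above (the SOA is ignored, apex NS records and the A records of their targets are disregarded, every owner must lie under the hosted zone, no duplicates within the file or against records already hosted, at most 1024 records). It also includes the conversion described in the Responsible Mail note, turning a name such as admin.example.com. into admin@example.com. The names parse_zone, check_import, rname_to_email and MAX_RECORDS are the example's own, and the existing argument stands for whatever records you already have in the hosted zone.

```python
import re

MAX_RECORDS = 1024   # import limit stated in the guidelines above


def fq(name, origin):
    """Fully qualify a zone-file name against the $ORIGIN in force, as BIND does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal BIND-format parser: $TTL, $ORIGIN, ';' comments, parenthesised
    multi-line records and relative owner names. Returns (owner, ttl, type, rdata)
    tuples; NS targets are qualified so they can be matched against A records."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                               # logical record complete
            logical.append(" ".join(buf))
            buf = []
    default_ttl, records = None, []
    for line in logical:
        fields = line.replace("(", " ").replace(")", " ").split()
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner, rest, ttl = fq(fields[0], origin), fields[1:], default_ttl
        while rest and (rest[0].isdigit() or rest[0] == "IN"):   # optional TTL and class
            if rest[0].isdigit():
                ttl = int(rest[0])
            rest = rest[1:]
        rtype, rdata = rest[0], tuple(rest[1:])
        if rtype == "NS":
            rdata = (fq(rdata[0], origin),)
        records.append((owner, ttl, rtype, rdata))
    return records


def check_import(text, zone, existing=frozenset()):
    """Apply the import guidelines. zone: hosted zone name with trailing dot;
    existing: (owner, type, rdata) tuples already in the hosted zone.
    Returns (records that would be imported, list of problems)."""
    recs = parse_zone(text, zone)
    apex_ns_targets = {r[3][0] for r in recs if r[0] == zone and r[2] == "NS"}
    keep, problems, seen = [], [], set()
    for owner, ttl, rtype, rdata in recs:
        if rtype == "SOA":
            continue                                 # SOA in the file is ignored
        if rtype == "NS" and owner == zone:
            continue                                 # apex NS records are disregarded
        if rtype == "A" and owner in apex_ns_targets:
            continue                                 # ...and so are their A records
        key, shown = (owner, rtype, rdata), f"{owner} {rtype} {' '.join(rdata)}"
        if owner != zone and not owner.endswith("." + zone):
            problems.append(f"outside hosted zone {zone}: {shown}")
        elif key in seen:
            problems.append(f"duplicate within file: {shown}")
        elif key in existing:
            problems.append(f"already in hosted zone: {shown}")
        else:
            seen.add(key)
            keep.append((owner, ttl, rtype, rdata))
    if len(keep) > MAX_RECORDS:
        problems.append(f"{len(keep)} records exceed the limit of {MAX_RECORDS}")
    return keep, problems


def rname_to_email(rname):
    """Turn an SOA responsible-mail name such as 'admin.example.com.' into
    'admin@example.com'; a backslash-escaped dot in the mailbox part stays a dot."""
    m = re.match(r"^((?:\\.|[^.\\])+)\.(.+?)\.?$", rname)
    if not m:
        raise ValueError("responsible mail needs mailbox and domain parts")
    return m.group(1).replace("\\.", ".") + "@" + m.group(2)


# The sample zone file from the page, embedded here as the input to check.
SAMPLE_ZONE = """\
$TTL 86400
example.com. IN SOA ns1 admin (
    10004   ; serial
    3600    ; refresh
    900     ; retry
    3600000 ; expiry
    3600    ; minimum
)
example.com. IN NS ns1
$ORIGIN example.com.
ns1 86400 IN A 1.2.3.4
mail 86400 IN A 192.0.2.2
www 86400 IN A 192.0.2.1
www.example.com 86400 IN CNAME example.com.
sub.example.com 86400 IN MX 10 mail
"""
```

Calling check_import(SAMPLE_ZONE, "example.com.") keeps four records (the mail and www A records, the CNAME and the MX) and reports no problems; the SOA, the apex NS record and the A record for its target ns1 are dropped as the guidelines describe. Because the parser qualifies names exactly as BIND does, the last two owner names in the sample, which carry no trailing dot, are read as www.example.com.example.com. and sub.example.com.example.com. under the $ORIGIN in force, so review the owner names the checker prints before importing a file.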
