CLI Reference

config global-dns-server trust-anchor-key

Use this command to change the trust anchor key (if necessary).

DNSSEC validation requires that a DNS name server know the trust anchor key for the root DNS domain in order to validate already signed responses. In general, trust anchor keys do not change often, but they do change occasionally, and might change unexpectedly in the event the keys are compromised.

The FortiADC DNS server is preconfigured with a trust anchor key for the root DNS domain. If you are informed that you must update this key, you can use the configuration editor to paste the new content into the DNS server configuration.

Further reading:

http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html

Before you begin:

  • You must have a good understanding of DNSSEC and knowledge of the DNS deployment in your network.
  • You must have already obtained the key so that you can copy and paste it into the DNS server configuration.
  • You must have read-write permission for global load balancing settings.

Syntax

config global-dns-server trust-anchor-key

edit <name>

set value <string>

set description <string>

next

end

value

The key value, a string in the following format:

\"<domainname>\" <num1> <num2> <num3> \"<content>\"

The following is an example:

\".\" 256 3 5 \"AwEAAbDrWmiIReotvZ6FObgKygZwUxSUJW9z5pjiQMLH0JBGXooHrR16 pdKhI9mNkM8bLUMtwYfgeUOYXIvfagee8rk=\"

description

A description of this configuration.

Example

FortiADC-VM # config global-dns-server trust-anchor-key

FortiADC-VM (trust-anchor-key) # edit sss

Add new entry 'sss' for node 2240

FortiADC-VM (sss) # get

value :

description :

FortiADC-VM (sss) # set

*value key value

description key description

FortiADC-VM (sss) # set value "\".\" 256 3 5 \"AwEAAbDrWmiIReotvZ6FObgKygZwUxSUJW9z5pjiQMLH0JBGXooHrR16 pdKhI9mNkM8bLUMtwYfgeUOYXIvfagee8rk=\""

FortiADC-VM (sss) # end
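
The following Python helper is an added example, not Fortinet code. It checks a key value against the format described above before it is pasted into the CLI, and builds the escaped set value line in the form used in the session above. It assumes that <num1>, <num2> and <num3> are the DNSKEY flags, protocol and algorithm fields, which lets it compute the RFC 4034 key tag for comparison with the tag published with the key; the function names and the sample value are constructed for illustration.

```python
import base64
import binascii
import re
import struct

# Format from the page: "<domainname>" <num1> <num2> <num3> "<content>"
VALUE_RE = re.compile(r'^\s*"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*$')


def parse_value(value):
    """Parse an unescaped key value; raise ValueError if it is malformed."""
    m = VALUE_RE.match(value)
    if not m:
        raise ValueError('expected "<domainname>" <num1> <num2> <num3> "<content>"')
    domain, n1, n2, n3, content = m.groups()
    nums = [int(n1), int(n2), int(n3)]
    # Assumption: the numbers are DNSKEY flags (16 bit), protocol and algorithm (8 bit each).
    if nums[0] > 0xFFFF or nums[1] > 0xFF or nums[2] > 0xFF:
        raise ValueError("numeric field out of range")
    try:
        # Pasted keys often contain spaces or line breaks; drop them before decoding.
        key = base64.b64decode("".join(content.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("content is not valid base64: %s" % exc)
    return domain, nums, key


def key_tag(nums, key):
    """RFC 4034 Appendix B key tag over flags|protocol|algorithm|key."""
    if nums[2] == 1:
        raise ValueError("algorithm 1 uses a different key tag definition")
    rdata = struct.pack("!HBB", *nums) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def cli_set_value(value):
    """Return the 'set value' line with inner quotes escaped as in the page's example."""
    parse_value(value)  # refuse to emit a command for a malformed key
    return 'set value "%s"' % value.strip().replace('"', '\\"')


if __name__ == "__main__":
    sample = '"." 257 3 8 "AQID"'  # constructed value, not a real trust anchor
    domain, nums, key = parse_value(sample)
    print(domain, nums, len(key), "bytes, key tag", key_tag(nums, key))
    print(cli_set_value(sample))
```

Compare the printed key tag with the one published by the source of the key before entering the generated line on the device.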
