config global-dns-server zone
Use this command to configure DNS zone and resource records.
The DNS zone configuration is the key to the global load balancing solution. This configuration contains the key DNS server settings, including:
- Domain name and name server details.
- Type—Whether the server is the primary or a forwarder.
- DNSSEC—Whether to use DNSSEC and the DNSSEC algorithm/key size.
- DNS RR records—The zone configuration contains resource records (RR) used to resolve DNS queries delegated to the domain by the parent zone.
You can specify different DNS server settings for each zone you create. For example, the DNS server can be a primary for one zone and a forwarder for another zone.
Before you begin:
- You must have a good understanding of DNS and knowledge of the DNS deployment in your network.
- You must have authority to create authoritative DNS zone records for your network.
- You must have read-write permission for global load balancing settings.
After you have configured a DNS zone, you can select it in the DNS policy configuration.
Syntax
config global-dns-server zone
edit <name>
set type {forward|fqdn-generate|primary|secondary}
set domain-name <string>
set negative-ttl <integer>
set primary-server-ip <class_ip>
set primary-server-ip6 <class_ip>
set primary-server-name <string>
set responsible-mail <string>
set ttl <integer>
set serial <integer>
set refresh <integer>
set primary-ip <ip>
set tsig-key <datasource>
set forward-host {enable|disable}
set forward {first|only}
set forwarders <datasource>
set dnssec-status {enable|disable}
set dnssec-algorithm {ECDSAP256SHA256|ECDSAP384SHA384|NSEC3RSASHA1|RSASHA1|RSASHA256|RSASHA512}
set dnssec-keysize {1024|2048|4096}
set dsset-info <string>
set dssetinfo-filename <string>
set dsset-info-list <datasource>
set notify-status {enable|disable}
set also-notify-server-ip <ip address>
set allow-transfer-status {enable|disable}
set allow-transfer <ip address>
set allow-transfer-tsig-key <datasource>
set auto-sync-rr {enable|disable}
set KSK <string>
set KSK-Filename <string>
set ZSK <string>
set ZSK-Filename <string>
config a-aaaa-record
edit <No.>
set hostname <string>
set source-type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
set method wrr
set weight <integer>
next
end
config cname-record
edit <No.>
set alias <string>
set target <string>
next
end
config mx-record
edit <No.>
set domain-name <string>
set hostname <string>
set type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
set priority <integer>
next
end
config ns-record
edit <No.>
set domain-name <string>
set host-name <string>
set type {ipv4|ipv6}
set ip <class_ip>
set ip6 <class_ip>
next
end
config txt-record
edit <No.>
set name <string>
set text <name>=<value>,<name>=<value>
next
end
config srv-record
edit <No.>
set hostname <string>
set target-server <string>
next
end
config ptr-record
edit <No.>
set ptr-address <string>
set fqdn <string>
next
end
next
end

config global-dns-server zone

type
Zone type: forward, fqdn-generate, primary, or secondary (see Syntax).

domain-name
The domain name must end with a period. For example:

negative-ttl
The last field in the SOA—the negative caching TTL. This tells other servers how long to cache no-such-domain (NXDOMAIN) responses from you. The default is 3600 seconds. The valid range is 0 to 2,147,483,647.

primary-server-ip
IPv4 address of the primary server.

primary-server-ip6
IPv6 address of the primary server.

primary-server-name
Sets the server name in the SOA record. If the name does not end with a trailing dot, the DNS system automatically appends the root domain, potentially resulting in an incorrect entry. For example,

responsible-mail
Username of the person responsible for this zone, such as

ttl
The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set. The default is 86,400. The valid range is 1 to 2,147,483,647.

serial
The serial option is available if type is primary. The SOA (Start of Authority) serial number for the zone, incremented when records are updated. Default: 10004. Range: 1 to 4,294,967,295.

refresh
The refresh option is available if type is primary. Interval (in seconds) at which secondary servers query the SOA record to check for updates. Default: 3600. Range: 1 to 2,147,483,647.
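
The following is an added example, not FortiADC code, showing how the SOA-related zone settings described above (domain-name, primary-server-name, responsible-mail, ttl, serial, refresh, negative-ttl) map onto the $TTL directive and SOA record of a zone file, including the trailing-dot behaviour the reference warns about for primary-server-name. The retry and expire values are assumed defaults, since this page exposes no setting for them, and all names are constructed.

```python
# Added example (not FortiADC code): render $TTL and SOA from the zone settings.
# retry/expire are assumed defaults; the page exposes no setting for them.
from dataclasses import dataclass


@dataclass
class ZoneSoaSettings:
    domain_name: str          # zone origin; must end with a period, e.g. "example.com."
    primary_server_name: str  # SOA MNAME, relative ("ns") or absolute ("ns.example.com.")
    responsible_mail: str     # SOA RNAME given as a mailbox, e.g. "root" or "hostmaster@example.org"
    ttl: int = 86400          # $TTL: default for RRs without an explicit TTL
    serial: int = 10004       # incremented whenever records change
    refresh: int = 3600       # how often secondaries re-check the SOA
    negative_ttl: int = 3600  # last SOA field: NXDOMAIN caching time


def check_domain_name(domain_name: str) -> None:
    """Reject a domain-name that lacks the trailing period the reference requires."""
    if not domain_name.endswith("."):
        raise ValueError(f"domain-name must end with a period: {domain_name!r}")


def absolute_name(name: str, origin: str) -> str:
    """Anchor a relative name at the zone origin; absolute names pass through unchanged.

    A primary-server-name typed without its trailing dot ("ns.example.com") is
    treated as relative and becomes "ns.example.com.example.com.", which is the
    kind of incorrect entry the reference warns about.
    """
    return name if name.endswith(".") else f"{name}.{origin}"


def rname_from_mailbox(mailbox: str, origin: str) -> str:
    """Encode a mailbox as an SOA RNAME: '@' becomes '.', dots in the local part are escaped."""
    local, at, domain = mailbox.partition("@")
    local = local.replace(".", "\\.")
    if not at:  # bare username such as "root": the mailbox lives in this zone
        return f"{local}.{origin}"
    domain = domain if domain.endswith(".") else domain + "."
    return f"{local}.{domain}"


def render_soa(s: ZoneSoaSettings, retry: int = 900, expire: int = 604800) -> str:
    """Return the $TTL directive and SOA record for the zone file."""
    check_domain_name(s.domain_name)
    mname = absolute_name(s.primary_server_name, s.domain_name)
    rname = rname_from_mailbox(s.responsible_mail, s.domain_name)
    return (
        f"$TTL {s.ttl}\n"
        f"{s.domain_name} IN SOA {mname} {rname} ( "
        f"{s.serial} {s.refresh} {retry} {expire} {s.negative_ttl} )"
    )


if __name__ == "__main__":
    # Constructed values mirroring the page's example session (root, ns, www.fortiadc.com.).
    print(render_soa(ZoneSoaSettings("www.fortiadc.com.", "ns", "root")))
```

Run it as a script to see the rendered record; the `absolute_name` docstring case is the one to check when a secondary reports a doubled primary name.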

primary-ip
The primary-ip option is available if type is secondary. The IPv4 address of the upstream primary DNS server from which this zone synchronizes its data.

tsig-key
The tsig-key option is available if type is secondary. An imported TSIG (Transaction SIGnature) key used to authenticate AXFR transfers and NOTIFY messages from the primary server. If not specified, synchronization relies only on the source IP address.

forward-host
Enable forward-host to allow DNS queries to be forwarded to remote servers at the zone level. Disabled by default. A forwarded query only has to match the zone; no other information, such as the hostname, has to match.

forward
The forward option is available if forward-host is enabled. One of first or only.

forwarders
The forwarders option is available if forward-host is enabled. Specify a remote server configuration object.

dnssec-status
Enable or disable DNSSEC. The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups.

dnssec-algorithm
The dnssec-algorithm option is available if dnssec-status is enabled. Select the cryptographic algorithm used to sign the zone: ECDSAP256SHA256, ECDSAP384SHA384, NSEC3RSASHA1, RSASHA1, RSASHA256, or RSASHA512.

dnssec-keysize
The dnssec-keysize option is available if dnssec-status is enabled. Select the key size (number of bits) for the signing algorithm: 1024, 2048, or 4096.
Note:

dsset-info
Generated by the system if DNSSEC is enabled for the zone.

dssetinfo-filename
The file is generated by the system if DNSSEC is enabled for the zone. The file generated by the zone configuration editor is the one you give to any parent zone or to the registrar of your domain. The convention is dsset-<domain>, for example

dsset-info-list
Specify a DSSET info list configuration object.

notify-status
The notify-status option is available if type is primary or secondary. Behavior depends on zone type:
- Primary—Enable or disable sending DNS NOTIFY messages to secondary servers when the zone changes.
- Secondary—Enable or disable acceptance of NOTIFY messages from the upstream primary. When enabled, a NOTIFY triggers immediate synchronization.

also-notify-server-ip
The also-notify-server-ip option is available if notify-status is enabled. Behavior depends on zone type:
- Primary—List of secondary server IP addresses to which NOTIFY messages are sent.
- Secondary—List of primary server IP addresses from which NOTIFY messages are accepted.

allow-transfer-status
The allow-transfer-status option is available if type is primary or secondary. Enable or disable zone transfers to primaries or secondaries. Enabled by default.

allow-transfer
The allow-transfer option is available if type is primary or secondary, and allow-transfer-status is enabled. List of primary or secondary server IP addresses permitted to initiate zone transfers.

allow-transfer-tsig-key
The allow-transfer-tsig-key option is available if type is primary or secondary, and allow-transfer-status is enabled. One or more imported TSIG (Transaction SIGnature) keys used to authenticate zone transfer requests. If not specified, transfers are validated only by source IP.

auto-sync-rr
The auto-sync-rr option is available if type is secondary. Controls whether zone records received from the primary are automatically applied to the FortiADC configuration.

KSK
Type characters for a string key. Generated by the system if DNSSEC is enabled for the zone.

KSK-Filename
The file is generated by the system if DNSSEC is enabled for the zone. To regenerate the KSK, disable DNSSEC and then re-enable it.

ZSK
Type characters for a string key. Generated by the system if DNSSEC is enabled for the zone.

ZSK-Filename
The file is generated by the system if DNSSEC is enabled for the zone. To regenerate the ZSK, disable DNSSEC and then re-enable it.
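
The following is an added example, not FortiADC code. It parses a zone block written in the CLI syntax shown under Syntax and flags the zone-level settings above that leave transfers or synchronization validated by source IP only (allow-transfer-status enabled by default without allow-transfer or allow-transfer-tsig-key; a secondary without tsig-key), a domain-name missing its trailing period, and DNSSEC choices that are weak by current guidance (the SHA-1 based algorithms, which RFC 8624 rates not recommended for signing, and a 1024-bit RSA key). The configuration text is constructed for illustration; the zone names, addresses and key name in it are not from a real device.

```python
# Added example (not FortiADC code): parse config/edit/set/next/end blocks in the
# page's CLI syntax and review the zone-level settings for weak choices.
import shlex
from typing import Dict, List

# dnssec-algorithm values from the page that still rely on SHA-1 (RFC 8624:
# NOT RECOMMENDED for signing) and the RSA family whose key size matters.
SHA1_ALGORITHMS = {"RSASHA1", "NSEC3RSASHA1"}
RSA_ALGORITHMS = {"RSASHA1", "NSEC3RSASHA1", "RSASHA256", "RSASHA512"}

# Constructed sample in the page's CLI syntax (not captured from a real device).
SAMPLE_CONFIG = """\
config global-dns-server zone
    edit "wan-zone"
        set type primary
        set domain-name example.com
        set dnssec-status enable
        set dnssec-algorithm RSASHA1
        set dnssec-keysize 1024
        config a-aaaa-record
            edit 1
                set hostname www
                set ip 192.0.2.10
            next
        end
    next
    edit "wan-zone-hardened"
        set type primary
        set domain-name example.com.
        set dnssec-status enable
        set dnssec-algorithm ECDSAP256SHA256
        set allow-transfer-status enable
        set allow-transfer 192.0.2.53
        set allow-transfer-tsig-key xfer-key
    next
    edit "branch-zone"
        set type secondary
        set domain-name branch.example.com.
        set primary-ip 192.0.2.53
        set allow-transfer-status disable
    next
end
"""


def parse_zone_block(text: str) -> Dict[str, dict]:
    """Return {zone_name: entry}; an entry is {"settings": {key: [values]}, "records": {table: [entry]}}."""
    zones: Dict[str, dict] = {}
    frames: List[dict] = []  # one frame per open "config <table>" block
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            frames.append({"table": " ".join(args), "entry": None})
        elif cmd == "edit" and frames and args:
            entry = {"settings": {}, "records": {}}
            parent = frames[-2]["entry"] if len(frames) > 1 else None
            if parent is None:  # top-level edit: a zone
                zones[args[0]] = entry
            else:               # nested edit: a resource record inside the zone
                parent["records"].setdefault(frames[-1]["table"], []).append(entry)
            frames[-1]["entry"] = entry
        elif cmd == "set" and frames and frames[-1]["entry"] is not None and len(args) >= 2:
            frames[-1]["entry"]["settings"][args[0]] = args[1:]
        elif cmd == "next" and frames:
            frames[-1]["entry"] = None
        elif cmd == "end" and frames:
            frames.pop()
    return zones


def review_zone(zone: dict) -> List[str]:
    """Return findings for zone-level settings that weaken authentication or signing strength."""
    s = zone["settings"]

    def first(key: str, default: str = "") -> str:
        return s.get(key, [default])[0]

    findings: List[str] = []
    ztype, domain = first("type"), first("domain-name")
    if domain and not domain.endswith("."):
        findings.append(f"domain-name {domain!r} lacks the trailing period")
    if ztype in ("primary", "secondary"):
        # allow-transfer-status is enabled by default, so absence means enabled.
        if first("allow-transfer-status", "enable") == "enable":
            if "allow-transfer" not in s:
                findings.append("zone transfers enabled with no allow-transfer address list")
            if "allow-transfer-tsig-key" not in s:
                findings.append("zone transfers validated by source IP only (no allow-transfer-tsig-key)")
    if ztype == "secondary" and "tsig-key" not in s:
        findings.append("secondary pulls from primary-ip without a tsig-key (source IP only)")
    if first("dnssec-status") == "enable":
        alg = first("dnssec-algorithm")
        if alg in SHA1_ALGORITHMS:
            findings.append(f"dnssec-algorithm {alg} relies on SHA-1, not recommended for signing (RFC 8624)")
        if alg in RSA_ALGORITHMS and first("dnssec-keysize") == "1024":
            findings.append("1024-bit RSA dnssec-keysize is below current guidance; use 2048 or 4096")
    return findings


if __name__ == "__main__":
    for name, zone in parse_zone_block(SAMPLE_CONFIG).items():
        print(name, review_zone(zone) or ["no findings"])
```

Feed it the output of `show global-dns-server zone` from a device to review real zones; the parser keeps nested record tables, so record-level checks can be added to `review_zone` without changing the parsing.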

config a-aaaa-record

hostname
The hostname part of the FQDN, such as
Note:

source-type
IPv4 or IPv6.

ip
IPv4 address of the virtual server.

ip6
IPv6 address of the virtual server.

method
Weighted Round Robin is the only method supported.

weight
Assigns relative preference among members—higher values are more preferred and are assigned connections more frequently. The default is 1. The valid range is 1 to 255.

config cname-record

alias
An alias name for another true or canonical domain name (the target). For instance,

target
The true or canonical domain name. For instance,

config mx-record

hostname
The hostname part of the FQDN for a mail exchange server, such as

type
IPv4 or IPv6.

ip
IPv4 address of the mail server.

ip6
IPv6 address of the mail server.

priority
Preference given to this RR among others at the same owner. Lower values have greater priority.

config ns-record

domain-name
The domain for which the name server has authoritative answers, such as

host-name
The hostname part of the FQDN, such as

type
IPv4 or IPv6.

ip
IPv4 address of the name server.

ip6
IPv6 address of the name server.

config txt-record

name
Hostname. TXT records are name-value pairs that contain human-readable information about a host. The most common use for TXT records is to store SPF records.

text
Comma-separated list of name=value pairs. An example SPF record has the following form: "v=spf1 +mx a:colo.example.com/28 -all"
If you complete the entry from the CLI, put the string in quotes. (If you complete the entry from the Web UI, do not put the string in quotes.)

config srv-record

hostname
The SRV hostname.

target-server
The target server name (record).

config ptr-record

ptr-address
A PTR address, such as 10.168.192.in-addr.arpa. or 1. If you use the number, the domain name is in the format "x.x.x.in-addr.arpa.".

fqdn
A fully qualified domain name, such as "www.example.com".
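
The following is an added example, not FortiADC code, for the ptr-record table above. It normalizes the two ptr-address forms the reference accepts (a full reverse name, or a bare octet that is completed with the zone's x.x.x.in-addr.arpa. domain-name) and checks that the resulting owner name reverses to a valid IPv4 host address rather than a network. All names and addresses below are constructed.

```python
# Added example (not FortiADC code): build and sanity-check a PTR record from the
# ptr-address and fqdn settings. Names and addresses are constructed.
import ipaddress

REVERSE_SUFFIX = "in-addr.arpa."


def ptr_owner_name(ptr_address: str, zone_domain: str) -> str:
    """Return the absolute owner name for a PTR record.

    A full reverse name is used as-is; a bare octet such as "1" is completed
    with the zone's domain-name, which must then be under in-addr.arpa.
    """
    if ptr_address.endswith(REVERSE_SUFFIX):
        return ptr_address
    if not zone_domain.endswith(REVERSE_SUFFIX):
        raise ValueError(f"bare ptr-address {ptr_address!r} needs a zone domain-name under {REVERSE_SUFFIX}")
    return f"{ptr_address}.{zone_domain}"


def ptr_owner_to_ipv4(owner: str) -> ipaddress.IPv4Address:
    """Reverse the in-addr.arpa labels back into the host address they describe."""
    labels = owner[: -len(REVERSE_SUFFIX)].rstrip(".").split(".")
    if len(labels) != 4:
        raise ValueError(f"{owner!r} names a network, not a host: expected 4 octets, got {len(labels)}")
    return ipaddress.IPv4Address(".".join(reversed(labels)))  # raises on a malformed octet


def ptr_record(ptr_address: str, fqdn: str, zone_domain: str):
    """Return the PTR zone-file line together with the address it maps."""
    owner = ptr_owner_name(ptr_address, zone_domain)
    address = ptr_owner_to_ipv4(owner)
    target = fqdn if fqdn.endswith(".") else fqdn + "."
    return f"{owner} IN PTR {target}", address


if __name__ == "__main__":
    line, addr = ptr_record("1", "www.example.com", "11.33.202.in-addr.arpa.")
    print(line, "->", addr)
```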
Example
FortiADC-VM # config global-dns-server zone
FortiADC-VM (zone) # edit wan-zone
Add new entry 'wan-zone' for node 2248
FortiADC-VM (wan-zone) # get
type : primary
domain-name :
dnssec-status : disable
ttl : 86400
responsible-mail :
negative-ttl : 3600
primary-server-name :
primary-server-ip : 0.0.0.0
primary-server-ip6 : ::
FortiADC-VM (wan-zone) # set domain-name www.fortiadc.com.
FortiADC-VM (wan-zone) # set responsible-mail root
FortiADC-VM (wan-zone) # set primary-server-name ns
FortiADC-VM (wan-zone) # set primary-server-ip 202.33.11.107
FortiADC-VM (wan-zone) # config a-aaaa-record
FortiADC-VM (a-aaaa-record) # edit 1
Add new entry '1' for node 2257
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # get
hostname : www
source-type : ipv4
weight : 1
ip : 0.0.0.0
method : wrr
FortiADC-VM (1) # set hostname www
FortiADC-VM (1) # set ip 202.33.11.1
FortiADC-VM (1) # end
FortiADC-VM (wan-zone) # end