Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    User Guide

    Home FortiAppSec Cloud User Guide

    How to enable DNSSEC on GSLB

    How to enable DNSSEC on GSLB

    Prerequisites:

    • Ensure your top-level domain (TLD) supports DNSSEC.

    Steps:

    1. Navigate to GSLB > DNS, and create a new Zone or edit an existing Zone.

      If you are creating this for an existing FQDN service, you need to create a Zone service with the same Domain Name.

    2. Toggle DNSSEC on to enable it, then save the configuration. The DNSSEC key will be generated shortly after submission.

    3. Click Edit for this Zone service. You may see the Refresh button and the DNSSEC Key status indicator under DNSSEC.

    4. Click the Refresh button until the DNSSEC status changes from Generating key to Available to download, and the Download button appears. The key-generation process should take less than one minute.

      If you suspect your DNSSEC key has been compromised, click the three dots next to DNSSEC Key Status, then select Regenerate. Repeat Step 4 to download the new key before proceeding.

    5. Click the Download button to download the DNSSEC Key files.

    6. Unzip the downloaded key files, and open the file name that begins with "dsset". You may need this for your top-level domain (TLD).

      1. Add the opened file to the DSSET list

      2. In Zone configuration, select the item from the DSSET list.

    7. You should now be able to query the domain records via CLI with the DNSSEC flag. The resulting output contains a RRSIG record and a DS reccord.

      Linux - dig

      Windows - Resolve-DnsName

    8. Add the DNSSEC key downloaded in Step 5 to your domain registrar.

      • To avoid DNS resolution issues, do not delete the old DNSSEC key until its TTL (Time to Live) has expired and the new key has fully propagated.

      • We recommend verifying propagation of the new DNSSEC key using public DNS resolvers such as Google, Cloudflare, or TLD-specific resolvers.

      • GSLB DNS servers will retain the old DNSSEC key for 14 days after a new key is generated to ensure uninterrupted service. After this period, DNS requests signed with the old key will be rejected.

      • To ensure continuity, delete the old DNSSEC key from your domain registrar within the 14-day window, once propagation of the new key is confirmed.

    Debugging

    Please see the Debugging.

    Previous
    Next

    How to enable DNSSEC on GSLB

    How to enable DNSSEC on GSLB

    Prerequisites:

    • Ensure your top-level domain (TLD) supports DNSSEC.

    Steps:

    1. Navigate to GSLB > DNS, and create a new Zone or edit an existing Zone.

      If you are creating this for an existing FQDN service, you need to create a Zone service with the same Domain Name.

    2. Toggle DNSSEC on to enable it, then save the configuration. The DNSSEC key will be generated shortly after submission.

    3. Click Edit for this Zone service. You may see the Refresh button and the DNSSEC Key status indicator under DNSSEC.

    4. Click the Refresh button until the DNSSEC status changes from Generating key to Available to download, and the Download button appears. The key-generation process should take less than one minute.

      If you suspect your DNSSEC key has been compromised, click the three dots next to DNSSEC Key Status, then select Regenerate. Repeat Step 4 to download the new key before proceeding.

    5. Click the Download button to download the DNSSEC Key files.

    6. Unzip the downloaded key files, and open the file name that begins with "dsset". You may need this for your top-level domain (TLD).

      1. Add the opened file to the DSSET list

      2. In Zone configuration, select the item from the DSSET list.

    7. You should now be able to query the domain records via CLI with the DNSSEC flag. The resulting output contains a RRSIG record and a DS reccord.

      Linux - dig

      Windows - Resolve-DnsName

    8. Add the DNSSEC key downloaded in Step 5 to your domain registrar.

      • To avoid DNS resolution issues, do not delete the old DNSSEC key until its TTL (Time to Live) has expired and the new key has fully propagated.

      • We recommend verifying propagation of the new DNSSEC key using public DNS resolvers such as Google, Cloudflare, or TLD-specific resolvers.

      • GSLB DNS servers will retain the old DNSSEC key for 14 days after a new key is generated to ensure uninterrupted service. After this period, DNS requests signed with the old key will be rejected.

      • To ensure continuity, delete the old DNSSEC key from your domain registrar within the 14-day window, once propagation of the new key is confirmed.

    Debugging

    Please see the Debugging.

    Previous
    Next