Configuring the trust anchor key
DNSSEC validation requires that a DNS name server know the trust anchor key for the root DNS domain in order to validate already signed responses. In general, trust anchor keys do not change often, but they do change occasionally, and might change unexpectedly in the event the keys are compromised.
The FortiADC DNS server is preconfigured with a trust anchor key for the root DNS domain. If you are informed that you must update this key, you can use the configuration editor to paste the new content into the DNS server configuration.
Further reading:
Before you begin:
• You must have a good understanding of DNSSEC and knowledge of the DNS deployment in your network.
• You must have already obtained the key so that you can copy and paste it into the DNS server configuration.
• You must have Read-Write permission for Global DNS Server settings.
To configure the trust anchor key:
1. Go to Global DNS Server > Trust Anchor Key.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in
Table 36.
4. Save the configuration.
Table 36: Trust anchor key configuration
Settings | Guidelines |
Name | Unique name. No spaces or special characters. After you initially save the configuration, you cannot edit the name. |
Value | The key value. The key format is a string with the following format: \"<domainname>\" <num1> <num2> <num3> \"<content>\" The following is an example: \".\" 256 3 5 \"AwEAAbDrWmiIReotvZ6FObgKygZwUxSUJW9z5pjiQMLH0JBGXooHrR16 pdKhI9mNkM8bLUMtwYfgeUOYXIvfagee8rk=\" |
Description | Description for the key. |