FortiWAN DNSSEC Support

DNSSEC Support

The DNS Security Extensions (DNSSEC) is a specification that adds data authentications and integrity to standard DNS. To resist tampering with DNS responses, DNSSEC introduces PKI (Public Key Infrastructure) to sign and authenticate DNS resource record sets within the zone. A signed zone includes a collection of new resource records: RRSIG, DNSKEY and DS.

  • RRSIG contains the DNSSEC signature for the corresponded DNS records (A, AAAA, MX, CNAME and etc.) within the zone.
  • DNSKEY contains the public key corresponded to the private key used to generate RRSIG records. A DNS resolver uses it to verify DNSSEC signatures in RRSIG.
  • DS (Delegation Signer) references to the public key used to verify the RRSIG in your zone. Every DS record should be signed by your parent zone and stored in the parent zone to establish trust chain between DNS zones.

Multihoming supports basic DNSSEC which employs only one key pair KSK (Key Sign Key) to generate DNSKEY and RRSIG records for the zone (NSEC is not supported). The supported algorithm and key size are only RSASHA512 and 2048 bits. Note that Multihoming’s DNSSEC is not supported for Relay Mode.

Remember that you have to configure DS records with your domain registrar after you complete configurations for DNSSEC. Please contact your domain registrar for further details about managing DS records.

Relay Mode

For the case that a DNS server already exists in you network, Relay Mode is the way to combine the existing DNS servers with Multihoming’s inbound load balance and fault tolerance. With Relay Mode enabled, FortiWAN will forward all the DNS requests it receives to the specified name servers, in stead of processing the requests directly. Answer of the DNS request will be responded to FortiWAN from the name server. FortiWAN’s

Multihoming then reprocess the answer with appropriate IP address according to the AAAA/A records and AAAA/A policies (load balancing algorithm). The DNS answer that contains appropriate IP address will finally responded to client, so that the inbound access could connect via the appropriate WAN link.

Enable Backup

FortiWAN Multihoming employs Backup mechanism to provide disaster recovery approach for network across various regions. Under this mechanism, the same backup service is set up across different regions. Therefore, when master site is down, backup site will immediately take over to resume the service.

To deploy Multihoming Backup between two FortiWAN units for one domain, at least one of the WAN links’ localhost IPv4 addresses of each FortiWAN unit must be registered with the parent domain (so that a DNS request for the domain can be delivered to the two FortiWAN units). Check “Enable Backup” on the Slave FortiWAN Web UI and specify the IPv4 addresses (which are registered with parent domain) of the Master FortiWAN in “Remote Master Servers”. Configurations for Multihoming Backup deployment is only necessary on the Slave unit, please do not check “Enable Backup” on the Master unit.

Then the Slave unit will detect the state of the Master unit periodically with its built-in Dig tool. The detect packets will be delivered to Master unit via the IP addresses specified on the Slave unit. When the Master’s Multihoming works properly, the Slave’s Multihoming will get into non-active mode (Unit that is in non-active mode will not answer to any DNS request); when the Master’s Multihoming is down, the Slave will get into active mode and take over to resume Multihoming. After takeover, the Slave will continuously detect Master’s state. Once the Master recovers, the Slave will return Multihoming service back to Master and get into non-active mode. This is how the Backup mechanism offers disaster recovery function. DNS database synchronization is not provided for Multihoming Backup deployment, so that DNS database can be maintained individually on the two units for local and remote-backup services. In case that multiple IP addresses of FortiWAN are registered with parent domain (to avoid single WAN links failure), those IP addresses should be configured into the “Server IPv4 Address” field on the Slave unit.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.