mirrors/external-dns
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/external-dns.git synced 2025-08-06 01:26:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

RFC2136: Document DNS-over-TLS

Browse Source 
Add a note about the TLS flags to the RFC2136 Tutorial.
This commit is contained in:
Kyle Butt 2023-10-19 12:44:19 -06:00
parent a3c9908d5e
commit 1030de7da9
No known key found for this signature in database
GPG Key ID: 3D31732B217319A3
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
docs/tutorials/rfc2136.md
View File

@ -403,3 +403,15 @@ However, it also determines the name of the Kerberos principal which is used dur
This means that Active Directory might only work if this is set to a specific domain name, possibly leading to errors like this:
`KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database`.
To fix this, try setting `--rfc2136-host` to the "actual" hostname of your DNS server.
## DNS Over TLS (RFCs 7858 and 9103)
If your DNS server does zone transfers over TLS, you can instruct `external-dns` to connect over TLS with the following flags:
* `--rfc2136-use-tls` Will enable TLS for both zone transfers and for updates.
* `--tls-ca=<cert-file>` Is the path to a file containing certificate(s) that can be used to verify the DNS server
* `--tls-client-cert=<client-cert-file>` and
* `--tls-client-cert-key=<client-key-file>` Set the client certificate and key for mutual verification
* `--rfc2136-skip-tls-verify` Disables verification of the certificate supplied by the DNS server.
It is currently not supported to do only zone transfers over TLS, but not the updates. They are enabled and disabled together.