From 1030de7da95021917ee0c42f473237a04fb68ec4 Mon Sep 17 00:00:00 2001 From: Kyle Butt Date: Thu, 19 Oct 2023 12:44:19 -0600 Subject: [PATCH] RFC2136: Document DNS-over-TLS Add a note about the TLS flags to the RFC2136 Tutorial. --- docs/tutorials/rfc2136.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/tutorials/rfc2136.md b/docs/tutorials/rfc2136.md index ca9ff4a61..8a9e13816 100644 --- a/docs/tutorials/rfc2136.md +++ b/docs/tutorials/rfc2136.md @@ -403,3 +403,15 @@ However, it also determines the name of the Kerberos principal which is used dur This means that Active Directory might only work if this is set to a specific domain name, possibly leading to errors like this: `KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database`. To fix this, try setting `--rfc2136-host` to the "actual" hostname of your DNS server. + +## DNS Over TLS (RFCs 7858 and 9103) + +If your DNS server does zone transfers over TLS, you can instruct `external-dns` to connect over TLS with the following flags: + + * `--rfc2136-use-tls` Will enable TLS for both zone transfers and for updates. + * `--tls-ca=` Is the path to a file containing certificate(s) that can be used to verify the DNS server + * `--tls-client-cert=` and + * `--tls-client-cert-key=` Set the client certificate and key for mutual verification + * `--rfc2136-skip-tls-verify` Disables verification of the certificate supplied by the DNS server. + +It is currently not supported to do only zone transfers over TLS, but not the updates. They are enabled and disabled together.
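Review bot: `--rfc2136-skip-tls-verify` is documented in the new section with no caveat, but skipping verification of the server certificate removes the authentication that TLS provides here, so an on-path attacker could present any certificate and read or alter both the zone transfer and the updates. Suggest qualifying that bullet, e.g. "Disables verification of the certificate supplied by the DNS server. Intended only for testing against self-signed servers; use `--tls-ca=` to trust a private CA in production." Two smaller points in the same hunk: "`--tls-client-cert=` and" is a bullet on its own, so the list reads as four flags plus a dangling "and"; merging it with the next bullet ("`--tls-client-cert=` and `--tls-client-cert-key=` set the client certificate and key for mutual verification") and giving all descriptions the same capitalization and trailing punctuation would make the list scan cleanly. Also, the opening sentence conditions on the server doing zone transfers over TLS, while `--rfc2136-use-tls` enables TLS for updates as well; "If your DNS server supports DNS over TLS" would match the closing paragraph, which states that transfers and updates are enabled together.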