Improve Microsoft DNS instructions

- List secure updates first
- Remove the confusing "(Insecure Updates)" part from the main headline
- Mention zone transfers to other domains
- Mention creating a user for secure updates
TomyLobo 2024-11-22 13:02:38 +01:00 committed by GitHub
parent 850b9731fa
commit cd9be5ff80
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -299,41 +299,18 @@ spec:
- --domain-filter=k8s.example.org
```
## Microsoft DNS (Insecure Updates)
## Microsoft DNS
While `external-dns` was not developed or tested against Microsoft DNS, it can be configured to work against it. YMMV.
### Insecure Updates
#### DNS-side configuration
1. Create a DNS zone
2. Enable insecure dynamic updates for the zone
3. Enable Zone Transfers to all servers
#### `external-dns` configuration
You'll want to configure `external-dns` similarly to the following:
```text
...
- --provider=rfc2136
- --rfc2136-host=192.168.0.1
- --rfc2136-port=53
- --rfc2136-zone=k8s.example.org
- --rfc2136-zone=k8s.your-zone.org
- --rfc2136-insecure
- --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
...
```
### Secure Updates Using RFC3645 (GSS-TSIG)
#### DNS-side configuration
1. Create a DNS zone
2. Enable secure dynamic updates for the zone
3. Enable Zone Transfers to all servers
2. Enable **secure** dynamic updates for the zone
3. Enable Zone Transfers to all servers and/or other domains
4. Create a user with permissions to create/update/delete records in that zone
If you see any error messages which indicate that `external-dns` was somehow not able to fetch
existing DNS records from your DNS server, this could mean that you forgot about step 3.
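Review bot: step 3 of the secure-updates list now says "Enable Zone Transfers to all servers and/or other domains", which grants more than external-dns needs; the only reason AXFR is required here (per the `--rfc2136-tsig-axfr` comment in the example below) is so external-dns can read existing records before deleting, so suggest wording it as allowing transfers only to the host(s) running external-dns and spelling out what "other domains" means (other AD domains or other DNS servers). For step 4, consider adding that this should be a dedicated account granted only create/update/delete rights on that zone rather than an existing admin account, since that is the least-privilege reading of the step. The follow-up sentence still refers to "step 3" after the renumbering, which still points at the zone-transfer step, so that reference remains correct.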
@ -423,6 +400,30 @@ This means that Active Directory might only work if this is set to a specific do
`KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database`.
To fix this, try setting `--rfc2136-host` to the "actual" hostname of your DNS server.
### Insecure Updates
#### DNS-side configuration
1. Create a DNS zone
2. Enable insecure dynamic updates for the zone
3. Enable Zone Transfers to all servers and/or other domains
#### `external-dns` configuration
You'll want to configure `external-dns` similarly to the following:
```text
...
- --provider=rfc2136
- --rfc2136-host=192.168.0.1
- --rfc2136-port=53
- --rfc2136-zone=k8s.example.org
- --rfc2136-zone=k8s.your-zone.org
- --rfc2136-insecure
- --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
...
```
## DNS Over TLS (RFCs 7858 and 9103)
If your DNS server does zone transfers over TLS, you can instruct `external-dns` to connect over TLS with the following flags:
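Review bot: the Insecure Updates section is moved here unchanged and still says nothing about what "insecure" implies, so a reader comparing the two sections cannot see why the secure variant is listed first; suggest one sentence under the heading stating that with insecure dynamic updates any client that can reach the server can modify zone records, so this mode is suited to lab or isolated setups. In the example, `--rfc2136-zone` appears twice with mismatched placeholders (`k8s.example.org` and `k8s.your-zone.org`) while the rest of the document uses `k8s.example.org`; either keep one placeholder or add a comment that the flag is repeated to cover multiple zones, so the duplicate line does not read as a copy-paste error.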