diff --git a/docs/tutorials/rfc2136.md b/docs/tutorials/rfc2136.md index a89b39aec..97508e66f 100644 --- a/docs/tutorials/rfc2136.md +++ b/docs/tutorials/rfc2136.md @@ -299,41 +299,18 @@ spec: - --domain-filter=k8s.example.org ``` -## Microsoft DNS (Insecure Updates) +## Microsoft DNS While `external-dns` was not developed or tested against Microsoft DNS, it can be configured to work against it. YMMV. -### Insecure Updates - -#### DNS-side configuration - -1. Create a DNS zone -2. Enable insecure dynamic updates for the zone -3. Enable Zone Transfers to all servers - -#### `external-dns` configuration - -You'll want to configure `external-dns` similarly to the following: - -```text -... - - --provider=rfc2136 - - --rfc2136-host=192.168.0.1 - - --rfc2136-port=53 - - --rfc2136-zone=k8s.example.org - - --rfc2136-zone=k8s.your-zone.org - - --rfc2136-insecure - - --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records. -... -``` - ### Secure Updates Using RFC3645 (GSS-TSIG) #### DNS-side configuration 1. Create a DNS zone -2. Enable secure dynamic updates for the zone -3. Enable Zone Transfers to all servers +2. Enable **secure** dynamic updates for the zone +3. Enable Zone Transfers to all servers and/or other domains +4. Create a user with permissions to create/update/delete records in that zone If you see any error messages which indicate that `external-dns` was somehow not able to fetch existing DNS records from your DNS server, this could mean that you forgot about step 3. 
@@ -423,6 +400,30 @@ This means that Active Directory might only work if this is set to a specific do `KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database`. To fix this, try setting `--rfc2136-host` to the "actual" hostname of your DNS server. +### Insecure Updates + +#### DNS-side configuration + +1. Create a DNS zone +2. Enable insecure dynamic updates for the zone +3. Enable Zone Transfers to all servers and/or other domains + +#### `external-dns` configuration + +You'll want to configure `external-dns` similarly to the following: + +```text +... + - --provider=rfc2136 + - --rfc2136-host=192.168.0.1 + - --rfc2136-port=53 + - --rfc2136-zone=k8s.example.org + - --rfc2136-zone=k8s.your-zone.org + - --rfc2136-insecure + - --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records. +... +``` + ## DNS Over TLS (RFCs 7858 and 9103) If your DNS server does zone transfers over TLS, you can instruct `external-dns` to connect over TLS with the following flags:
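Review bot: In the first hunk, the new step 4 ("Create a user with permissions to create/update/delete records in that zone") does not say where that user's credentials are supplied to `external-dns` or that the zone ACL should be scoped to only that account; since the new heading now covers both secure and insecure modes, a sentence after the list pointing to the corresponding `external-dns` configuration for GSS-TSIG and noting that the account should hold only update rights on that one zone would keep the step actionable. Also, "Enable Zone Transfers to all servers and/or other domains" broadens the original wording; because AXFR exposes the whole zone, recommend wording step 3 as allowing transfers only to the host running `external-dns` (the reason transfers are needed is already stated: record deletion), and "and/or other domains" is ambiguous and should say which domains are meant.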
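Review bot: In the second hunk, the relocated "### Insecure Updates" section lands after the Kerberos troubleshooting paragraph, so it reads as a continuation of the GSS-TSIG material even though it describes the opposite mode; add one sentence under the heading stating that "insecure dynamic updates" means unauthenticated updates, that anyone who can reach the server can then modify the zone, and that the "Secure Updates Using RFC3645 (GSS-TSIG)" section above is the recommended configuration. The example still lists `- --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.` alongside `- --rfc2136-insecure`; since no TSIG key is configured in this mode, the inline comment should clarify that the flag only turns on AXFR-based record discovery here, and step 3 of this section should, as in the secure section, restrict zone transfers to the `external-dns` host rather than "all servers and/or other domains".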