mirrors/external-dns
1
0
Fork 0
mirror of https://github.com/kubernetes-sigs/external-dns.git synced 2025-08-07 18:16:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4893 from TomyLobo/patch-1

Browse Source 
docs(Microsoft DNS): improve instructions
This commit is contained in:
Kubernetes Prow Robot 2025-01-23 00:38:57 -08:00 committed by GitHub
commit fc24607635
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 29 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
docs/tutorials/rfc2136.md
View File

@ -299,41 +299,18 @@ spec:
- --domain-filter=k8s.example.org - --domain-filter=k8s.example.org
``` ```
## Microsoft DNS (Insecure Updates) ## Microsoft DNS
While `external-dns` was not developed or tested against Microsoft DNS, it can be configured to work against it. YMMV. While `external-dns` was not developed or tested against Microsoft DNS, it can be configured to work against it. YMMV.
### Insecure Updates
#### DNS-side configuration
1. Create a DNS zone
2. Enable insecure dynamic updates for the zone
3. Enable Zone Transfers to all servers
#### `external-dns` configuration
You'll want to configure `external-dns` similarly to the following:
```text
...
- --provider=rfc2136
- --rfc2136-host=192.168.0.1
- --rfc2136-port=53
- --rfc2136-zone=k8s.example.org
- --rfc2136-zone=k8s.your-zone.org
- --rfc2136-insecure
- --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
...
```
### Secure Updates Using RFC3645 (GSS-TSIG) ### Secure Updates Using RFC3645 (GSS-TSIG)
#### DNS-side configuration #### DNS-side configuration
1. Create a DNS zone 1. Create a DNS zone
2. Enable secure dynamic updates for the zone 2. Enable **secure** dynamic updates for the zone
3. Enable Zone Transfers to all servers 3. Enable Zone Transfers to all servers and/or other domains
4. Create a user with permissions to create/update/delete records in that zone
If you see any error messages which indicate that `external-dns` was somehow not able to fetch If you see any error messages which indicate that `external-dns` was somehow not able to fetch
existing DNS records from your DNS server, this could mean that you forgot about step 3. existing DNS records from your DNS server, this could mean that you forgot about step 3.
@ -423,6 +400,30 @@ This means that Active Directory might only work if this is set to a specific do
`KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database`. `KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database`.
To fix this, try setting `--rfc2136-host` to the "actual" hostname of your DNS server. To fix this, try setting `--rfc2136-host` to the "actual" hostname of your DNS server.
### Insecure Updates
#### DNS-side configuration
1. Create a DNS zone
2. Enable insecure dynamic updates for the zone
3. Enable Zone Transfers to all servers and/or other domains
#### `external-dns` configuration
You'll want to configure `external-dns` similarly to the following:
```text
...
- --provider=rfc2136
- --rfc2136-host=192.168.0.1
- --rfc2136-port=53
- --rfc2136-zone=k8s.example.org
- --rfc2136-zone=k8s.your-zone.org
- --rfc2136-insecure
- --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
...
```
## DNS Over TLS (RFCs 7858 and 9103) ## DNS Over TLS (RFCs 7858 and 9103)
If your DNS server does zone transfers over TLS, you can instruct `external-dns` to connect over TLS with the following flags: If your DNS server does zone transfers over TLS, you can instruct `external-dns` to connect over TLS with the following flags: