# Configuring RFC2136 provider ## Using with BIND ### Server credentials: - RFC2136 was developed for and tested with [BIND](https://www.isc.org/downloads/bind/) DNS server. This documentation assumes that you already have a configured and working server. If you don't, please check BIND documents or tutorials. - So you should obtain from your administrator a TSIG key. It will look like: ```text key "externaldns-key" { algorithm hmac-sha256; secret "XXXXXXXXXXXXXXXXXXXXXX=="; }; ``` - **Warning!** Bind server configuration should enable this key for AFXR zone transfer. `external-dns` uses it for listing DNS records. ```text # cat /etc/named.conf ... include "/etc/rndc.key"; controls { inet 123.123.123.123 port 953 allow { 10.x.y.151; } keys { "externaldns-key"; }; }; options { include "/etc/named/options.conf"; }; include "/etc/named/zones.conf"; ... # cat /etc/named/options.conf ... dnssec-enable yes; dnssec-validation yes; ... # cat /etc/named/zones.conf ... zone "example.com" { type master; file "/var/named/dynamic/db.example.com"; update-policy { grant externaldns-key zonesub ANY; }; }; ... ``` ### RFC2136 provider configuration: - Example fragment of real configuration of ExternalDNS service pod. ```text ... - --provider=rfc2136 - --rfc2136-host=123.123.123.123 - --rfc2136-port=53 - --rfc2136-zone=your-domain.com - --rfc2136-tsig-secret=${rfc2136_tsig_secret} - --rfc2136-tsig-secret-alg=hmac-sha256 - --rfc2136-tsig-keyname=externaldns-key - --rfc2136-tsig-axfr ... ``` - `--rfc2136-tsig-secret` - environment variable containing actual secret value from TSIG key. Something like `XXXXXXXXXXXXXXXXXXXXXX==`. - `--rfc2136-tsig-keyname` - this is a string parameter with the key name in the Kubernetes secret. It **must match** with key name on the DNS server. In this example it is `externaldns-key`. ## Using with Microsoft DNS While `external-dns` was not developed or tested against Microsoft DNS, it can be configured to work against it. YMMV. ### DNS-side configuration 1. Create a DNS zone 2. Enable insecure dynamic updates for the zone 3. Enable Zone Transfers from all servers ### `external-dns` configuration You'll want to configure `external-dns` similarly to the following: ```text ... - --provider=rfc2136 - --rfc2136-host=123.123.123.123 - --rfc2136-port=53 - --rfc2136-zone=your-domain.com - --rfc2136-tsig-secret=not-needed - --rfc2136-tsig-secret-alg=hmac-sha256 - --rfc2136-tsig-keyname=externaldns-key - --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records. ... ``` Since Microsoft DNS does not support secure updates via TSIG, this will let `external-dns` make insecure updates. Do this at your own risk.