mirror of
https://github.com/kubernetes-sigs/external-dns.git
synced 2025-08-07 10:06:57 +02:00
94 lines
2.8 KiB
Markdown
# Configuring RFC2136 provider

## Using with BIND

### Server credentials:

- The RFC2136 provider was developed for and tested with the [BIND](https://www.isc.org/downloads/bind/) DNS server. This documentation assumes that you already have a configured and working server. If you don't, please check the BIND documentation or tutorials.

- Obtain a TSIG key from your DNS administrator (on the server, `tsig-keygen externaldns-key` produces one in exactly this format). It will look like:

```text
key "externaldns-key" {
    algorithm hmac-sha256;
    secret "XXXXXXXXXXXXXXXXXXXXXX==";
};
```

The `secret` is the base64-encoded HMAC key. Treat it as a credential: anyone holding it can read the zone and change records to the extent the BIND policies below allow.

- **Warning!** The BIND server configuration must allow this key to perform AXFR zone transfers. `external-dns` uses AXFR to list the existing records in the zone, and it needs that listing to decide which records to update or delete.

```text
# cat /etc/named.conf
...
include "/etc/rndc.key";

controls {
    inet 123.123.123.123 port 953 allow { 10.x.y.151; } keys { "externaldns-key"; };
};

options {
    include "/etc/named/options.conf";
};

include "/etc/named/zones.conf";
...

# cat /etc/named/options.conf
...
dnssec-enable yes;
dnssec-validation yes;
...

# cat /etc/named/zones.conf
...
zone "example.com" {
    type master;
    file "/var/named/dynamic/db.example.com";
    update-policy {
        grant externaldns-key zonesub ANY;
    };
};
...
```

Two things to keep in mind about this example:

- The `controls` statement accepts `externaldns-key` on the rndc control channel (port 953) from `10.x.y.151`. That gives whoever holds the TSIG key rndc-level control of the server (reload, flush, and so on), which `external-dns` never needs. Keep the rndc key (`/etc/rndc.key`) and `externaldns-key` separate, and do not list `externaldns-key` under `controls`.
- `grant externaldns-key zonesub ANY;` lets the key add, change, and delete records of any type anywhere under `example.com`. The `dnssec-*` options are unrelated to TSIG updates; `dnssec-enable` in particular is obsolete in current BIND releases and can be dropped.
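A tighter version of the zone stanza, added here as an example rather than taken from the project's documentation, that also covers the AXFR requirement from the warning above. It assumes the same key name and zone as the example; the record-type list is an assumption about what this deployment manages (extend it if you also publish SRV, MX, or NS records through `external-dns`):

```text
zone "example.com" {
    type master;
    file "/var/named/dynamic/db.example.com";
    // Serve zone transfers only to clients that sign the AXFR request with
    // the TSIG key. This is what --rfc2136-tsig-axfr relies on; without an
    // allow-transfer restriction, whether the zone is readable by anyone
    // depends on the BIND version's default.
    allow-transfer {
        key "externaldns-key";
    };
    // Dynamic updates anywhere under the zone, but only for the record types
    // external-dns is expected to manage here (assumption: A, AAAA, CNAME and
    // the TXT ownership records) instead of ANY.
    update-policy {
        grant externaldns-key zonesub A AAAA CNAME TXT;
    };
};
```

Run `named-checkconf` after editing and `rndc reload` to apply it.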

### RFC2136 provider configuration:

- Example fragment of a real configuration of the ExternalDNS service pod (the container `args`):

```text
...
- --provider=rfc2136
- --rfc2136-host=123.123.123.123
- --rfc2136-port=53
- --rfc2136-zone=your-domain.com
- --rfc2136-tsig-secret=${rfc2136_tsig_secret}
- --rfc2136-tsig-secret-alg=hmac-sha256
- --rfc2136-tsig-keyname=externaldns-key
- --rfc2136-tsig-axfr
...
```

- `--rfc2136-zone` - the zone `external-dns` manages. It must be a zone the server is authoritative for and that the key is allowed to update (`example.com` in the BIND configuration above).

- `--rfc2136-tsig-secret` - the actual secret value from the TSIG key, something like `XXXXXXXXXXXXXXXXXXXXXX==`. Do not write it into the pod spec in clear text: store it in a Kubernetes Secret, expose it to the container as an environment variable, and reference that variable here. Note that Kubernetes expands `$(VAR_NAME)` references in `args`, not `${VAR_NAME}`, so when the flag is set directly in the pod spec the reference must be written as `$(rfc2136_tsig_secret)`.

- `--rfc2136-tsig-secret-alg` - the TSIG HMAC algorithm. It **must match** the `algorithm` of the key on the DNS server (`hmac-sha256` here).

- `--rfc2136-tsig-keyname` - the name of the TSIG key. It **must match** the key name on the DNS server; it has nothing to do with the name of the Kubernetes Secret. In this example it is `externaldns-key`.

- `--rfc2136-tsig-axfr` - sign the AXFR zone transfer request with the same TSIG key. Required when the server only serves the zone to that key, as recommended above.
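The following script is an added example, not part of `external-dns` or BIND. It ties the two halves of the setup together: it parses the `key` stanza from the administrator, checks that the algorithm and secret are sane, prints the matching `--rfc2136-tsig-*` flags and the `kubectl` command to store the secret, and, when given a server and zone on the command line, exercises the key the way `external-dns` will (a TSIG-signed AXFR and a TSIG-signed update) with `dig` and `nsupdate`. The sample stanza, the `external-dns-tsig` Secret name, the `_extdns-preflight` probe record, the rejection of `hmac-md5`/`hmac-sha1`, and the 16-byte minimum secret length are this example's own choices, not requirements of the project.

```shell
#!/bin/sh
# Added example (not part of external-dns or BIND): parse the TSIG key stanza
# the administrator hands out, sanity-check it, print the matching external-dns
# flags, and optionally pre-flight the key against the real server with dig and
# nsupdate. Assumptions: dig/nsupdate (bind-utils or dnsutils) are installed for
# the pre-flight; server, zone, Secret name and secret value are placeholders.
set -eu

# Constructed sample stanza in the shape shown in the text above. The secret is
# a random example value, not a real key.
SAMPLE_KEY_STANZA='key "externaldns-key" {
    algorithm hmac-sha256;
    secret "5L+VkuNKcoKiwnG2CW9IHu6bRv0eA0bLkG4ZbdBgTl8=";
};'

# key_field STANZA FIELD -> prints the key name, algorithm or secret.
key_field() {
    case "$2" in
        name)      printf '%s\n' "$1" | sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' ;;
        algorithm) printf '%s\n' "$1" | sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;[:space:]]*\).*/\1/p' ;;
        secret)    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' ;;
    esac
}

# secret_bytes SECRET -> decoded HMAC key length in bytes; fails on bad base64.
secret_bytes() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    echo $(( $(printf '%s' "$1" | base64 -d | wc -c) ))
}

# check_key STANZA -> 0 if the stanza is usable with --rfc2136-tsig-*, else 1.
# Rejecting hmac-md5/hmac-sha1 and keys shorter than 16 bytes is this script's
# own hardening policy (assumption), not a limit of the provider or of BIND.
check_key() {
    name=$(key_field "$1" name)
    alg=$(key_field "$1" algorithm)
    secret=$(key_field "$1" secret)
    if [ -z "$name" ] || [ -z "$secret" ]; then
        echo "key stanza is missing the key name or the secret" >&2; return 1
    fi
    case "$alg" in
        hmac-sha224|hmac-sha256|hmac-sha384|hmac-sha512) ;;
        *) echo "unsupported or weak TSIG algorithm: $alg" >&2; return 1 ;;
    esac
    bytes=$(secret_bytes "$secret") || { echo "secret is not valid base64" >&2; return 1; }
    if [ "$bytes" -lt 16 ]; then
        echo "secret is only $bytes bytes; generate a full-length key with tsig-keygen" >&2; return 1
    fi
}

# external_dns_flags STANZA -> the three flags that must agree with the server.
# Kubernetes expands $(VAR) references in container args from the environment,
# so the secret stays in a Secret and never appears in the pod spec.
external_dns_flags() {
    printf '%s\n' "--rfc2136-tsig-keyname=$(key_field "$1" name)"
    printf '%s\n' "--rfc2136-tsig-secret-alg=$(key_field "$1" algorithm)"
    printf '%s\n' '--rfc2136-tsig-secret=$(rfc2136_tsig_secret)'
}

# kubectl_secret_cmd STANZA -> command that stores the secret in a Kubernetes
# Secret (the name external-dns-tsig is an assumption) for use as an env var.
kubectl_secret_cmd() {
    printf '%s\n' "kubectl create secret generic external-dns-tsig --from-literal=rfc2136_tsig_secret='$(key_field "$1" secret)'"
}

# preflight SERVER ZONE STANZA -> exercises what external-dns does at runtime:
# a TSIG-signed AXFR (what --rfc2136-tsig-axfr sends) and a TSIG-signed update.
# Also warns if an unsigned AXFR is served. Needs network access to the server.
preflight() {
    auth="$(key_field "$3" algorithm):$(key_field "$3" name):$(key_field "$3" secret)"
    probe="_extdns-preflight.$2"
    # 1. Signed AXFR: a successful transfer always contains the zone's SOA.
    dig +noall +answer -y "$auth" "@$1" "$2" AXFR | grep -q '[[:space:]]SOA[[:space:]]' \
        || { echo "signed AXFR refused: check allow-transfer and the key" >&2; return 1; }
    # 2. Unsigned AXFR: should be refused when allow-transfer is limited to the key.
    if dig +noall +answer "@$1" "$2" AXFR | grep -q '[[:space:]]SOA[[:space:]]'; then
        echo "WARNING: unsigned AXFR is served; the zone is readable by anyone" >&2
    fi
    # 3. Signed update: add and then delete a throwaway TXT record in the zone.
    printf 'server %s\nzone %s\nupdate add %s 60 TXT "preflight"\nsend\nupdate delete %s TXT\nsend\n' \
        "$1" "$2" "$probe" "$probe" | nsupdate -y "$auth" \
        || { echo "signed update refused: check update-policy" >&2; return 1; }
    echo "preflight OK for key $(key_field "$3" name) on zone $2"
}

# Usage: sh tsig-preflight.sh 123.123.123.123 example.com < externaldns-key.conf
if [ "$#" -eq 2 ]; then
    stanza=$(cat)
    check_key "$stanza"
    external_dns_flags "$stanza"
    kubectl_secret_cmd "$stanza"
    preflight "$1" "$2" "$stanza"
fi
```

Run it once from a host that can reach the server before deploying: a refused signed AXFR points at `allow-transfer`, a refused signed update points at `update-policy`, and an unsigned AXFR that succeeds means the zone is readable by anyone who can reach port 53.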

## Using with Microsoft DNS

While `external-dns` was not developed or tested against Microsoft DNS, it can be configured to work against it. YMMV.

### DNS-side configuration

1. Create a DNS zone.
2. Enable nonsecure dynamic updates for the zone ("Nonsecure and secure" in the zone's Dynamic updates setting).
3. Enable zone transfers for the zone. Rather than allowing transfers to any server, restrict them to the addresses `external-dns` connects from: a transfer hands the entire zone to whoever is allowed to request it.

### `external-dns` configuration

You'll want to configure `external-dns` similarly to the following:

```text
...
- --provider=rfc2136
- --rfc2136-host=123.123.123.123
- --rfc2136-port=53
- --rfc2136-zone=your-domain.com
- --rfc2136-tsig-secret=not-needed
- --rfc2136-tsig-secret-alg=hmac-sha256
- --rfc2136-tsig-keyname=externaldns-key
- --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
...
```

Microsoft DNS does not support secure updates with a TSIG key (its secure dynamic update mechanism is GSS-TSIG, i.e. Kerberos-authenticated), so this configuration makes `external-dns` send insecure, unauthenticated updates, and any client that can reach the server on port 53 can modify the zone in the same way. Do this at your own risk, and limit the exposure with network controls: firewall the server so that only the `external-dns` egress addresses reach it, or keep the zone on an internal-only server.